Windows Phone 8 security deep dive
DESCRIPTION
More info on http://www.techdays.be
TRANSCRIPT
Windows Phone 8: Security deep dive
@DavidHernie, Technical Evangelist, Microsoft Belux
Agenda
Security goals: what is this all about?
Data protection: prevent unauthorized access to data
System integrity: prevent malware from taking control
Access control & app management: provide secure access to the device
App platform security: architecture and recommendations
Remediation: what if something goes wrong?
All large screen, dual-core, LTE and NFC
Nokia Lumia 920: 4.5”, PureMotion display, PureView OIS camera, Nokia City Lens, Nokia Music streaming, wireless charging
Nokia Lumia 820: 4.3”, ClearBlack display, Carl Zeiss lens, snap-on back cover, wireless charging, Nokia City Lens, Nokia Music streaming
Samsung ATIV S: 4.8”, HD Super AMOLED display, NFC Tap-to-send, Samsung Family Story
HTC 8X: 4.3”, Gorilla Glass 2 display, ultra-wide angle camera lens, built-in Beats Audio, built-in amp
Security goals
Business compliance: enterprise, policy, management
User first: great user experiences, and what is the impact of security on them?
End user safety: users are not always aware; give them tools to protect themselves
Developer trust: create apps on a trustable platform
New WP8 security controls
Secure Boot helps prevent malware from being installed on the phone
Secure Boot helps ensure the integrity of the entire operating system
The Secure Boot implementation is provided by the SoC vendor, in two phases:
pre-UEFI secure boot loaders initialize the hardware; UEFI Secure Boot then helps ensure the integrity of the OS
Secure UEFI
Secure boot process (the diagram labels each stage with its owner: SoC vendor, OEM, MSFT)
Power on
Firmware boot loaders (SoC vendor)
OEM UEFI applications (OEM)
Windows Phone boot manager (MSFT), which hands over to one of:
Windows Phone 8 OS boot
Windows Phone 8 update OS boot
Boot to flashing mode
UEFI specifications: http://www.uefi.org/specs/
Secure pre-boot loader
Signed pre-boot loader
No Secure Boot bypass for users: secure flashing is required
During manufacturing the pre-boot loader is securely signed: the public key used to sign the initial boot loaders is added, together with a number of unique and common keys per device, and the appropriate fuses are blown (read-only)
Every phone gets a unique key (used for encryption, ...)
Secure UEFI boot loader: all about keys
Platform Key (PK): the master key. Once the PK is provisioned the UEFI environment is “enabled”; the PK is used to sign updates
Allowed and Forbidden Signature Databases (DB/DBX): control which images can be loaded. DBX holds the forbidden keys and can be updated
Only signed components are supported (Secure Boot policy)
Boot sequence
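The boot chain and the allowed/forbidden database rule above, modeled in code. This is an added example, not Microsoft's or the UEFI Forum's code. It assumes two simplifications, both labeled in the comments: images are identified by their SHA-256 hash only (real db/dbx entries may also hold X.509 certificates and Authenticode signatures), and the Platform Key is stood in for by an HMAC secret rather than an RSA key. The stage names and image bytes are constructed sample data.

```python
"""Toy model of the UEFI Secure Boot image policy (db / dbx) for a boot chain.

Added example, not Microsoft's or the UEFI Forum's code. Assumptions:
images are identified by SHA-256 hash only, and the Platform Key (PK) is a
shared HMAC secret standing in for the real RSA key that signs variable updates.
"""
import hashlib
import hmac


def image_hash(image: bytes) -> str:
    """Measurement of a boot image: SHA-256 over the raw bytes."""
    return hashlib.sha256(image).hexdigest()


class SecureBootPolicy:
    """Allowed (db) and forbidden (dbx) signature databases plus the PK."""

    def __init__(self, platform_key: bytes, db: set[str], dbx: set[str]):
        self._pk = platform_key      # master key; authorises db/dbx updates
        self.db = set(db)            # hashes of images allowed to load
        self.dbx = set(dbx)          # hashes of images that must never load

    def is_allowed(self, image: bytes) -> bool:
        """dbx is consulted first: a forbidden entry overrides an allowed one."""
        h = image_hash(image)
        if h in self.dbx:
            return False
        return h in self.db

    def _auth_tag(self, variable: str, entry: str) -> str:
        # Stand-in (assumption) for the PK signature over a signed variable update.
        return hmac.new(self._pk, f"{variable}:{entry}".encode(), "sha256").hexdigest()

    def sign_update(self, variable: str, entry: str) -> str:
        """Only the PK holder (e.g. the OEM) can produce a valid update tag."""
        return self._auth_tag(variable, entry)

    def apply_update(self, variable: str, entry: str, tag: str) -> bool:
        """Append to db or dbx only if the update carries a valid PK tag."""
        if not hmac.compare_digest(tag, self._auth_tag(variable, entry)):
            return False
        target = self.db if variable == "db" else self.dbx
        target.add(entry)
        return True


def boot_chain(policy: SecureBootPolicy, stages: list[tuple[str, bytes]]):
    """Walk firmware loaders -> OEM UEFI apps -> boot manager -> OS loader.

    Every stage is verified against the policy before it is handed control.
    Returns (names of stages executed, name of the first rejected stage or None).
    """
    executed = []
    for name, image in stages:
        if not policy.is_allowed(image):
            return executed, name
        executed.append(name)
    return executed, None


# Constructed sample images standing in for the real boot components.
STAGES = [
    ("firmware boot loaders", b"SoC vendor pre-UEFI loader v1"),
    ("OEM UEFI applications", b"OEM UEFI app v1"),
    ("Windows Phone boot manager", b"bootmgr v1"),
    ("Windows Phone 8 OS boot", b"WP8 OS loader v1"),
]
CUSTOM_ROM = b"community custom ROM loader"   # never signed, never in db
PK = b"constructed-platform-key-secret"        # constructed; not a real key


def provision() -> SecureBootPolicy:
    """Factory-provisioned policy: every shipped stage allowed, dbx empty."""
    return SecureBootPolicy(PK, {image_hash(img) for _, img in STAGES}, set())


def demo():
    policy = provision()
    clean = boot_chain(policy, STAGES)

    # Swapping the OS loader for an unsigned custom build stops the chain there.
    tampered = STAGES[:3] + [("custom ROM", CUSTOM_ROM)]
    blocked = boot_chain(policy, tampered)

    # Revoking a vulnerable OEM UEFI app: a forged dbx update is refused, a
    # PK-signed one is applied; the image stays in db but dbx wins, so the
    # chain now stops before the boot manager.
    oem_hash = image_hash(STAGES[1][1])
    forged = policy.apply_update("dbx", oem_hash, "00" * 32)
    revoked = policy.apply_update("dbx", oem_hash, policy.sign_update("dbx", oem_hash))
    after_revoke = boot_chain(policy, STAGES)
    return clean, blocked, forged, revoked, after_revoke


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of the two checks in is_allowed is the point: revocation works because dbx is consulted before db, so a component does not have to be removed from db (which a phone may never be able to rewrite) to be blocked; it only has to be added to dbx by an update the PK holder signed.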
Code signing
All Windows Phone 8 binaries must carry digital signatures issued by Microsoft
OS components and apps have digital signatures
Different from WP7, OEM binaries are also signed by Microsoft
With control over every layer, it becomes very difficult to integrate a custom build.
Windows Phone 7 application security model
Chamber types (fixed permissions vs. dynamically built):
Trusted Computing Base (TCB): for the kernel and drivers (highest risk)
Elevated Rights: for OS components and cross-OS apps like music, exposed to multiple apps
Standard Rights
Least Privilege Chamber (LPC), dynamically built: created ad hoc for each app based on its capabilities, which are expressed in the application manifest, disclosed on Marketplace, and define the app's security boundary on the phone
Chamber security model (sandbox)
Capabilities
WP7 capabilities: capabilities are detected during ingestion and overwrite what you specified during development.
WP8 capabilities: you are responsible for specifying the correct capabilities used by your application in the AppManifest before submitting your app to the Store
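Because WP8 no longer rewrites the capability list at ingestion, the developer has to check it. Below is an added example (not Microsoft's Capability Detection Tool and not code from this talk) that audits a WMAppManifest.xml against the APIs the source actually uses, reporting capabilities that are missing (the app would fail at runtime) and capabilities that are declared but unused (over-privilege the Store shows to the user). The API-to-capability table is a hand-written, partial mapping and an assumption; the manifest and C# fragment are constructed samples.

```python
"""Least-privilege audit of a WP8 WMAppManifest.xml against the app's source.

Added example, not Microsoft tooling. API_TO_CAPABILITY is a hand-written,
partial mapping (assumption) standing in for the SDK's capability detection
rules; extend it for a real project.
"""
import re
import xml.etree.ElementTree as ET

# Type name in C# source -> capability it needs at runtime (assumption).
API_TO_CAPABILITY = {
    "GeoCoordinateWatcher": "ID_CAP_LOCATION",
    "WebClient": "ID_CAP_NETWORKING",
    "HttpWebRequest": "ID_CAP_NETWORKING",
    "PhotoCamera": "ID_CAP_ISV_CAMERA",
    "Microphone": "ID_CAP_MICROPHONE",
    "Contacts": "ID_CAP_CONTACTS",
}


def declared_capabilities(manifest_xml: str) -> set[str]:
    """Capabilities the developer declared under <Capabilities>.

    <App> resets the default namespace (xmlns=""), so tags are matched on
    their local name regardless of namespace.
    """
    root = ET.fromstring(manifest_xml)
    return {
        el.attrib["Name"]
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "Capability" and "Name" in el.attrib
    }


def required_capabilities(source: str) -> set[str]:
    """Capabilities implied by the APIs the source actually touches."""
    needed = set()
    for api, cap in API_TO_CAPABILITY.items():
        if re.search(rf"\b{re.escape(api)}\b", source):
            needed.add(cap)
    return needed


def audit(manifest_xml: str, source: str) -> dict[str, set[str]]:
    """missing: used but not declared (UnauthorizedAccessException at runtime).
    unused: declared but never used (over-privilege disclosed in the Store)."""
    declared = declared_capabilities(manifest_xml)
    required = required_capabilities(source)
    return {"missing": required - declared, "unused": declared - required}


# Constructed sample manifest in the WP8 schema.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment"
            AppPlatformVersion="8.0">
  <DefaultLanguage xmlns="" code="en-US"/>
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}"
       Title="SampleApp" Version="1.0.0.0" Genre="apps.normal" Author="Example">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_CONTACTS" />
    </Capabilities>
  </App>
</Deployment>
"""

# Constructed C# fragment: talks to the network, reads location, opens the camera.
SAMPLE_SOURCE = """
using System.Device.Location;
using System.Net;
using Microsoft.Devices;

var watcher = new GeoCoordinateWatcher(GeoPositionAccuracy.High);
var client = new WebClient();
var camera = new PhotoCamera(CameraType.Primary);
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    print("missing:", sorted(report["missing"]))   # camera used, not declared
    print("unused: ", sorted(report["unused"]))    # contacts declared, not used
```

Run this in a pre-submission step: a non-empty "missing" set is a runtime failure waiting to happen, and a non-empty "unused" set is a capability the Store will disclose to users for no benefit, which is exactly what the least privilege chamber is meant to avoid.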
Windows Phone 8 application security model
Trusted Computing Base (TCB)
Least Privilege Chamber (LPC), dynamically built
WP8 chambers are built on the Windows security infrastructure: TCB for the kernel; LPC for everything else: apps, OS components, drivers
The attack surface becomes smaller
Internet Explorer 10 for Windows Phone
Fast and safe browsing
Runs in the least privilege sandbox: cannot access data in the phone's file system or information from other applications in memory
No plug-ins
Real-time anti-phishing protection: SmartScreen Filter
Device encryption: full internal storage encryption to protect information
Built on the Windows BitLocker architecture (TPM 2.0). Once enabled by policy, encryption is always on; it is not user-manageable and there is no pre-boot PIN entry. All internal storage is encrypted; the SD card is not encrypted but can be managed
Data Leak Prevention (DLP)
Information Rights Management (IRM): helps prevent intellectual property from being leaked
Protects emails and documents on the phone from unauthorized distribution
Support: Exchange Server and SharePoint; Active Directory Rights Management supports all your Mobile Information Management (MIM) needs
Security takeaways
Secure Boot turned on; security model for applications; all binaries are signed; device encryption on
Device access must be controlled!
Device management choice
Enterprise app and device management with System Center Mobile Device Management: for app distribution and access policy management
Exchange ActiveSync (EAS) with Exchange Server and Office 365 for email and configuration management: widely used for mobile email and access policy management
Mobile device policy and reporting
Policies (EAS and MDM): simple password; alphanumeric password; minimum password length; minimum password complex characters; password expiration; password history; device wipe threshold; inactivity timeout; IRM enabled; remote device wipe; device encryption (new); disable removable storage card (new); remote update of business apps (new); remote or local un-enroll (new)
MDM enterprise policies: server-configured policy values; query installed enterprise apps
MDM reporting: device name, device ID, OS platform type, firmware version, OS version, device local time, processor type, device model, device manufacturer, device processor architecture, device language
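The password rows of the policy table, turned into the check a device has to run when the user sets a new password. This is an added example, not Exchange or Windows Phone code. The policy element names follow the EAS Provision schema; the definition of a "simple" password (repeated or sequential digits), the PBKDF2 history store and the salt are this example's own choices and are labeled as assumptions in the code; the policy values are constructed.

```python
"""Evaluate a candidate device password against an Exchange ActiveSync policy.

Added example, not Exchange or Windows Phone code. Element names follow the
EAS Provision schema; the "simple password" rule and the PBKDF2 history store
are this example's own choices (assumptions).
"""
import hashlib
import hmac

# Constructed policy as an EAS server might push it.
POLICY = {
    "DevicePasswordEnabled": True,
    "AllowSimpleDevicePassword": False,       # "simple password" row
    "AlphanumericDevicePasswordRequired": True,
    "MinDevicePasswordLength": 8,
    "MinDevicePasswordComplexCharacters": 3,  # of: lower, upper, digit, symbol
    "DevicePasswordHistory": 5,
    "DevicePasswordExpiration": 90,           # days
    "MaxDevicePasswordFailedAttempts": 10,    # device wipe threshold
    "MaxInactivityTimeDeviceLock": 900,       # seconds
}

_SALT = b"constructed-per-device-salt"        # assumption: one salt per device


def history_entry(password: str) -> bytes:
    """How a previous password is remembered: PBKDF2 output, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


def is_simple(password: str) -> bool:
    """Simple (assumption): one repeated character, or a digit run like 1234 / 4321."""
    if len(set(password)) == 1:
        return True
    if password.isdigit():
        steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
        return steps in ({1}, {-1})
    return False


def complexity_classes(password: str) -> int:
    """Number of character classes present: lower, upper, digit, symbol."""
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    return sum(any(test(c) for c in password) for test in classes)


def check_password(candidate: str, history: list[bytes], policy: dict) -> list[str]:
    """Return every violated policy element; an empty list means accepted."""
    violations = []
    if not policy.get("DevicePasswordEnabled", False):
        return violations
    if len(candidate) < policy["MinDevicePasswordLength"]:
        violations.append("MinDevicePasswordLength")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy["AlphanumericDevicePasswordRequired"] and not (has_alpha and has_digit):
        violations.append("AlphanumericDevicePasswordRequired")
    if complexity_classes(candidate) < policy["MinDevicePasswordComplexCharacters"]:
        violations.append("MinDevicePasswordComplexCharacters")
    if not policy["AllowSimpleDevicePassword"] and is_simple(candidate):
        violations.append("AllowSimpleDevicePassword")
    # Only the last N remembered passwords count; compare in constant time.
    recent = history[-policy["DevicePasswordHistory"]:]
    new_entry = history_entry(candidate)
    if any(hmac.compare_digest(new_entry, old) for old in recent):
        violations.append("DevicePasswordHistory")
    return violations


if __name__ == "__main__":
    past = [history_entry("Winter2012!")]
    for pwd in ("1234", "summer2013", "Winter2012!", "Summer2013!"):
        print(f"{pwd!r:14} -> {check_password(pwd, past, POLICY) or 'accepted'}")
```

Returning the list of violated element names rather than a bare yes/no is deliberate: it is what an enrollment UI needs to tell the user which rule failed, and what a compliance report needs to show IT which policy setting is actually biting.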
Enterprise registration and device enrollment (IT department and Dev Center)
Registration (IT department with the Dev Center): 1. The enterprise registers at the Dev Center; 2. The enterprise downloads the app signing tools; 3. GeoTrust checks that vetting is complete and generates a certificate and Enterprise ID for the enterprise
Device side: 1. Device enrollment; 2. Get apps
Enterprise application management
No need to publish it in the Store; supports multiple organizations' tokens
Development & deployment: 1. Develop the corporate app; 2. Sign the package with the enterprise certificate; 3. Integrate it in the corporate app catalog; 4. Generate tokens to side-load; 5. Deploy by mail, Company Hub, ...
Enterprise app ingestion
Enterprise apps are not submitted to Marketplace for ingestion; app ingestion into the enterprise catalog is owned and managed exclusively by IT
IT is responsible for the quality of enterprise apps and for any impact on the overall experience on the phone
Use the Windows Phone Marketplace Test Kit to evaluate apps; enterprise app capabilities are the same as for public apps
Capabilities are enforced on the phone at app install time; the sandbox is still there. If an app uses the location capability, consider adding an option to disable it
WP7 phones: enterprise app deployment
1. Submit your app to the Marketplace; 2. Mark it as hidden; 3. Email a deep link (IRM); 4. The user downloads and installs the app; 5. Advice: add user authentication
Enterprise app installation works only for enrolled phones
Unmanaged phones: enterprise app deployment (BYOD)
1. Enterprise IT signs the XAP; 2. Email a link with the application enrollment token (IRM); 3. The user downloads and installs the app enrollment token; 4. The user navigates via the web to the enterprise app store, or via a client app; 5. The app is downloaded and installed on the phone; 6. Advice: add user authentication
Enterprise app installation works only for enrolled phones
Managed phones: enterprise app management
Managed by MDM
1. The phone initiates enrollment with MDM; 2. MDM provisions certificates and sends the app enrollment token to the phone; 3. IT can decide to push only one app; 4. Advice: push a discovery app that provides access to apps in the enterprise store; 5. The user always decides whether to install apps; 6. Apps are automatically updated or removed once the phone is enrolled with the enterprise
Company Hub as private marketplace
Remediation
Remote and local wipe: admin initiated or end user initiated
Windowsphone.live.com (demo)
Windows Update: OTA only, not manageable by IT
Application revocation: Marketplace and enterprise apps
Robust security helps to protect information
App sandboxing: the least privilege, secure chambers model is applied to operating system services, inbox apps, and Store apps
Marketplace developer validation, app certification, and malware scanning: assures apps can be trusted and helps protect against malware
Secure Boot: the complete boot sequence is secured, assuring operating system integrity and a known state, and helping protect against malware
Code signing: all code is signed, making sure only known and trusted software components can execute
Device encryption: always-on, hardware assisted and accelerated, full internal storage encryption
5 – 6 – 7 March 2013, Kinepolis Antwerp: 3 days full of fascinating technical sessions for developers and IT professionals. www.techdays.be
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
© 2012 Microsoft Corporation.
All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.