SlideShare a Scribd company logo

Exploiting and analyzing Microsoft Surface Applications

W
Wardell Motley, NSA IAM\IEM

The document presents an analysis of Microsoft Surface applications, emphasizing their increasing relevance in enterprise environments due to the rise of BYOD. It provides insights on app package architecture, extraction methods, and web analysis using tools like Burp Suite while highlighting potential security vulnerabilities. The author, Wardell Motley, aims to fill the knowledge gap around Surface platform applications, typically overshadowed by discussions on iOS and Android.

Engineering
1 of 28
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
BSIDES DFW 2014 Into the Mobile DeepExploiting and Analyzing Microsoft SurfaceApplications
2 Who am I? Wardell Motley Currently: Penetration Tester Veracode Previously Sr. Penetration Tester (Undisclosed) Systems Administrator: Walls Industries Network Administrator: CSI Other Security Related Stuff: Contributor: The Ethical Hacker.Net Contributor:Hakin9 Magazine …….Others
3 •Why Bother? •Introduction to Microsoft Surface •App Supply Chain •Package Breakdown •Extraction and Analysis •Web Analysis Goals
4 •Seems to be very little discussion surrounding Surface Platform Applications •Most People seem to be Fixated on IOS and Android Applications •More and More Surface devices appearing in the Enterprise environment due to BYOD •I’m tired of hearing about things everyone else already knows!! Why Bother?
5 Surface Platform (More than just the tablets)
6 Surface Platform Architecture OSKernel CPU Surface ARMv7 WinRT 8.0 NvidaTegra Surface2 ARMv7 WinRT8.1 NvidaTegra SurfacePro x86/x64 WinRT8.0 IntelIvy Bridge SurfacePro 2 x86/x64 WinRT 8.0 IntelHaswell SurfacePro 3 x86/x64 WinRT 8.1 IntelHaswell
7 Surface App Supply Chain Development Win32 and C++ .NET C# and XAML DirectX HTML/JavaScript Publish Windows Store Consumption Surface Surface 2 Surface Pro 2
8 Windows Runtime app packages .Appx AppX App Manifest App Block Map App Signature App Payload
9 Windows Runtime app packages .Appx App Payload App Code files and assets Payload files are the code files and assets that you create when you actually create the App App Manifest The manifest declares the identity of the application. Basically what does this application do? App Block Map The block map files lists all of the applications files along with associated cryptographic hashes App Signature The app signature ensures that the contents of the Appx hasn’t been modified and they get signed
10 Surface Apps: Distribution & Location Apps are distributed as .zip archives from the Microsoft Store 3rdparty apps are stored inside C:Program FilesWindowsApps
11 Directory Structure
12 Surface Apps: Distribution & Location
13 Surface Apps: Distribution & Location
14 Surface Apps: Extraction & Analysis Unzip It!
15 Surface Apps: Extraction & Analysis App packer (MakeAppx.exe) App Packer creates the app package from files on disk or extracts the files from the app package to disk -Requires Installation of Windows SDK 8.1
16 Surface Apps: Extraction & Analysis Extract It! MakeAppx unpack /l /v /p application.appx/d “D:My Files
17 Surface Apps: Extraction & Analysis Extract It!
18 Surface Apps: Extraction & Analysis Unzip It!
19 Surface Apps: Extraction & Analysis Goodies to be Found! Hard Coded Usernames and Passwords Database Files with Unmasked User data Active Test Licensing Keys Many others……
20 Surface Apps: Web Analysis Proxying Surface Application traffic through Burp Suite Traditional Web Application Testing
21 Surface Apps: Web Analysis You are already a Pro at this! Setup Secondary Interface Under Burp Suite Options Tab Install Burp Suite SSL Certificate in Trusted Store on Microsoft Store
22 If you are not the web app guy you thought you were see references!
23 If you are not the web app guy you thought you were see references! Setup Secondary Interface Under Burp Suite Options Tab Install Burp Suite SSL Certificate in Trusted Store on Microsoft Store
24 Surface Apps: Web Analysis Goodies to be Found! OWASP Top 10 YadaYada Other Unencrypted Goodness
25 Questions?
26 Contact Information LinkedIn: Wardell Motley Twitter:Infowarrior0 Email:infowarrior0@gmail.com Please Put “BsidesDFW 2014 in the Subject Line”
27 App Packager Manager http://msdn.microsoft.com/en-us/library/windows/desktop/hh446767(v=vs.85).aspx Windows SDK for Windows 8.1 http://dev.windows.com/en-us/develop/downloads XAML Decompiler (Convert XBF to XAML) http://xamldecompiler.codeplex.com/ Burp Suite Pro http://portswigger.net/burp/ Installing Burp Suite Pro SSL Certificates http://portswigger.net/burp/help/proxy_options_installingCAcert.html References:
28 Proxying Traffic through Microsoft Surface http://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-device Burp Suite SSL Options http://portswigger.net/burp/help/options_ssl.html Windows Runtime Apps http://msdn.microsoft.com/en-us/library/windows/desktop/hh464929.aspx References: http://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-devicehttp://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-device

More Related Content

PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PDF
09 Myths About Open Source Software
Suyati Technologies
 
PDF
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
Yury M
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PDF
OWASP for iOS
Phineas Huang
 
PDF
Week11
so3137
 
PDF
Apple threat-landscape
Andrey Apuhtin
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
[Wroclaw #1] Android Security Workshop
OWASP
 
09 Myths About Open Source Software
Suyati Technologies
 
YuryMakedonov_TesTrek2013_AndroidTesting_12u_slides
Yury M
 
Android Security & Penetration Testing
Subho Halder
 
OWASP for iOS
Phineas Huang
 
Week11
so3137
 
Apple threat-landscape
Andrey Apuhtin
 

What's hot (16)

PPTX
Understanding android security model
Pragati Rai
 
PPT
Understanding Android Security
Asanka Dilruk
 
PDF
無題 1
s1170034
 
PDF
Mobile application security tools
QTMContent
 
PDF
You installed what Thierry Sans
OWASP-Qatar Chapter
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
PDF
(In)security in Open Source
Shane Coughlan
 
PDF
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
PDF
Compliance in the 2016 Future of Open Source
Black Duck by Synopsys
 
PPTX
Indie Game Development
Shahed Chowdhuri
 
PDF
The Evolution of the Fileless Click-Fraud Malware Poweliks
Symantec
 
PPTX
100 effective software testing tools that boost your Testing
BugRaptors
 
PDF
IRJET- Android Malware Detection System
IRJET Journal
 
PPT
I os note kenlai-2014 mar
Ken Lai
 
PPTX
Open source software
Amruhtha Viswanathan
 
PDF
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
Understanding android security model
Pragati Rai
 
Understanding Android Security
Asanka Dilruk
 
無題 1
s1170034
 
Mobile application security tools
QTMContent
 
You installed what Thierry Sans
OWASP-Qatar Chapter
 
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
(In)security in Open Source
Shane Coughlan
 
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Compliance in the 2016 Future of Open Source
Black Duck by Synopsys
 
Indie Game Development
Shahed Chowdhuri
 
The Evolution of the Fileless Click-Fraud Malware Poweliks
Symantec
 
100 effective software testing tools that boost your Testing
BugRaptors
 
IRJET- Android Malware Detection System
IRJET Journal
 
I os note kenlai-2014 mar
Ken Lai
 
Open source software
Amruhtha Viswanathan
 
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
Ad

Similar to Exploiting and analyzing Microsoft Surface Applications (20)

PDF
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
PDF
Embedded Programming With Android Bringing Up An Android System From Scratch ...
barelapaablo
 
PPTX
Mobile Application Penetration Testing - Android
UtpalSwain2
 
PDF
Introduction to Android App Development
Andri Yadi
 
PPTX
Android Overview
Raju Kadam
 
PPTX
Mobile Web Apps and the Intel® XDK
Intel® Software
 
PDF
Mobile Application Development-Lecture 03 & 04.pdf
AbdullahMunir32
 
PPTX
Crosswalk and the Intel XDK
Intel® Software
 
PDF
Blackberry_runtime_for_android_apps
Droidcon Berlin
 
PDF
Android Part-1 - Hello Android
Bipin Jethwani
 
PPTX
Windows 10 UWP Development Overview
DevGAMM Conference
 
PPTX
Manish Chasta - Securing Android Applications
Positive Hack Days
 
PPTX
Please, Please, PLEASE Defend Your Mobile Apps!
Jerod Brennen
 
PPSX
Android..!!
Parthik Poshiya
 
PDF
Cookbook for Building An App
Manish Jain
 
PPTX
Building Windows8 Metro Applications
Abhishek Sur
 
PPT
rakesh
Rakesh Jaiswal
 
PDF
Evolution of Android Operating System and it’s Versions
ijtsrd
 
PDF
An brief introduction to android operating system
Alexander Decker
 
PDF
Software training report
Natasha Bains
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Embedded Programming With Android Bringing Up An Android System From Scratch ...
barelapaablo
 
Mobile Application Penetration Testing - Android
UtpalSwain2
 
Introduction to Android App Development
Andri Yadi
 
Android Overview
Raju Kadam
 
Mobile Web Apps and the Intel® XDK
Intel® Software
 
Mobile Application Development-Lecture 03 & 04.pdf
AbdullahMunir32
 
Crosswalk and the Intel XDK
Intel® Software
 
Blackberry_runtime_for_android_apps
Droidcon Berlin
 
Android Part-1 - Hello Android
Bipin Jethwani
 
Windows 10 UWP Development Overview
DevGAMM Conference
 
Manish Chasta - Securing Android Applications
Positive Hack Days
 
Please, Please, PLEASE Defend Your Mobile Apps!
Jerod Brennen
 
Android..!!
Parthik Poshiya
 
Cookbook for Building An App
Manish Jain
 
Building Windows8 Metro Applications
Abhishek Sur
 
rakesh
Rakesh Jaiswal
 
Evolution of Android Operating System and it’s Versions
ijtsrd
 
An brief introduction to android operating system
Alexander Decker
 
Software training report
Natasha Bains
 
Ad

Recently uploaded (20)

PPTX
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
jpsjournal1
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
PDF
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PDF
composite construction of structures.pdf
AinieButt1
 
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PPTX
web development for engineering and engineering
keshriji700
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PPTX
Strings in CPP - Strings in C++ are sequences of characters used to store and...
sangeethamtech26
 
PDF
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
jpsjournal1
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
composite construction of structures.pdf
AinieButt1
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
web development for engineering and engineering
keshriji700
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
Well-logging-methods_new................
ZafriFarid
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
Strings in CPP - Strings in C++ are sequences of characters used to store and...
sangeethamtech26
 
Digital Logic Computer Design lecture notes
CHINNASUNKAIAH1
 

Exploiting and analyzing Microsoft Surface Applications

  • 1. BSIDES DFW 2014 Into the Mobile DeepExploiting and Analyzing Microsoft SurfaceApplications
  • 2. 2 Who am I? Wardell Motley Currently: Penetration Tester Veracode Previously Sr. Penetration Tester (Undisclosed) Systems Administrator: Walls Industries Network Administrator: CSI Other Security Related Stuff: Contributor: The Ethical Hacker.Net Contributor:Hakin9 Magazine …….Others
  • 3. 3 •Why Bother? •Introduction to Microsoft Surface •App Supply Chain •Package Breakdown •Extraction and Analysis •Web Analysis Goals
  • 4. 4 •Seems to be very little discussion surrounding Surface Platform Applications •Most People seem to be Fixated on IOS and Android Applications •More and More Surface devices appearing in the Enterprise environment due to BYOD •I’m tired of hearing about things everyone else already knows!! Why Bother?
  • 5. 5 Surface Platform (More than just the tablets)
  • 6. 6 Surface Platform Architecture OSKernel CPU Surface ARMv7 WinRT 8.0 NvidaTegra Surface2 ARMv7 WinRT8.1 NvidaTegra SurfacePro x86/x64 WinRT8.0 IntelIvy Bridge SurfacePro 2 x86/x64 WinRT 8.0 IntelHaswell SurfacePro 3 x86/x64 WinRT 8.1 IntelHaswell
  • 7. 7 Surface App Supply Chain Development Win32 and C++ .NET C# and XAML DirectX HTML/JavaScript Publish Windows Store Consumption Surface Surface 2 Surface Pro 2
  • 8. 8 Windows Runtime app packages .Appx AppX App Manifest App Block Map App Signature App Payload
  • 9. 9 Windows Runtime app packages .Appx App Payload App Code files and assets Payload files are the code files and assets that you create when you actually create the App App Manifest The manifest declares the identity of the application. Basically what does this application do? App Block Map The block map files lists all of the applications files along with associated cryptographic hashes App Signature The app signature ensures that the contents of the Appx hasn’t been modified and they get signed
  • 10. 10 Surface Apps: Distribution & Location Apps are distributed as .zip archives from the Microsoft Store 3rdparty apps are stored inside C:Program FilesWindowsApps
  • 12. 12 Surface Apps: Distribution & Location
  • 13. 13 Surface Apps: Distribution & Location
  • 14. 14 Surface Apps: Extraction & Analysis Unzip It!
  • 15. 15 Surface Apps: Extraction & Analysis App packer (MakeAppx.exe) App Packer creates the app package from files on disk or extracts the files from the app package to disk -Requires Installation of Windows SDK 8.1
  • 16. 16 Surface Apps: Extraction & Analysis Extract It! MakeAppx unpack /l /v /p application.appx/d “D:My Files
  • 17. 17 Surface Apps: Extraction & Analysis Extract It!
  • 18. 18 Surface Apps: Extraction & Analysis Unzip It!
  • 19. 19 Surface Apps: Extraction & Analysis Goodies to be Found! Hard Coded Usernames and Passwords Database Files with Unmasked User data Active Test Licensing Keys Many others……
  • 20. 20 Surface Apps: Web Analysis Proxying Surface Application traffic through Burp Suite Traditional Web Application Testing
  • 21. 21 Surface Apps: Web Analysis You are already a Pro at this! Setup Secondary Interface Under Burp Suite Options Tab Install Burp Suite SSL Certificate in Trusted Store on Microsoft Store
  • 22. 22 If you are not the web app guy you thought you were see references!
  • 23. 23 If you are not the web app guy you thought you were see references! Setup Secondary Interface Under Burp Suite Options Tab Install Burp Suite SSL Certificate in Trusted Store on Microsoft Store
  • 24. 24 Surface Apps: Web Analysis Goodies to be Found! OWASP Top 10 YadaYada Other Unencrypted Goodness
  • 26. 26 Contact Information LinkedIn: Wardell Motley Twitter:Infowarrior0 Email:[email protected] Please Put “BsidesDFW 2014 in the Subject Line”
  • 27. 27 App Packager Manager http://msdn.microsoft.com/en-us/library/windows/desktop/hh446767(v=vs.85).aspx Windows SDK for Windows 8.1 http://dev.windows.com/en-us/develop/downloads XAML Decompiler (Convert XBF to XAML) http://xamldecompiler.codeplex.com/ Burp Suite Pro http://portswigger.net/burp/ Installing Burp Suite Pro SSL Certificates http://portswigger.net/burp/help/proxy_options_installingCAcert.html References:
  • 28. 28 Proxying Traffic through Microsoft Surface http://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-device Burp Suite SSL Options http://portswigger.net/burp/help/options_ssl.html Windows Runtime Apps http://msdn.microsoft.com/en-us/library/windows/desktop/hh464929.aspx References: http://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-devicehttp://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-device