Windows Phone 8 Security deep dive @DavidHernie Technical Evangelist Microsoft Belux


More info on http://www.techdays.be


Page 1: Windows Phone 8 Security Deep Dive

Windows Phone 8 Security deep dive

@DavidHernie, Technical Evangelist, Microsoft Belux

Page 2

Agenda

- Security goals: what is this all about?
- Data protection: prevent unauthorized access to data
- System integrity: prevent malware from taking control
- Access control and app management: provide secure access to the device
- App platform security: architecture and recommendations
- Remediation: what if something goes wrong?

Page 3

All large screen, dual-core, LTE and NFC:

- Nokia Lumia 920: 4.5”, PureMotion display, PureView OIS camera; Nokia City Lens, Nokia Music streaming, wireless charging
- Nokia Lumia 820: 4.3”, ClearBlack display, Carl Zeiss lens; snap-on back cover, wireless charging, Nokia City Lens, Nokia Music streaming
- Samsung ATIV S: 4.8”, HD Super AMOLED display; NFC Tap-to-send, Samsung Family Story
- HTC 8X: 4.3”, Gorilla Glass 2 display, ultra-wide-angle camera lens; built-in Beats Audio, built-in amp

Page 4

Security Goals

- Business compliance: enterprise, policy, management
- User first: great user experiences; what is the impact on them?
- End user safety: users are not always aware, so give them tools to protect themselves
- Developer trust: create apps on a trustable platform

Page 5

New WP8 security controls

- Secure Boot helps prevent malware from being installed on the phone.
- Secure Boot helps ensure the integrity of the entire operating system.
- The Secure Boot implementation is provided by the SoC and has two phases:
  - pre-UEFI secure boot loaders initialize the hardware;
  - UEFI secure boot helps ensure the integrity of the OS.

Page 6

Secure UEFI

Secure boot process (the slide's diagram; the legend colours each stage by owner: SoC vendor, OEM, MSFT):

1. Power on
2. Secure pre-boot loader
3. Firmware boot loaders
4. OEM UEFI applications (OEM)
5. Windows Phone boot manager (MSFT)
6. Windows Phone 8 OS boot, Windows Phone 8 update OS boot, or boot to flashing mode

UEFI specifications: http://www.uefi.org/specs/

Page 7

Signed pre-boot loader

- No secure boot bypass for users: secure flashing is required.
- During manufacturing the pre-boot loader is securely signed. The public key used to sign the initial boot loaders, plus a number of unique and common per-device keys, are provisioned and the appropriate fuses are blown, so the keys become read-only.
- Every phone gets a unique key (used for encryption, among other things).

Page 8

Secure UEFI Boot Loader: all about keys

- Platform Key (PK), the master key: once the PK is provisioned, the UEFI environment is “enabled”.
- Key Exchange Key (KEK): can be used to sign updates to the signature databases.
- Allowed and Forbidden Signature Databases (db/dbx): control which images can be loaded. dbx contains forbidden keys and can be updated. Only signed components are supported; together these form the secure boot policy.

Boot sequence
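The chain described on pages 5 to 8 (each stage verifies the next, dbx overrides db, and only a KEK-signed update may change dbx) is shown below as an added example. It is not code from the deck or from Windows Phone: real UEFI uses Authenticode/X.509, whereas this model uses ed25519 from the Go standard library so it runs offline. The stage names, the three key holders (Microsoft, OEM, KEK) and the image contents are constructed for the demo; the fused root key that verifies the pre-boot loader is represented simply as the initial contents of db.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is one boot stage: the code, the public key that signed it and the signature.
type Image struct {
	Name   string
	Code   []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// SigDB models the UEFI db (allowed) and dbx (forbidden) databases. Entries are
// SHA-256 digests of either a signer's public key or a whole image.
type SigDB struct {
	Allowed   map[[32]byte]bool
	Forbidden map[[32]byte]bool
}

func digest(b []byte) [32]byte { return sha256.Sum256(b) }

// VerifyImage applies the secure boot policy to one stage. A valid signature is
// necessary but not sufficient: dbx is checked before db, so a revoked key or
// image digest is rejected even though it would otherwise be allowed.
func VerifyImage(db *SigDB, img Image) error {
	if len(img.Signer) != ed25519.PublicKeySize {
		return fmt.Errorf("%s: malformed signer key", img.Name)
	}
	if !ed25519.Verify(img.Signer, img.Code, img.Sig) {
		return fmt.Errorf("%s: signature does not verify", img.Name)
	}
	keyID, imgID := digest(img.Signer), digest(img.Code)
	if db.Forbidden[keyID] || db.Forbidden[imgID] {
		return fmt.Errorf("%s: signer or image is listed in dbx", img.Name)
	}
	if !db.Allowed[keyID] && !db.Allowed[imgID] {
		return fmt.Errorf("%s: signer is not listed in db", img.Name)
	}
	return nil
}

// Boot walks the chain in order. The first failure halts the boot; there is no
// user-facing bypass, matching the "no secure boot bypass for users" rule.
func Boot(db *SigDB, chain []Image) ([]string, error) {
	var booted []string
	for _, img := range chain {
		if err := VerifyImage(db, img); err != nil {
			return booted, err
		}
		booted = append(booted, img.Name)
	}
	return booted, nil
}

// RevokeWithKEK adds a dbx entry only when the update is signed by the KEK,
// the key that authorizes signature-database updates.
func RevokeWithKEK(db *SigDB, kek ed25519.PublicKey, entry [32]byte, sig []byte) error {
	if len(kek) != ed25519.PublicKeySize || !ed25519.Verify(kek, entry[:], sig) {
		return errors.New("dbx update is not signed by the KEK")
	}
	db.Forbidden[entry] = true
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo provisions keys for the three parties (constructed), boots a signed chain,
// then revokes the OEM key through a KEK-signed dbx update and boots again.
func Demo() (firstBoot, secondBoot []string, secondErr error) {
	msPub, msPriv := mustKey()   // Microsoft: boot manager and OS images
	oemPub, oemPriv := mustKey() // OEM: UEFI applications
	kekPub, kekPriv := mustKey() // KEK: signs db/dbx updates

	db := &SigDB{
		Allowed:   map[[32]byte]bool{digest(msPub): true, digest(oemPub): true},
		Forbidden: map[[32]byte]bool{},
	}
	sign := func(name string, code []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey) Image {
		return Image{Name: name, Code: code, Signer: pub, Sig: ed25519.Sign(priv, code)}
	}
	chain := []Image{ // constructed stand-ins for the stages on page 6
		sign("oem-uefi-app", []byte("oem uefi application"), oemPub, oemPriv),
		sign("wp-bootmgr", []byte("windows phone boot manager"), msPub, msPriv),
		sign("wp8-os", []byte("windows phone 8 os"), msPub, msPriv),
	}
	firstBoot, _ = Boot(db, chain)

	oemKeyID := digest(oemPub)
	if err := RevokeWithKEK(db, kekPub, oemKeyID, ed25519.Sign(kekPriv, oemKeyID[:])); err != nil {
		panic(err)
	}
	secondBoot, secondErr = Boot(db, chain)
	return firstBoot, secondBoot, secondErr
}

func main() {
	first, second, err := Demo()
	fmt.Println("before revocation:", first)
	fmt.Println("after revocation: ", second, "halted:", err)
}
```

Running it boots all three stages, then halts at the OEM application once the OEM key is in dbx, even though the signature on that image is still mathematically valid. That ordering (revocation first, allow-list second) is the property to check when reviewing any secure boot implementation.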

Page 9

Code Signing

- All Windows Phone 8 binaries must carry digital signatures issued by Microsoft.
- OS components and apps have digital signatures.
- Unlike WP7, OEM binaries are signed by Microsoft.

With control of every layer, it becomes very difficult to integrate a custom build.

Page 10

Windows Phone 7 Application security model

Chamber security model (sandbox). Chamber types:

- Trusted Computing Base (TCB): for the kernel and drivers (highest risk)
- Elevated Rights: for OS components and cross-OS apps like music that are exposed to multiple apps
- Standard Rights: fixed permissions
- Least Privilege Chamber (LPC): dynamically built, created ad hoc for each app based on its capabilities

Capabilities: expressed in the application manifest, disclosed on Marketplace, and they define the app’s security boundary on the phone.

Page 11

Capabilities

- WP7: capabilities are detected during ingestion and overwrite what you specified during development.
- WP8: you are responsible for specifying the correct capabilities used by your application in the AppManifest before submitting your app to the Store.

Page 12

Windows Phone 8 Application security model

WP8 chambers are built on the Windows security infrastructure:

- TCB for the kernel
- LPC (dynamically built) for everything else: apps, OS components and drivers

The attack surface becomes smaller.

Page 13

Internet Explorer 10 for Windows Phone: fast and safe browsing

- Runs in the least-privilege sandbox: it cannot access data in the phone’s file system or read information from other applications in memory.
- No plug-ins.
- Real-time anti-phishing protection: SmartScreen Filter.

Page 14

Device Encryption: full internal storage encryption to protect information

- Built on the Windows BitLocker architecture (TPM 2.0)
- Encryption is always on: the user cannot manage it, and there is no pre-boot PIN entry (the policy table on page 18 lists device encryption as an EAS/MDM policy setting, so enrollment policy is what switches it on)
- All internal storage is encrypted
- The SD card is not encrypted, but removable storage can be managed by policy

Page 15

Data Leak Prevention (DLP)

Information Rights Management (IRM) helps prevent intellectual property from being leaked: it protects emails and documents on the phone from unauthorized distribution. It is supported with Exchange Server and SharePoint, and Active Directory Rights Management supports all your Mobile Information Management (MIM) needs.

Page 16

Security takeaways

- Secure boot turned on
- Security model for applications
- All binaries are signed
- Device encryption on

Device access must be controlled!

Page 17

Device management choice

- Enterprise app and device management with System Center Mobile Device Management: for app distribution and access-policy management.
- Exchange ActiveSync with Exchange Server and Office 365 for email and configuration management: widely used for mobile email and access-policy management.

Page 18

Mobile device policy and reporting

| Feature | EAS | MDM |
|---|---|---|
| Enterprise policies: simple password, alphanumeric password, minimum password length, minimum password complex characters, password expiration, password history, device wipe threshold, inactivity timeout, IRM enabled, remote device wipe, device encryption (new), disable removable storage card (new), remote update of business apps (new), remote or local un-enroll (new) | yes | yes |
| Reporting: server-configured policy values, query installed enterprise apps, device name, device ID, OS platform type, firmware version, OS version, device local time, processor type, device model, device manufacturer, device processor architecture, device language | (NA) | yes |
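The password rules in the table above (simple password, alphanumeric, minimum length, minimum complex characters, password history, device wipe threshold) are what the phone has to evaluate locally. The block below is an added example of that evaluation, written for this page rather than taken from the deck or from Windows Phone; the struct field names are mine, not the EAS wire names, and "minimum complex characters" is interpreted as the number of distinct character classes (lower, upper, digit, other), which is how Exchange documents that setting. The unlock guard shows the wipe threshold driving the local-wipe remediation from page 25.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"unicode"
)

// PasswordPolicy holds the device password settings an EAS/MDM server pushes.
// Field names are this example's own, not the EAS protocol identifiers.
type PasswordPolicy struct {
	AllowSimple     bool // permit repeated or sequential passwords such as 1111 or 1234
	Alphanumeric    bool // require at least one letter and one digit
	MinLength       int  // minimum password length (in characters, not bytes)
	MinComplexChars int  // minimum number of distinct character classes (1 to 4)
	HistoryDepth    int  // reject reuse of the most recent N passwords
	WipeThreshold   int  // failed unlock attempts before the device wipes itself; 0 disables
}

// isSimple reports whether pw is a single repeated character or a strictly
// ascending/descending run, the patterns the "simple password" policy blocks.
func isSimple(pw string) bool {
	r := []rune(pw)
	if len(r) == 0 {
		return true
	}
	repeated, ascending, descending := true, true, true
	for i := 1; i < len(r); i++ {
		if r[i] != r[0] {
			repeated = false
		}
		if r[i] != r[i-1]+1 {
			ascending = false
		}
		if r[i] != r[i-1]-1 {
			descending = false
		}
	}
	return repeated || ascending || descending
}

// complexity counts character classes and reports whether letters and digits occur.
func complexity(pw string) (classes int, hasLetter, hasDigit bool) {
	var lower, upper, digit, other bool
	for _, c := range pw {
		switch {
		case unicode.IsLower(c):
			lower = true
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsDigit(c):
			digit = true
		default:
			other = true
		}
	}
	for _, present := range []bool{lower, upper, digit, other} {
		if present {
			classes++
		}
	}
	return classes, lower || upper, digit
}

// Validate returns nil when pw satisfies the policy, otherwise the first rule it breaks.
// history[0] is the most recent previous password.
func (p PasswordPolicy) Validate(pw string, history []string) error {
	if len([]rune(pw)) < p.MinLength {
		return fmt.Errorf("shorter than minimum length %d", p.MinLength)
	}
	if !p.AllowSimple && isSimple(pw) {
		return errors.New("simple (repeated or sequential) password not allowed")
	}
	classes, letter, digit := complexity(pw)
	if p.Alphanumeric && !(letter && digit) {
		return errors.New("alphanumeric password required")
	}
	if classes < p.MinComplexChars {
		return fmt.Errorf("needs %d character classes, has %d", p.MinComplexChars, classes)
	}
	for i, old := range history {
		if i >= p.HistoryDepth {
			break
		}
		if old == pw {
			return errors.New("password reused from history")
		}
	}
	return nil
}

// UnlockGuard enforces the device wipe threshold on the phone. The secret is kept
// as a SHA-256 digest for the demo; a production store would use a salted, slow hash.
type UnlockGuard struct {
	Policy PasswordPolicy
	hash   [32]byte
	failed int
	Wiped  bool
}

func NewUnlockGuard(p PasswordPolicy, password string) *UnlockGuard {
	return &UnlockGuard{Policy: p, hash: sha256.Sum256([]byte(password))}
}

// TryUnlock returns true on a correct password and resets the failure counter.
// Each wrong attempt counts toward the threshold; reaching it wipes the device
// (the local-wipe remediation), after which nothing unlocks it.
func (g *UnlockGuard) TryUnlock(attempt string) bool {
	if g.Wiped {
		return false
	}
	h := sha256.Sum256([]byte(attempt))
	if subtle.ConstantTimeCompare(h[:], g.hash[:]) == 1 {
		g.failed = 0
		return true
	}
	g.failed++
	if g.Policy.WipeThreshold > 0 && g.failed >= g.Policy.WipeThreshold {
		g.Wiped = true
		g.hash = [32]byte{}
	}
	return false
}

func main() {
	p := PasswordPolicy{Alphanumeric: true, MinLength: 8, MinComplexChars: 3, HistoryDepth: 3, WipeThreshold: 5}
	for _, pw := range []string{"12345678", "Passw0rd!"} { // constructed sample inputs
		fmt.Printf("%q: %v\n", pw, p.Validate(pw, nil))
	}
	g := NewUnlockGuard(p, "Passw0rd!")
	for i := 0; i < 5; i++ {
		g.TryUnlock("wrong")
	}
	fmt.Println("wiped after 5 failures:", g.Wiped)
}
```

Note that a correct unlock resets the counter, so the threshold is consecutive failures; whether a reboot or power loss also resets it is a design decision worth checking on any real device, since an attacker who can reset the counter cheaply defeats the threshold.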

Page 19

Enterprise Application Management

Registration (between the IT department and the Dev Center):
1. The enterprise registers at the Dev Center
2. The enterprise downloads the app tools (signing tools)
3. GeoTrust checks that vetting is complete and generates a certificate for the enterprise

Development and deployment:
1. Develop the corporate app
2. Sign the package with the enterprise certificate
3. Integrate it in the corporate app catalog
4. Generate tokens to side-load
5. Deploy by mail, corporate hub, ...

Phone side: 1. device enrollment, 2. get apps, 3. certificate and Enterprise ID.

No need to publish the app; multiple organization tokens are supported.

Page 20

Enterprise app ingestion

- Enterprise apps are not submitted to Marketplace for ingestion; app ingestion into the enterprise catalog is owned and managed exclusively by IT.
- IT is responsible for the quality of enterprise apps and for any impact on the overall experience on the phone.
- Use the Windows Phone Marketplace Test Kit to evaluate apps. Enterprise app capabilities are the same as for public apps.
- Capabilities are enforced on the phone at app install time, and the sandbox is still there. If the app uses the location capability, it is advisable to add an option to disable it.
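Because WP8 makes the developer responsible for the capabilities declared in the manifest (page 11) and makes IT the sole gate for enterprise apps (this page), a catalog needs its own check of what a XAP asks for. The block below is an added example of that check, not code from the deck or from the Windows Phone tooling: it parses the `<Capabilities>` element of a WMAppManifest.xml, compares it with an enterprise allowlist and flags the location capability per the advice above. The manifest content, product ID and the `CatalogPolicy` allowlist are constructed for the demo; the capability names used are real WP8 identifiers, the policy is assumed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// wmAppManifest is a minimal view of WMAppManifest.xml: only the declared
// capabilities matter here. The tags use local names, so the deployment
// namespace on <Deployment> and the empty namespace on <App> are both accepted.
type wmAppManifest struct {
	XMLName      xml.Name `xml:"Deployment"`
	Capabilities []struct {
		Name string `xml:"Name,attr"`
	} `xml:"App>Capabilities>Capability"`
}

// DeclaredCapabilities parses a WP8 manifest and returns the capability names it declares.
func DeclaredCapabilities(manifestXML []byte) ([]string, error) {
	var m wmAppManifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	names := make([]string, 0, len(m.Capabilities))
	for _, c := range m.Capabilities {
		names = append(names, c.Name)
	}
	return names, nil
}

// AuditReport separates what the catalog accepts from what it must reject.
type AuditReport struct {
	Allowed  []string
	Rejected []string // declared but outside the catalog policy: do not ingest
	Warnings []string // allowed, but worth a review before ingestion
}

// AuditManifest applies the IT allowlist (an assumed policy, not from the deck)
// and warns on ID_CAP_LOCATION, which the deck says apps should let users disable.
func AuditManifest(manifestXML []byte, allow map[string]bool) (AuditReport, error) {
	var r AuditReport
	caps, err := DeclaredCapabilities(manifestXML)
	if err != nil {
		return r, err
	}
	sort.Strings(caps)
	for _, c := range caps {
		if !allow[c] {
			r.Rejected = append(r.Rejected, c)
			continue
		}
		r.Allowed = append(r.Allowed, c)
		if c == "ID_CAP_LOCATION" {
			r.Warnings = append(r.Warnings, "ID_CAP_LOCATION declared: confirm the app offers an option to disable location")
		}
	}
	return r, nil
}

// SampleManifest is a constructed WMAppManifest.xml for the demo (zero GUID, made-up title).
const SampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <DefaultLanguage xmlns="" code="en-US"/>
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="ExpenseApp" Version="1.0.0.0">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING"/>
      <Capability Name="ID_CAP_LOCATION"/>
      <Capability Name="ID_CAP_MEDIALIB_PHOTO"/>
    </Capabilities>
  </App>
</Deployment>`

// CatalogPolicy is an assumed enterprise allowlist for the corporate catalog.
var CatalogPolicy = map[string]bool{
	"ID_CAP_NETWORKING": true,
	"ID_CAP_LOCATION":   true,
}

func main() {
	r, err := AuditManifest([]byte(SampleManifest), CatalogPolicy)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	fmt.Printf("allowed: %v\nrejected: %v\nwarnings: %v\n", r.Allowed, r.Rejected, r.Warnings)
}
```

The audit is a static check on the declaration only; the phone still enforces the same list at install time, so the two never disagree about what the app may touch, but only the catalog can say whether the enterprise wanted it to.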

Page 21

WP7 phones: enterprise app deployment

1. Submit your app to the Marketplace
2. Mark it as hidden
3. Email a deep link (IRM)
4. The user downloads and installs the app
5. Advice: add user authentication to the app

Enterprise app installation works only for enrolled phones.

Page 22

Unmanaged phones: enterprise app deployment (BYOD)

1. Enterprise IT signs the XAP
2. Email a link with the app enrollment token (IRM)
3. The user downloads and installs the app enrollment token
4. The user navigates to the enterprise app store via the web or via a client app
5. The app is downloaded and installed on the phone
6. Advice: add user authentication to the app

Enterprise app installation works only for enrolled phones.

Page 23

Managed phones: enterprise app management (managed by MDM)

1. The phone initiates enrollment with the MDM
2. The MDM provisions certificates and sends the app enrollment token to the phone
3. IT can decide to push only one app
4. Advice: push a discovery app that provides access to the apps in the enterprise store
5. The user always decides whether to install apps
6. Apps are updated or removed automatically once the phone is enrolled with the enterprise

Page 24

Company Hub as private marketplace

Page 25

Remediate

- Remote and local wipe: admin-initiated or end-user-initiated; windowsphone.live.com (demo)
- Windows Update: OTA only, not manageable by IT
- Application revocation: Marketplace and enterprise apps

Page 26

Robust security helps to protect information

- Secure boot: the complete boot sequence is secured, which assures operating system integrity and a known state and helps protect against malware.
- Code signing: all code is signed, making sure only known and trusted software components can execute.
- App sandboxing: the least-privilege, secure chambers model is applied to operating system services, inbox apps, and Store apps.
- Marketplace developer validation, app certification, and malware scanning: assures apps can be trusted and helps protect against malware.
- Device encryption: always-on, hardware-assisted and accelerated, full internal storage encryption.

Page 27

5, 6 and 7 March 2013, Kinepolis Antwerp: 3 days full of fascinating technical sessions for developers and IT professionals. www.techdays.be

Page 28

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

© 2012 Microsoft Corporation.

All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.