Static Analysis of Windows Phone Applications
The objective of the project was to analyse a number of Windows Phone apps for common security issues. It started with the manual analysis of selected applications. It soon became evident that many of the analysis steps can be automated to save time. Another observation was that several applications suffer from similar security issues.
The issues found fall into four groups:
- Broken Cryptography,
- Insufficient Transport Layer Security,
- Exposed API keys and
- Other exposed client secrets.
As most of these issues can be found by automated analysis, a framework for downloading and analysing Windows Phone applications was developed. Using this framework, roughly 40,000 distinct Windows Phone 8.1 application files were downloaded and analysed. Older applications, e.g. for Windows Phone 7, are published encrypted, which makes them resistant to static analysis. Extracting and decompiling the ~40,000 applications resulted in over 2 million unique source-code files, which were examined statically. 8.5% of all analysed applications contain at least one security-relevant issue. The following list shows the number of affected applications per issue group:
- 13 applications use broken cryptography,
- 83 applications ignore HTTPS-related certificate validation errors,
- 362 applications expose their Google API key,
- 23 applications expose their Amazon Web Services key, and
- 230 applications expose other API keys or client secrets.
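To make the kind of automated check behind these numbers concrete, the following is an added example of a pattern-based scanner over decompiled C# source, written for this page; it is not the project's own framework, and the page does not show how that framework downloads, extracts or decompiles packages. The scanner assumes decompiled source is already available as text, and its regular expressions (hard-coded MD5/DES/RC2/ECB use, certificate validation callbacks or ignorable certificate errors, Google `AIza...` keys, AWS `AKIA...` access key IDs, string constants named like client secrets) are assumptions about what each issue group looks like in decompiled code. The three sample "applications" are constructed inline; the AWS key is the documented AWS example key, not a real credential.

```python
"""Constructed example: pattern-based scan of decompiled C# source files.

Not the framework described on the page; rule patterns are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    group: str   # issue group, named after the page's four groups
    file: str    # path of the decompiled source file
    line: int    # 1-based line number in that file
    match: str   # the text that triggered the rule


# (issue group, regex). Each regex is an assumption about what the issue
# looks like in decompiled C#; hits are candidates for manual review.
RULES = [
    ("broken_crypto", re.compile(
        r"\bnew\s+(MD5|DES|RC2|TripleDES)CryptoServiceProvider\b"
        r"|\bMD5\.Create\(|\bCipherMode\.ECB\b")),
    ("tls_validation", re.compile(
        r"ServerCertificateValidationCallback\s*[+]?="
        r"|IgnorableServerCertificateErrors\.Add\(")),
    # Google API keys: "AIza" followed by 35 URL-safe characters (assumed format)
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics (assumed format)
    ("aws_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # string constants whose name suggests an OAuth/API secret
    ("client_secret", re.compile(
        r'(?i)\b(client_?secret|consumer_?secret|api_?secret)\s*=\s*"[^"]{8,}"')),
]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one decompiled source file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for group, rx in RULES:
            for m in rx.finditer(line):
                findings.append(Finding(group, path, lineno, m.group(0)))
    return findings


def scan_app(files: dict[str, str]) -> list[Finding]:
    """Scan all decompiled files (path -> source) of a single application."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(apps: dict[str, dict[str, str]]) -> dict:
    """Count affected applications per issue group, as in the page's list.

    An application counts once per group, however many hits it has in it.
    """
    per_group = {group: 0 for group, _ in RULES}
    affected = 0
    for files in apps.values():
        groups = {f.group for f in scan_app(files)}
        if groups:
            affected += 1
        for g in groups:
            per_group[g] += 1
    return {"apps": len(apps), "affected": affected, "per_group": per_group}


# Constructed sample input: three tiny "decompiled" applications.
SAMPLE_APPS = {
    "AppA": {
        "Services/Api.cs": '''
using System.Net;
namespace AppA.Services {
    class Api {
        // constructed key matching the assumed Google format
        const string GoogleKey = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q";
        // AWS documentation example key, not a real credential
        const string AwsAccessKey = "AKIAIOSFODNN7EXAMPLE";
        const string ClientSecret = "constructed-oauth-secret-0123";
        static Api() {
            // accepts every server certificate, defeating TLS authentication
            ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;
        }
    }
}''',
    },
    "AppB": {
        "Crypto/Store.cs": '''
using System.Security.Cryptography;
class Store {
    static byte[] Hash(byte[] d) { using (var h = MD5.Create()) return h.ComputeHash(d); }
    static readonly SymmetricAlgorithm Cipher = new DESCryptoServiceProvider { Mode = CipherMode.ECB };
}''',
    },
    "AppC": {
        "Main.cs": "class Main { static void Run() { } }",
    },
}


if __name__ == "__main__":
    for name, files in SAMPLE_APPS.items():
        for f in scan_app(files):
            print(f"{name}: {f.group} at {f.file}:{f.line}: {f.match}")
    print(summarize(SAMPLE_APPS))
```

The scanner only reports candidates: a `ServerCertificateValidationCallback` assignment is flagged whether or not the callback really returns `true`, and a matching string may be a revoked or test key. Deciding the actual impact, as the page notes, still requires looking at the hit in context.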
The impact of these issues cannot be determined automatically. It ranges from compromised user privacy, in the case of broken cryptography or insufficient transport layer security, to monetary losses for the developer when an attacker abuses a billing-enabled API key.
Following responsible disclosure principles, a publication of particular deficiencies in the investigated applications is not planned.