Breaking

(In-)secure SD cards on WP8.1

During our first year of testing Windows Phone 8 applications we had yet another, let’s say: “surprising” finding. It all started with the first approaches on pentesting mobile applications on that  new and rather closed platform. Lacking jailbreak, root, and similar approaches we had a closer look at alternate approaches to have a look at an apps interior. We quickly hooked onto using modified firmwares (with deeper system access) and found a perfect solution in a little flaw concerning the handling of SD cards in WP8.1. A flaw that was, sadly for us, fixed silently….


A quick disclaimer: this post was supposed to be one little round of bashing, turns out they kind of fixed it 🙁
We initially worked with with a Huawei Ascend W1. This device got broken soon after its release, via access to the SoCs  boot loader. Being able to install a custom image offered direct access to the phones file system. The first tries weren’t,  as I must admit, very comfortable and time effective but still they worked.
Shortly after the release of Windows Phone 8.1 we gave the SD card a try and as it turned out, it offered an easy way of seeing the whole application directory including the binary, local files and temporary data. While writing the first reports, we had various findings where we had to decide if there was a difference weather the app was installed on the SD card or the internal memory.  To be able to give any recommendations on how, when and if to use the SD card, we had to take a closer look at how it could be used in which scenario. (The fact that we were able to use the cards for testing might give you a hint to what the final result of this post will be.)
The golden way of course is to get some official documentation and see what Microsoft has to say.

Removable storage protection

Many Windows Phone devices have an SD card slot that allows users to store apps and data on an SD card (the installation of apps on an SD card is a new feature in Windows Phone 8.1). Windows Phone stores the apps on an encrypted SD card partition that is specifically designated for apps. This feature is always enabled, so there is no need to explicitly set a policy to have this level of protection.

The Disable removable storage card policy prevents users from using SD cards altogether, but the primary advantage to the new SD card app partition encryption feature is that you can give users the flexibility to use an SD card while still protecting the confidential apps and data on the SD card.

Note
Windows Phone stores personal content (like photos and videos) on the SD card in an unencrypted partition so that the user can access the SD card on other devices and share content with others.

If SD card use is enabled, users can sideload apps and upload data from the card. They can use this functionality to install apps that might be accessible by your MDM system, as well, but any apps installed from the SD card must be signed by the Windows Phone Store or your organization’s certificate.

Note
To sideload an app from an SD card, the device must be unlocked, which you can prevent by setting the Disable development unlock (side loading) policy. For more information about the Disable removable storage card policy, see “Security-related policy settings” later in this guide.

( Source: http://download.microsoft.com/download/B/9/A/B9A00269-28D5-4ACA-9E8E-E2E722B35A7D/Windows-Phone-8-1-Security-Overview.pdf )

This actually sounds rather good. Storing all app data on an encrypted partition even sounds safer than installing the app on the internal memory. Well, it can’t be removed as easily but having a dedicated encrypted partition sounds sweet. So let’s have a closer look…
This is the device we used:

  • Lumia 630 (white)
  • Full factory reset
  • Added Live account
  • Setup WiFi
  • 8GB micro SD card with empty partition table
  • Formatted SD card in the phone

The following screenshots show the “storage sense” app before and after inserting the SD card. WP8 is configured to store all future data on the card, which means unprotected for all ‘personal content’, just as described in MS’s documentation.

WP8.1 Storage Sense + SDWP8.1 Storage Sense + SD
(A quick note on protection, still the only way to enable device encryption is via policy. So a non-corporate device will probably be unencrypted! The classical excuse “we don’t encrypt our app’s data because it’s safe on the user’s device doesn’t count!)

When reading the SD card we see the following folder and partition structure:

  • SD root
    • Documents
    • Downloads
    • Music
    • Pictures
    • Videos
    • WPSystem
      • AppData
        • Local
        • Packages
      • AppRepository
      • Apps
        • WindowsApps
          • Deleted
        • SharedData
        • WPAppSettings.dat
        • WPSettings.dat

 

No encrypted partition to be seen, so we’ll just install some other random app. Maybe it’ll dynamically be created when it’s needed.
And the result is:

  • SD root
    • WPSystem
      • AppData
        • {DBAC6766-4B31-47C1-B4CE-92D6292206A0}

And still no special partition, even worse we can simply access the applications folders and files.
Here’s the respective section from the Microsoft documentation:
Windows Phone stores the apps on an encrypted SD card partition that is specifically designated for apps. This feature is always enabled, so there is no need to explicitly set a policy to have this level of protection.

Well, instead of being protected the data is sitting duck.


 

It >>was<< sitting duck.
I’ve had this blogpost in my head since the day WP8.1 was released and have been using this flaw in pentests quite a few times. Sadly…luckily…sadly…MS seems to have partially fixed the flaw. I’m not sure when exactly the change occurred (it must have been some time in November) and have neither been able to find any proper documentation nor can I actually remember having installed some explicit update on the devices. I myself only found out about the fix, due to wanting to prepare “a quick PoC” for this blogpost.
Still, instead of having the magical partition, we’ve got file based encryption in place now. The folder structures and filenames can still be seen, but when opening a file there’s only binary jibber jabber. This is actually the same state as I know from encrypted devices with SD cards in use.
Together with enabling encryption, the storage target for files and apps does not switch to SD card by default anymore.
If you want to check if your device will encrypt the data on the SD card, you just need to install a single application to the SD card, and pop the SD card into your PC. When browsing through the WPSystem folder, open some file of a type you know (i.e.  .png, .xml) and try to open it. If everything’s ok you should run into some error (as the program won’t be able to understand the encrypted content). Best try it with two or three files, just to be sure you didn’t select a file which is encrypted by the app itself.

So, finally, there is no encrypted partition for apps on SD cards in WP8.1 devices. Still an app’s files are all individually encrypted, at least in the interim. All ‘personal data’ is fully unprotected, even on devices with encryption in place.
And my bashing failed 🙁

If you’re interested in further first-hand intel on WP8.1, its features, fails and magic, you might want to attend this year’s TROOPERS workshop “Hacking Mobiles Vol. 2.2 – Phones with Windows”.

Brian

Comments

  1. Nice one MS! Got this challenge as well. We are rolling out Lumia Devices (635 and 630 in particular) as “cheap” smartphones in our company. One big problem is the non existing encryption of SD cards, as you mentioned. You can either block the card slot with MDM or life with it.

    Microsoft has some “voodoo” going on with this. Did some research the past few weeks and MS tells us in some whitepapers, that there actually is encryption on SD cards. But nope, i’ve never seen it either!

    Time will tell if WinPhone10 kicks in for SD card encryption. 😀

    1. Hi there,

      does that actually mean, that you haven’t even seen encryption on the WPSystem directory when encryption was activated via MDM!?
      Because that actually seemed to have worked in my test scenarios (starting from WP8.1).

      Brian

  2. Now I am start to guess why my apps on sd card are inaccessible after external backup/format/restore of the sd card. Stupid Wp8.1 is probably not able to decrypt the files in Wpsystem folder.

Comments are closed.