Chapter 7: Operating System and Device Vulnerabilities

Bypassing Code-Signing Protections

As we discussed earlier, code signing is Microsoft's answer to preventing undesired applications from being able to run on a device. It does this by requiring user interaction in the form of a press of a button to confirm execution/installation. Ironically, while the intentions were good, code signing is somewhat self-defeating because few software providers get their code signed. As a result, users are in the habit of hitting the Yes button. That said, code signing will stop remote users from installing software or prevent an application from installing additional programs--unless...

Installing Your Own Certificate

On each WM device is a certificate store that hosts a collection of preexisting root certificates. When a vendor wants to sign their software, they are encouraged to use the Mobile2Market solution provided by Microsoft because the application's certificate will match up with a root certificate. Assuming this is the case, the user is not prompted when the application is installed because it is essentially pre-approved.

While Mobile2Market is the preferred option, Microsoft also allows third parties to install their own certificates. This is useful in enterprise environments where devices are locked down to prevent users from installing unauthorized programs. However, this opens up a loophole that can be used and/or abused by an attacker, something made very easy by Microsoft thanks to the SDKSamplePrivDeveloper.spc certificates available from Visual Studio.

For an attacker to make this work, they would first have to convince their target to install the SDKCerts.cab file, which will install the necessary components into the device. Then, any executable that the attacker wants to run without interference can be signed using the following command:

    signcode /spc SDKSamplePrivDeveloper.spc /v SDKSamplePrivDeveloper.pvk target.exe

Once signed, the .exe file will have full access to the device with no prompts to the end user.

Note: Some developers have taken it upon themselves to require installation of these very same certificates in order to bypass privileged initiations. This is a very bad idea because ANY developer (good or bad) can ensure their software will also have privileged access.
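A defender-side check for the loophole described above, added here as an example and not taken from the book: it audits the provisioning XML that a CAB would apply and reports every certificate headed for a code-execution trust store that is not on an approved list. The XML layout (a CertificateStore characteristic, the store names, the EncodedCertificate parm), the function names and the sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Stores assumed to govern code execution (names are an assumption about the
# CertificateStore provisioning layout, not taken from the chapter).
EXEC_STORES = {"Privileged Execution Trust Authorities",
               "Unprivileged Execution Trust Authorities", "SPC"}


def audit_provisioning(xml_text, approved_thumbprints):
    """List certificates that a provisioning document would add to
    code-execution trust stores without being on the approved list."""
    approved = {t.lower() for t in approved_thumbprints}
    findings = []
    for cs in ET.fromstring(xml_text).iter("characteristic"):
        if cs.get("type") != "CertificateStore":
            continue
        for store in cs.findall("characteristic"):
            if store.get("type") not in EXEC_STORES:
                continue
            for cert in store.findall("characteristic"):
                blob = next((p.get("value", "") for p in cert.findall("parm")
                             if p.get("name") == "EncodedCertificate"), "")
                # Hash the certificate bytes; do not trust the declared name.
                actual = hashlib.sha1(base64.b64decode(blob)).hexdigest()
                if actual not in approved:
                    findings.append((store.get("type"), actual, "unapproved"))
                if (cert.get("type") or "").lower() != actual:
                    findings.append((store.get("type"), actual, "thumbprint mismatch"))
    return findings

def _entry(der):
    # Constructed sample entry; the bytes are placeholders, not a real cert.
    return ('<characteristic type="%s"><parm name="EncodedCertificate" '
            'value="%s"/></characteristic>'
            % (hashlib.sha1(der).hexdigest(), base64.b64encode(der).decode()))

ENTERPRISE = b"constructed-enterprise-cert"
UNKNOWN = b"constructed-unknown-cert"
SAMPLE_XML = (
    '<wap-provisioningdoc><characteristic type="CertificateStore">'
    '<characteristic type="Privileged Execution Trust Authorities">'
    + _entry(ENTERPRISE) + _entry(UNKNOWN) +
    '</characteristic><characteristic type="ROOT">' + _entry(UNKNOWN) +
    '</characteristic></characteristic></wap-provisioningdoc>')

if __name__ == "__main__":
    for f in audit_provisioning(SAMPLE_XML, [hashlib.sha1(ENTERPRISE).hexdigest()]):
        print(f)
```

An empty result means every certificate bound for an execution trust store is one the enterprise has approved; any finding is a reason to refuse the package before it reaches a device.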