Microsoft Security Assurance
Application Penetration Test
Project: Power Apps API, Android, iOS
Power Platform
March 27th, 2024
Mobile Application Penetration Test
Page 1 of 10
March 27, 2024 | Proprietary & Confidential
NetSPI Proprietary and Confidential
Contents
Chapter 1 | Project Summary ...... 2
1.1 Project Objectives ...... 2
1.2 Scope & Timeframe ...... 2
1.2.1 Application Binaries ...... 2
1.2.2 Application Servers ...... 3
1.3 Summary of Findings ...... 4
Chapter 2 | Technical Summary ...... 6
2.1 Overview ...... 6
Appendix A | Mobile Application Penetration Test Methodology ...... 8
Appendix B | Risk Management Approach Overview ...... 10
Chapter 1 | Project Summary
NetSPI performed an analysis of Microsoft Corporation's Power Apps application to identify vulnerabilities, determine the level of risk they present to Microsoft, and provide actionable recommendations to reduce this risk. NetSPI compiled this report to provide Microsoft with detailed information on each vulnerability discovered within the Power Apps application, including potential business impacts and specific remediation instructions.
1.1 Project Objectives
NetSPI's primary goal within this project was to provide Microsoft with an understanding of the current level of security in the Power Apps application.
NetSPI completed the following objectives to accomplish this goal:
• Identifying application-based threats to and vulnerabilities in the application
• Comparing Microsoft's current security measures with industry best practices
• Providing recommendations that Microsoft can implement to mitigate threats and vulnerabilities and meet industry best practices
1.2 Scope & Timeframe
Testing and verification were performed between March 18, 2024 and March 22, 2024. The scope of this project was limited to the non-production version of the Power Apps application and the specific infrastructure on which the application resides. All other applications and servers not listed below were out of scope. All testing and verification was conducted from outside of Microsoft's offices.
1.2.1 Application Binaries
The following tables provide details of the application binaries that were in scope for testing:
DESCRIPTION | VALUE
Application Name | Power Apps
Operating System | Android
Application Package Name | com.microsoft.msapps
Version Name | 3.24032.2
Version Code | 3454328
SHA256 | 69f4ff80daa3093ae2700081e24445df468012a6804002e3f485a549e818f173
TABLE 1: ANDROID APPLICATION DETAILS
DESCRIPTION | VALUE
Application Name | Power Apps
Operating System | iOS
Application Package Name | com.microsoft.msapps
Version Name | 3.24032.2
Version Code | 3454331
SHA256 | 41017f48ecfdd77564b2493330f40333980a7d035ec7191bf4762b0b2e644170
TABLE 2: IOS APPLICATION DETAILS
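The scope tables above identify each build by package name, version and SHA-256. As an added example (not part of the NetSPI report), the following Python transcribes those entries and checks a delivered binary against them before testing begins, so that every finding is tied to the scoped build and a retest can show whether the binary changed. The function names and the stand-in file written in the demo are constructed for illustration; the SCOPE values are copied from Tables 1 and 2.

```python
"""Confirm that the binaries under test are the builds named in the scope tables.

Added example, not part of the NetSPI report. SCOPE is transcribed from
Table 1 (Android) and Table 2 (iOS); the helper names and the sample file
written in the demo are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# In-scope builds, transcribed from Table 1 (Android) and Table 2 (iOS).
SCOPE = {
    "android": {
        "package": "com.microsoft.msapps",
        "version_name": "3.24032.2",
        "version_code": "3454328",
        "sha256": "69f4ff80daa3093ae2700081e24445df468012a6804002e3f485a549e818f173",
    },
    "ios": {
        "package": "com.microsoft.msapps",
        "version_name": "3.24032.2",
        "version_code": "3454331",
        "sha256": "41017f48ecfdd77564b2493330f40333980a7d035ec7191bf4762b0b2e644170",
    },
}


def validate_scope(scope: dict) -> list:
    """Return the platforms whose transcribed digest is not 64 hex characters.

    A dropped or doubled character in the scope table would otherwise make
    every comparison fail for a reason unrelated to the binary itself.
    """
    return [name for name, entry in scope.items()
            if not HEX64.match(entry["sha256"].lower())]


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256; mobile binaries can be hundreds of MB."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_binary(path: str, platform: str, scope: dict = SCOPE) -> dict:
    """Compare a binary on disk with the scoped build for its platform.

    Returns a record instead of raising so a wrapper can report every
    platform and still refuse to start testing on any mismatch.
    """
    expected = scope[platform]["sha256"].lower()
    actual = sha256_file(path)
    return {
        "platform": platform,
        "package": scope[platform]["package"],
        "version_code": scope[platform]["version_code"],
        "expected_sha256": expected,
        "actual_sha256": actual,
        "in_scope": actual == expected,
    }


if __name__ == "__main__":
    assert not validate_scope(SCOPE), "scope table digests are malformed"
    # Constructed stand-in for a delivered APK; it will not match the scoped build.
    with tempfile.NamedTemporaryFile(suffix=".apk", delete=False) as tmp:
        tmp.write(b"PK\x03\x04 constructed sample, not the real Power Apps APK")
        sample = tmp.name
    try:
        result = check_binary(sample, "android")
        status = "IN SCOPE" if result["in_scope"] else "MISMATCH - do not test this build"
        print(f"{result['platform']}: {status}")
        print(f"  expected {result['expected_sha256']}")
        print(f"  actual   {result['actual_sha256']}")
    finally:
        os.unlink(sample)
```

The digest is compared case-insensitively because scope tables are often pasted from tools that emit uppercase hex, and the scope entries are validated once up front so a transcription error is reported as such rather than as a mismatched binary.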
1.2.2 Application Servers
The following table lists the application servers that were in scope for testing:
HOSTNAMES
https://api.powerapps.com
https://ce4e37b60c094d31afa724c9403698.6b.tenant.api.powerplatform.com
https://content.powerapps.com
https://create.powerapps.com
https://defaultce4e37b60c094d31afa724c9403698.6b.environment.api.powerplatform.com
https://login.microsoftonline.com
https://make.powerapps.com
https://powerapps.microsoft.com
https://preview.content.powerapps.com
https://pwrappscdn.azureedge.net
https://unitedstates-002.azure-apim.net
https://unitedstates-002.consent.azure-apim.net
https://unitedstates.api.powerapps.com
TABLE 3: APPLICATION SERVERS
1.3 Summary of Findings
NetSPI's assessment of the Power Apps application revealed the following vulnerabilities:
• 1 medium severity vulnerability
• 6 low severity vulnerabilities
• 3 informational severity vulnerabilities
VULNERABILITY NAME | SEVERITY | OWASP | MICROSOFT COMMENTS
Missing Local Authentication - Mobile Application | Medium | M4-Insecure Authentication | Remediated/Fixed
Information Disclosure - Keychain Storage | Low | M2-Insecure Data Storage | By design. Low severity, acceptable risk
Information Disclosure - Mobile Application Storage | Low | M2-Insecure Data Storage | By design. Low severity, acceptable risk
JWT - Excessive Token Lifetime | Low | M4-Insecure Authentication | By design. Low severity, acceptable risk
OAuth 2.0 - Insufficient Refresh Token Invalidation | Low | M4-Insecure Authentication | By design. Low severity, acceptable risk
Weak Configuration - SSL/TLS - Deprecated Protocol | Low | M3-Insecure Communication | By design. Low severity, acceptable risk
Weak Configuration - SSL/TLS - Weak Encryption Ciphers | Low | M3-Insecure Communication | By design. Low severity, acceptable risk
Weak Configuration - Android - Low Minimum SDK Version | Informational | M1-Improper Platform Usage | By design. Low severity, acceptable risk
Weak Configuration - iOS - | Informational | M3-Insecure Communication | By design. Low severity, acceptable risk
Weak Configuration - iOS - Low Minimum OS Version | Informational | M1-Improper Platform Usage | By design. Low severity, acceptable risk
TABLE 4: FINDINGS SUMMARY
Chapter 2 | Technical Summary
2.1 Overview
The detailed findings section contains the analysis and documentation of the vulnerabilities identified within the Power Apps application. This analysis included:
• Identifying potential vulnerabilities associated with the Power Apps application
• Assigning appropriate severity rankings to valid vulnerabilities and risks
• Formulating useful action-based recommendations that can improve the security posture of the IT environment
Vulnerabilities are grouped according to severity. Information for each of the vulnerabilities includes the following:
Name: The name of the vulnerability.
Severity: Each of the vulnerabilities has been assigned a severity based on its CVSS score. The following table summarizes the five severity levels:
CVSS | SEVERITY | DESCRIPTION
9.0 – 10.0 | Critical | Vulnerability will result in complete compromise of the affected applications or systems. The vulnerability can be exploited remotely by an unauthenticated user.
7.0 – 8.9 | High | Vulnerabilities that may result in significant unauthorized access to sensitive data or system or application functionality. Successful exploitation of the vulnerability is likely to require authentication or depends on conditions beyond the attacker's control.
4.0 – 6.9 | Medium | Vulnerabilities that may result in partial compromise of confidentiality, integrity, and availability.
0.1 – 3.9 | Low | Security flaws that can contribute to additional attacks against the system or application but do not, by themselves, allow unauthorized access to targeted systems or applications.
0.0 | Informational | Security best practices that do not have direct or immediate impact to system or application security.
TABLE 5: SEVERITY REFERENCES
CVSS Score: This field contains the CVSS (Common Vulnerability Scoring System) Version 3.1 Base score as well as the scoring vector used to generate the score. Complete documentation of CVSS can be found at http://www.first.org/cvss.
OWASP Web Category: Reference to the OWASP Top 10 web application security risk categories (2021).
OWASP Mobile Category: Reference to the OWASP Mobile Top 10 application security risk categories (2016).
Affected Assets and Services: Specific assets and associated services on which the vulnerability was found.
Vulnerability Details: Comprehensive explanation of the vulnerability that was found, including a high-level summary of how the vulnerability works.
Business Impact: This describes the potential business impact of the vulnerability, should it be exploited.
Recommendation: NetSPI's solution for repairing the vulnerability or mitigating the problem if no fix is yet available.
Affected URLs and Parameters: URLs and parameters associated with the finding, if applicable.
Verification: Screenshot or sample data from one instance of the finding showing how NetSPI has verified the finding manually, when possible.
References: These are other resources that have more information on the vulnerability.
Appendix A | Mobile Application Penetration Test Methodology
The following sections provide an overview of the Mobile Application Penetration Test.
Information Gathering
During each Mobile Application Penetration Test, NetSPI first works with the client to define project requirements and goals, identify areas of risk and concern, and gather the information necessary to assess the application. An application walkthrough is performed with the client to help NetSPI better understand the application's architecture and business logic requirements, as well as to align expectations in terms of the testing approach. This information is used by the primary consultant and supporting team members to develop a test plan. This test plan is used as a basis for assessing the application and serves as a quality assurance measure.
Testing and Evaluation
NetSPI assesses the client's application for known security vulnerabilities from the perspectives of anonymous and authenticated users. If multiple user types exist, testing is performed for each type. During the assessment, manual and automated processes are followed that leverage commercial, open source, and proprietary software. All automated test results are manually verified to reduce false positives. NetSPI also conducts manual testing to identify data flow, business logic, and access control issues. The assessment includes testing for OWASP Top 10 web and mobile application vulnerabilities. Descriptions of the OWASP Mobile Top 10 (2016) categories are included in the table below.
CATEGORY | DESCRIPTION
M1 - Improper Platform Usage | This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk.
M2 - Insecure Data Storage | This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.
M3 - Insecure Communication | This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.
M4 - Insecure Authentication | This category captures notions of authenticating the end user or bad session management. This can include:
− Failing to identify the user at all when that should be required
− Failure to maintain the user's identity when it is required
− Weaknesses in session management
M5 - Insufficient Cryptography | The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.
M6 - Insecure Authorization | This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.). If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.
M7 - Client Code Quality | This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
M8 - Code Tampering | This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.
M9 - Reverse Engineering | This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property.
M10 - Extraneous Functionality | Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.
Data Analysis
All of the data collected is consolidated and analyzed using the NetSPI Resolve™ platform. Additional research is conducted to identify known vulnerabilities for individual application components. After identifying, analyzing, and prioritizing vulnerabilities, NetSPI formulates recommendations for mitigating each of these security issues. During this phase, supporting team members walk through the test plan with the primary consultant to ensure the integrity of the results. A report containing findings and recommendations is then generated by the primary consultant and put through both technical and stylistic review by supporting team members, as well as through a final review by the engagement manager.
Basis for Opinions
NetSPI, through its experience, has worked to interpret regulations and industry standards, such as National Institute of Standards and Technology (NIST) standards, the Open Web Application Security Project (OWASP) guidelines, the MITRE ATT&CK® framework, and the Payment Card Industry Data Security Standard (PCI DSS), recognize security best practices, and apply these within the context of Microsoft's IT environment.
Collaboration
In this phase, NetSPI presents an overview of the findings and delivers the preliminary report to the Microsoft project team. NetSPI reviews the application's strengths and weaknesses with Microsoft and discusses the recommendations for addressing security deficiencies. Microsoft will have an opportunity to provide feedback and guidance for report revisions and the final presentation.
Presentation
After an agreed-upon timeframe, NetSPI finalizes the report, incorporating any feedback from Microsoft. The final version of this document is delivered in all required formats and to all required parties.
Appendix B | Risk Management Approach Overview
This section provides an overview of the risk management approach used by NetSPI during the project.
1. NetSPI worked with the client to identify the individuals from both sides that needed to be involved in or made aware of the project. In the event of an issue, good communication helps ensure that emergency reactions to testing activities are not made; ad-hoc system changes during the test may invalidate test results and result in a service disruption.
2. NetSPI worked with the client to identify potential areas of risk that relate to the networks, systems, and applications that were tested directly or could be affected by testing.
3. NetSPI and the client created and executed on action items to address the identified areas of risk. Responsibilities were assigned to both teams.
4. NetSPI and the client created an escalation procedure that included a calling tree to address and reduce the impact of potential incidents. Calling trees typically include up to three contacts from NetSPI and the client to ensure that the appropriate action can be taken as soon as possible.
© 2024, NetSPI
This confidential document is produced by NetSPI for the exclusive use of Microsoft. All rights reserved. Duplication, distribution, or modification of this document by anyone other than Microsoft without prior written permission of NetSPI and Microsoft is prohibited.
NetSPI is not responsible for changes made by Microsoft or its agents to the original report delivered to Microsoft, or derivative works of that report made by Microsoft. All trademarks used in this document are the properties of their respective owners.