Today I learned: APPX Security

Today, I was researching Metro/Modern/Store/Whatever-they-call-it-this-week (let’s just call them “Metro”) application packages. When you download a Metro app from the Microsoft Store, the app is delivered to your machine as a single .APPX file (e.g. LatestSillyFadGame.appx). So, what is an APPX file? At its heart, it is nothing more than a standard ZIP archive file that follows the Open Packaging Conventions (OPC).

OPC was published as ECMA standard 376-2 in 2006, and as ISO/IEC standard 29500-2 in 2008. OPC is also the container technology used in Microsoft’s XML Paper Specification (XPS; a better page description technology than PDF), in Microsoft Office starting with Office 2007, e.g. Word (.docx, .docm), Excel (.xlsx, .xlsm), PowerPoint (.pptx, .pptm), in Visual Studio extensions (.vsix), and so on. You can find a partial list of companies that use OPC on Wikipedia. If you change the extension of any OPC container file to .zip, Explorer will happily open it and let you operate on it like any other ZIP archive, including browsing, adding, and extracting files. (Try it on a Word .docx or .docm file.)

It may occur to some hackers that since the ZIP archive is a simple, well-known file type, they could add some malware to a package and spam the world with ridiculous ads for male enhancement pills and web sites for cheating spouses. Instant big bucks! (Hmm, I wonder if there is some collusion between them?)

Bzzzzt! Wrong! Aside from the fact that the criminal economy isn’t too different from the regular economy in that very few criminals ever make it big, the developers at Microsoft aren’t stupid: they thought about this and added integrity mechanisms that detect any tampering with an APPX package before anything inside it gets to run.

One of the goals of the Win8 application model is to provide “a trusted user experience that prevents the user from executing untrusted code that may contain viruses or malware.” Of course, this is only true on Windows RT (ARM) tablets, where the desktop only runs Microsoft-signed code; anyone running Win8 on an x86/x64 CPU can simply switch to the desktop and run all the malware they want. Oddly, there doesn’t appear to be a single group policy setting that confines the user to Metro apps; the closest thing is AppLocker, which can restrict which desktop executables are allowed to run, but that is a per-binary allow list rather than an on/off switch.

APPX packages are digitally signed (the signature lives in AppxSignature.p7x inside the package), and within the package is a file (AppxBlockMap.xml) listing every content file together with a SHA-256 hash of each 64 KB block of its uncompressed data. The block map itself is covered by the signature, so any modification of any file within the app package, whether a changed byte, a removed file, or an added one, will be detected when the package is installed, and the installation will be aborted.

The ZIP archive file format has been a de facto standard in the industry for 25 years, and it does not contain much in the way of security: each entry carries only a CRC-32, which catches accidental corruption but not deliberate edits, and certainly nothing that would prevent the addition of malware designed to make me question my manhood. However, the clever developers at Microsoft came up with a scheme for hashing not only the individual files within a ZIP archive, but also the structure of the files and directories within the archive, all without making any changes to the ZIP file format.

This security mechanism provides a means to fingerprint (using a cryptographic hash) both the content and the structural elements of a signed ZIP archive. The resultant signature contains hashes of each file within the archive (via the block map) along with hashes of the overall archive, including structure elements (such as local file headers, data descriptors, and the central directory) that are part of the ZIP archive but not part of the actual content files. This allows validation of either just the content of the archived data files, or of the entire ZIP archive including file format structures that are external to the content data. Thus, if a file was tampered with, added, renamed, or removed after the archive was signed, the AppX deployment service (AppXSvc) will detect this when the package is being installed and abort the installation.

During the installation of a Metro app, the contents of the APPX file are extracted to C:\Program Files\WindowsApps\<package full name> and each of the signatures and hashes is checked. Any extra files that are not listed in the block map are deleted, and the extracted files are protected by an ACL that gives ordinary users and administrators read access only. Finally, the APPX file is deleted because it is no longer needed, so there is no installed copy of it to infect afterwards. So, you’re not going to find any APPX files lying around your system to experiment upon; however, you can download a sample Metro app from the Microsoft Sample Gallery and build it with Visual Studio, or use the MakeAppx.exe tool in the Windows SDK, if you have a burning need to play around with one.

If you want to learn about any errors regarding APPX package deployment on your system, you can use the Event Viewer:

  1. Bring up the Computer Management window by right-clicking in the bottom left corner of your monitor (or pressing Win+X) and selecting Computer Management from the context menu.
  2. Open the following path (left-click on the little triangle next to each): Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server
  3. Select the Microsoft-Windows-AppXDeploymentServer/Operational log. Failed deployments show up there as Error events. (PowerShell’s Get-WinEvent cmdlet can read the same log by that name if you prefer a console.)