Windows Mobile Application Security Testing - Part 2

Previous article we learned about the windows phone 8 security basics and their features. In this article we’ll going to learn about windows phone 8 applications and sideloading developer signed app in device.

About XAP Files

XAP is the file format used to distribute and install application software and middleware onto Microsoft's Windows Phone 7/8 operating system, and is the file format for Silverlight applications. Beginning with Windows Phone 8.1, XAP will be replaced by APPX as the file format used to install apps on the Windows Phone platform, a move which was done by Microsoft in order to unify the app development platforms for Windows Store apps and Windows Phone apps.

XAP files are ZIP file formatted packages. The MIME type associated with XAP files is application/x-silverlight-app.

If you downloaded app from store and wants to unzip then you can’t able to do so. It's because microsoft signed every app with DRM encryption. However if the app is developer signed then you can easily unzip the XAP file.

Encrypted and Unencrypted XAP file

The difference between a XAP file from the app store and an unencrypted XAP can be inspected by opening the XAP file headers in text editor. A limitation of encrypted XAP files downloaded from the app store is that they cannot run in emulators. When conducting penetration tests of a windows Phone application using emulators it's is required to obtain the XAP files of the application compiled by the developer, not from the Windows Store.

After some google search I found Youtube XAP unencrypted XAP file from xda-developers forum which help us to understand the Encrypted and Unencrypted applications and difference between them.

Sideloading developer signed app

If you want to perform security testing on your client applications in un-rooted devices then you have to ask them for their developer signed app and by sideloading the App you can able to perform dynamic as well as static analysis.

If you downloaded or installed app from store you will only able to perform dynamic analysis on the app. To perform analysis into internal file system (Isolated storage only) you need to get the developer signed app. Later blog post we will learn inspection of isolated storage.

You can sideload your developer signed app using Application Deployment app which will installed in your system while installing SDK.

Search in your system for “Application Deployment” and open the application. In case you would not found the app then you can use the system path C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment located, where you can run XapDeploy.exe .

You can use any developer signed app and sideload app in your device using this application.

Windows Power Tool.

Windows power tool is very useful while doing pentesting on WP8 application. It is developed for the developers to deploy application, testing the app, check isolated storage and other useful functions. You can download this application from codeplex.

However many time I face below error while installing Windows Power tool, may you can also face the same issue.

So it's better to install offline file which you can find from XDA Developer forum. Download the WPPowerToolsStandaloneAmir.zip file and extract the file.

Now run the WindowsPhonePowerTools.exe file.

In order to connect your device with windows power tool you have to unlock your screen and then click on Connect.

After you have successfully connected with windows power tool you can able to install your developer XAPs file and other useful task able to perform for analysis the application.

Deploy XAPs easily with WPV Xap Deployer

Project My Screen App

Microsoft has developed application for users to project phone screen to an external display which can using USB cable and connect with system to project phone display on systems.

This app is useful for us while doing pentesting on Windows mobile application to get the display on our system.

You can download application from Microsoft site Project My Screen App

Conclusion :

In this article we understanding of how WP8 applications are packaged and distributed. Also we now know the sideloding developer signed app into device. Next article will learn how will do dynamic analysis on WP8 application using Device.