Skip to main content

Windows Mobile Application Security Testing - Part 3

In this blog post will going to learn how will perform Dynamic analysis on Windows phone 8 Mobile applications. Previous article we learned WP8 applications and sideloading developer signed apps.

Dynamic Analysis

Dynamic analysis is way to audit any mobile applications communication which application can communicate or give away data in two way communicating with server or storing to and loading from device storage. We can dive into how to intercept request using proxy tool and how to analysis isolated storage data into device. We can analysis traffic between device and server by intercepting and modifying parameter. For application storage we can just observe the results the data that application has saved.

OWASP Zed Attack Proxy (ZAP)

Most of them are familiar with Zap proxy and using while doing Application penetration testing. Zap proxy is powerful proxy tool for intercepting traffic between client and server. It is open source tool. You can download from here.

Intercept HTTP and HTTPS Traffic

In order to setup zap proxy and intercept request you have to install zap proxy properly. It is important to connect you system and device with same wifi network.

Check your system IP address, if you connected with Wifi you should also connect your device with same Wifi.

Now you have to put your interface IP address inside zap proxy setting. Go to Tools > Options (Ctrl+Alt+O) > Local proxy

Address would be your system interface IP address (in my case

Port you can put as 8080

Now open you device and go to setting > WiFi > select your connected wifi network.

Turn on Proxy and provide your system interface IP i.e in Server/URL, 8080 in port and save the setting.

Installing Certificate

It is very important to install ZAP certificate inside your device to intercept HTTPS enabled applications. Without certificate you can’t intercept the HTTPS request and response. In order to install certificate first you have to export certificate from ZAP and then install certificate by sending certificate into device using e-mail. You can also install certificate using SD card but it may not work properly.

Export the certificate from zap. Go to Tool > Options > Dynamic SSL Certificates (Ctrl+Alt+O). Now save the certificate .

Fig 6. ZAP SSL Certificate

Now you can save this certificate and send certificate using any E-mail. In device download certificate from the attached file. Make sure that the certificate extension should be .cer

And then install the certificate.

In windows phone you can only install any one certificate at a time. Also WP8 does not provide a way to delete it later on.

After installing ZAP certificate you can able to intercept HTTPS enabled applications in your devices.

Most of peoples are comfortable with Burp proxy. In similar way you can also setup BurpProxy and certificate.

But many time burp certificates are not work properly, in this case you can use ZAP outgoing proxy to divert all HTTP/HTTPS request and response traffic via burp proxy.

Go to Tools > Options (Ctrl+Alt+O) > Connection and use proxy chain.

Provide Burp proxy interface in address/Domain and port.

Now you can able to intercept any application in device in order to do dynamic analysis.

Conclusion :

In this article we learned how we setup proxy with Windows Phone and intercept HTTPS request and response in order to perform Dynamic analysis on applications. Next article we learn analysis of Isolated storage or windows internal file system using Windows power tool.