Windows Mobile Application Security Testing - Part 2

In the previous article we learned about Windows Phone 8 security basics and features. In this article we'll learn about Windows Phone 8 applications and sideloading a developer-signed app onto a device.

About XAP Files

XAP is the file format used to distribute and install application software and middleware onto Microsoft's Windows Phone 7/8 operating system, and is the file format for Silverlight applications. Beginning with Windows Phone 8.1, XAP will be replaced by APPX as the file format used to install apps on the Windows Phone platform, a move which was done by Microsoft in order to unify the app development platforms for Windows Store apps and Windows Phone apps.

XAP files are ZIP file formatted packages. The MIME type associated with XAP files is application/x-silverlight-app.

Fig 1. Unzipped XAP file 

If you download an app from the store and try to unzip it, you will not be able to. This is because Microsoft signs every app with DRM encryption. However, if the app is developer signed, you can easily unzip the XAP file.

Encrypted and Unencrypted XAP file

The difference between a XAP file from the app store and an unencrypted XAP can be seen by opening the XAP file headers in a text editor. A limitation of encrypted XAP files downloaded from the app store is that they cannot run in emulators. When conducting penetration tests of a Windows Phone application using emulators, you must obtain the XAP files of the application as compiled by the developer, not from the Windows Store.

Fig 2. Encrypted XAP file
Fig 3. Unencrypted XAP file

After some Google searching I found an unencrypted YouTube XAP file on the xda-developers forum, which helps us understand encrypted and unencrypted applications and the difference between them.
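The header check described above can be scripted. The following is an added example, not code from the original post: it treats a XAP that begins with the ZIP local-file-header signature as an unencrypted, developer-style package and summarises its WMAppManifest.xml, and reports anything else as unreadable. The sample package, manifest values and the non-ZIP bytes are constructed for illustration; the function names are hypothetical.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # signature of the first ZIP local file header

# Constructed sample manifest, reduced to the fields read below.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_CONTACTS" />
    </Capabilities>
  </App>
</Deployment>"""

def build_sample_xap() -> bytes:
    """Create a small developer-style (plain ZIP) XAP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WMAppManifest.xml", SAMPLE_MANIFEST)
        z.writestr("SampleApp.dll", b"MZ constructed placeholder")
    return buf.getvalue()

def inspect_xap(data: bytes) -> dict:
    """Report whether a XAP is a readable ZIP and summarise its manifest."""
    result = {"readable": False, "files": [], "title": None, "capabilities": []}
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not a plain ZIP, e.g. a store-encrypted package
    with zipfile.ZipFile(io.BytesIO(data)) as xap:
        result["readable"] = True
        result["files"] = xap.namelist()
        if "WMAppManifest.xml" in result["files"]:
            root = ET.fromstring(xap.read("WMAppManifest.xml"))
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                if tag == "App":
                    result["title"] = el.get("Title")
                elif tag == "Capability":
                    result["capabilities"].append(el.get("Name"))
    return result

if __name__ == "__main__":
    print(inspect_xap(build_sample_xap()))
    print(inspect_xap(b"\x00\x01 constructed non-ZIP bytes"))
```

The declared capabilities give a quick view of what the app can reach on the device before any dynamic testing starts.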

Sideloading developer signed app

If you want to perform security testing on your client's applications on un-rooted devices, you have to ask the client for the developer-signed app. By sideloading the app you can perform dynamic as well as static analysis.

If you downloaded or installed the app from the store, you will only be able to perform dynamic analysis on it. To analyse the internal file system (isolated storage only) you need the developer-signed app. In a later blog post we will learn how to inspect isolated storage.

You can sideload your developer-signed app using the Application Deployment app, which is installed on your system along with the SDK.

Search your system for “Application Deployment” and open the application. If you cannot find the app, go to the path C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment, where you can run XapDeploy.exe.

Fig 4. Application Deployment App

You can sideload any developer-signed app onto your device using this application.

Windows Power Tool

Windows Power Tool is very useful when pentesting WP8 applications. It was developed for developers to deploy and test applications, check isolated storage, and perform other useful functions. You can download it from CodePlex.

However, many times I faced the error below while installing Windows Power Tool; you may face the same issue.

Fig 5. Windows Power Tool Error 

So it's better to install from the offline file, which you can find on the XDA Developers forum. Download the file and extract it.

Now run the WindowsPhonePowerTools.exe file.

Fig 6. Windows Power Tool

To connect your device to Windows Power Tool, unlock your screen and then click Connect.

Once you have connected successfully, you can install your developer XAP files and perform other useful tasks for analysing the application.

Fig 7. Windows Power tool feature.

Deploy XAPs easily with WPV Xap Deployer

Project My Screen App

Microsoft has developed an application that lets users project the phone screen to an external display: the phone connects to the system with a USB cable and its display is shown on the system.

This app is useful when pentesting Windows mobile applications, as it shows the device display on our system.

You can download the application from the Microsoft site: Project My Screen App

Fig 8. Project My screen Application.

Conclusion

In this article we gained an understanding of how WP8 applications are packaged and distributed. We also now know how to sideload a developer-signed app onto a device. In the next article we will learn how to do dynamic analysis of a WP8 application using a device.



  12. The market share of mobile user devices will certainly increase in the next five to ten years and the risks are also expected to increase in number and complexity so it's better for us to be prepared and be knowledgeable about this. If we choose to ignore it, malicious applications might pose a bigger threat and hurt and it would be shocking if we are not yet ready to face all of this.


  15. Mobile device security is a very serious issue. You cannot be 100% sure whether your phone can be hacked by someone.


  21. I am new to mobile app security
    so can you help me out learning the moblizer
    can you help me out in performing reverse engineering
