Windows Mobile Application Security Testing - Part 3


In this blog post will going to learn how will perform Dynamic analysis on Windows phone 8 Mobile applications. Previous article we learned WP8 applications and sideloading developer signed apps.

Dynamic Analysis


Dynamic analysis is way to audit any mobile applications communication which application can communicate or give away data in two way communicating with server or storing to and loading from device storage. We can dive into how to intercept request using proxy tool and how to analysis isolated storage data into device. We can analysis traffic between device and server by intercepting and modifying parameter. For application storage we can just observe the results the data that application has saved.

OWASP Zed Attack Proxy (ZAP)


Most of them are familiar with Zap proxy and using while doing Application penetration testing. Zap proxy is powerful proxy tool for intercepting traffic between client and server. It is open source tool. You can download from here.


Fig 1. ZAP proxy tool.

Intercept HTTP and HTTPS Traffic


In order to setup zap proxy and intercept request you have to install zap proxy properly. It is important to connect you system and device with same wifi network.

Check your system IP address, if you connected with Wifi you should also connect your device with same Wifi.


Fig. 2 System interface IP address.


Now you have to put your interface IP address inside zap proxy setting. Go to Tools > Options (Ctrl+Alt+O) > Local proxy

Address would be your system interface IP address (in my case 192.168.198.1)

Port you can put as 8080


Fig 3. ZAP proxy setup.


Now open you device and go to setting > WiFi > select your connected wifi network.


Fig 4. Device Wifi


Turn on Proxy and provide your system interface IP i.e 192.168.198.1 in Server/URL, 8080 in port and save the setting.


Fig 5. Device Wifi Setup.


Installing Certificate


It is very important to install ZAP certificate inside your device to intercept HTTPS enabled applications. Without certificate you can’t intercept the HTTPS request and response. In order to install certificate first you have to export certificate from ZAP and then install certificate by sending certificate into device using e-mail. You can also install certificate using SD card but it may not work properly.

Export the certificate from zap. Go to Tool > Options > Dynamic SSL Certificates (Ctrl+Alt+O). Now save the certificate .




Fig 6. ZAP SSL Certificate

Now you can save this certificate and send certificate using any E-mail. In device download certificate from the attached file. Make sure that the certificate extension should be .cer


Fig 7. Attached ZAP certificate in Mail.

And then install the certificate.


Fig 8. Certificate Installation.


In windows phone you can only install any one certificate at a time. Also WP8 does not provide a way to delete it later on.

After installing ZAP certificate you can able to intercept HTTPS enabled applications in your devices.

Most of peoples are comfortable with Burp proxy. In similar way you can also setup BurpProxy and certificate.

But many time burp certificates are not work properly, in this case you can use ZAP outgoing proxy to divert all HTTP/HTTPS request and response traffic via burp proxy.

Go to Tools > Options (Ctrl+Alt+O) > Connection and use proxy chain.


Fig 9. Setup Proxy Chain.

Provide Burp proxy interface in address/Domain and port.




Fig 10. Burp Proxy


Fig 11. Intercept Facebook App HTTPS.

Now you can able to intercept any application in device in order to do dynamic analysis.

Conclusion :


In this article we learned how we setup proxy with Windows Phone and intercept HTTPS request and response in order to perform Dynamic analysis on applications. Next article we learn analysis of Isolated storage or windows internal file system using Windows power tool.

Comments

  1. It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing.
    Window Replacement

    ReplyDelete
  2. As per the increased number of mobile data breaches, it becomes important to avail mobile security solutions to protect it from undefined attacks. Thank you for sharing a very nice blog about window mobile application security testing as you have described each and everything very nicely.
    Avyaan

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. Amazing content. I bookmarked it for future reference.



    apple iphone development

    ReplyDelete
  5. Pretty article! I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing..
    Mobile App Development Company
    Android app Development Company
    ios app development Company
    Mobile App Development Companies

    ReplyDelete

Post a Comment

Popular posts from this blog

Windows Mobile Application Security Testing - Part 1

Windows Mobile Application Security Testing - Part 5

Windows Mobile Application Security Testing - Part 2