Windows Mobile Application Security Testing - Part 3
In this blog post we are going to learn how to perform dynamic analysis on Windows Phone 8 mobile applications. In the previous article we covered WP8 applications and sideloading developer-signed apps.
OWASP Zed Attack Proxy (ZAP)
Most of us are familiar with ZAP and use it during application penetration testing. ZAP is a powerful open source intercepting proxy that sits between the client and the server and lets you inspect and modify the traffic. You can download it from here.
Fig 1. ZAP proxy tool.
Intercept HTTP and HTTPS Traffic
Check your system's IP address. If your system is connected over Wi-Fi, connect your device to the same Wi-Fi network so that the device can reach the proxy.
Fig 2. System interface IP address.
Now enter your interface IP address in the ZAP proxy settings. Go to Tools > Options (Ctrl+Alt+O) > Local Proxy.
Address: your system's interface IP address (in my case 192.168.198.1)
Port: 8080
Fig 3. ZAP proxy setup.
Now on your device go to Settings > WiFi and select the network you are connected to.
Fig 4. Device Wifi
Turn on Proxy, enter your system's interface IP (192.168.198.1) in Server/URL and 8080 in Port, then save the settings.
Fig 5. Device Wifi Setup.
Installing the ZAP certificate on the device is essential for intercepting HTTPS-enabled applications. Without it you cannot intercept HTTPS requests and responses, because the device does not trust the certificates ZAP generates for each host and the TLS handshake fails. To install it, first export the certificate from ZAP, then send it to the device as an e-mail attachment and open it there. Installing from an SD card is also possible but may not work properly.
To export the certificate from ZAP, go to Tools > Options (Ctrl+Alt+O) > Dynamic SSL Certificates and save the certificate.
Fig 6. ZAP SSL Certificate
Fig 7. Attached ZAP certificate in Mail.
Fig 8. Certificate Installation.
On Windows Phone you can only install one certificate at a time, and WP8 provides no way to delete it later.
After installing the ZAP certificate you will be able to intercept HTTPS-enabled applications on your device.
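As an added check (example code written for this post, not part of the original article or of ZAP itself), the following Python script, run on the test system, opens a CONNECT tunnel through ZAP the same way an app on the phone does and verifies that the certificate presented for the target host chains to the exported ZAP root CA. It assumes the proxy address 192.168.198.1:8080 from above and that the exported certificate is saved as owasp_zap_root_ca.cer in PEM form; a verification failure means ZAP is not intercepting or the wrong certificate was exported.

```python
import socket
import ssl
import sys

PROXY = ("192.168.198.1", 8080)       # ZAP local proxy address used in this article
CA_FILE = "owasp_zap_root_ca.cer"     # assumed file name of the PEM certificate exported from ZAP


def build_connect_request(host: str, port: int) -> bytes:
    """Same HTTP CONNECT request an app on the phone sends to the proxy for HTTPS."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_status(raw: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT (200 = tunnel open)."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def tunnel_issuer(target: str, proxy=PROXY, cafile=CA_FILE) -> str:
    """Tunnel to target:443 through the proxy, verify the presented certificate
    against the ZAP root CA only, and return the issuer's common name."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust nothing but the ZAP CA
    with socket.create_connection(proxy, timeout=10) as sock:
        sock.sendall(build_connect_request(target, 443))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            reply += chunk
        status = parse_connect_status(reply)
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        # wrap_socket raises SSLCertVerificationError unless the chain ends at the ZAP CA
        with ctx.wrap_socket(sock, server_hostname=target) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            return issuer.get("commonName", "")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.facebook.com"
    try:
        print(f"{host}: certificate issued by {tunnel_issuer(host)!r}, ZAP is intercepting")
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: certificate not issued by the ZAP CA, proxy is not intercepting: {exc}")
```

Run it with the host of the app you are testing as the first argument; the same check can be repeated after switching to the Burp chain to confirm traffic is still being intercepted.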
Many people are more comfortable with Burp Proxy; you can set up Burp and its certificate on the device in the same way.
But the Burp certificate often does not work properly on the device. In that case you can keep ZAP as the device's proxy and use ZAP's outgoing proxy setting to forward all HTTP/HTTPS requests and responses through Burp.
Go to Tools > Options (Ctrl+Alt+O) > Connection and configure the proxy chain.
Fig 9. Setup Proxy Chain.
Fig 10. Burp Proxy
Fig 11. Intercept Facebook App HTTPS.
In this article we learned how to set up a proxy for Windows Phone and intercept HTTPS requests and responses in order to perform dynamic analysis of applications. In the next article we will look at analysing isolated storage (the Windows Phone internal file system) using Windows Power Tool.