This is the third part of a series on testing WP8 Apps. The first post introduced you to the WP8 platform and the second post had you install the prerequisites. This post will focus on the XAP file and side loading it onto your device or emulator.

Side loading is the act of installing an application from your computer connected directly to your device. To do this in WP8 you must obtain the XAP file from the developer. Ensure this is in your contract as push back by developers to provide the XAP file is common. Note that the phone will only run apps signed with trusted certificates and your phone must be unlocked as explained in part one and two of this series respectively.

You may download a XAP file from the store if you want to follow along and do not have the developer provided XAP file. Search the Windows Phone store for the app you will be testing and select Download and install manually from the bottom left of the screen as shown in the screen shot below:

Alternatively, you can download a XAP file from XDA-Developers. Here is a link to the YouTube XAP.

What is a XAP file?

XAP is a file format used for both Windows Phone applications and Silverlight applications. XAP files are ZIP file formatted packages. The MIME type associated with XAP files is application/x-silverlight-app. The XAP file generally contains a AppManifest.xaml file which defines the assemblies that get deployed in the client application as well as the DLLs required by the app. Below is an example:

XAP files downloaded from the app store come PlayReady DRM encrypted. Encrypted XAP files will not run in the emulator. This is one of the reasons I prefer to have a physical device.

To determine if the XAP file is encrypted or not, you can open it with notepad. If the first line of text is PK then the file is not encrypted. If the first line of text is PRE, then it is encrypted. Here is an example, the one on the left is not encrypted.

Side Loading

To side load the app, you can use Application Deployment shortcut that came installed with the Windows Phone SDK or a tool called Windows Phone Power Tools. We will use Windows Phone Power Tools to look at the local storage of the app in the following post. Install the tool from the website onto your Windows 8 system with the Windows Phone SDK.

Plug in your device, unlock it, and run the Windows Phone Power Tools application. You will be able to launch an emulator from the drop down or connect to the device.

Make sure your physical device is connected to the Windows 8 system via USB, unlock it, and click Connect. From the main screen, you can click browse and select the XAP file to side load:

Click Install and wait for the app to install.

Conclusion

You now have an understanding of how WP8 applications are packaged and distributed. To look at the local storage of the app you will need the developer provided XAP file and side load the app onto your device or emulator. Now that you have the app installed on the device or emulator we will begin testing!

This is the second post of a series on WP8 App Security and is focused on setting up the environment where you will test WP8 apps. You should already have a basic understanding of how the WP8 platform works. We will focus on the prerequisites for the tools and methods required to test WP8 apps.

• Physical Device or Emulator
• Windows Phone SDK
• Unlocking the Device

Physical Device or Emulator

This series will use a physical device to test WP8 apps, a Nokia Lumia 925. I personally prefer testing on a physical device but testing through an emulator is also possible. The emulator comes with the Windows Phone SDK and is installed in C:\Program Files (x86)\Microsoft XDE\8.0\XDE.exe

Windows Phone SDK

The Windows Phone SDK requires a Windows 8 64-bit operating system with Hyper-V enabled for the emulator to work. If you insist on trying to run the SDK on Windows 7 64-bit here is how but do so at your own risk. The Windows 8 system does not have to be a physical system and can be a virtual machine. If you are using a virtual machine you need to ensure you enable hypervisor applications in the virtual machine. This is set in the processor settings of the virtual machine in vmware products and add this line to your .vmx file: hypervisor.cpuid.v0 = ”FALSE” Here is a great tutorial for those choosing to virtualize on Windows and one for Mac.

If you are using an emulator, ensure that Hyper-V is turned on by going to Control Panel – Programs – Turn Windows Features on or off – check Hyper-V.

Now you are ready to download and install the Windows Phone SDK 8.0 from Microsoft.

Unlocking the Device

To side load applications once you obtain the XAP (application) file, you will need the device to be unlocked. Side loaded applications allows you to view the local storage of the app which is important in your assessment.  Here is how to register your device and unlock it for testing. You need the SDK, a Microsoft account, a physical device, and join the dev program. Using a developer account ($99/year) you can side load up to 10 applications at a time. Using a student account (free or $19) you can side load up to 3 applications at a time.

Conclusion

You should now be ready to test a WP8 app. You have a device or an emulator, you have the Windows Phone SDK installed on a Windows 8 system, and you have unlocked the device.

In this post and series we will dive into the process and methods used to test the security of Windows Phone 8 (WP8) app. Let’s say you are tasked with performing a security assessment, ethical hack, vulnerability assessment, or a penetration test of a WP8 app, where do you begin? This is where!

WP8 Platform

Before testing any app, one must first understand how the underlying platform works. Microsoft rebranded Windows Mobile to Windows Phone for version 7. The latest version is Windows Phone 8 (WP8). WP8 runs ARM hardware architecture, similar to iOS, Android, and Blackberry. WP8 migrated to the Windows NT kernel instead of Windows CE which WP7 used. WP8 also uses the Windows Phone Runtime application architecture, not identical to WinRT, to allow developers convergence between Windows 8 and WP8. Applications for WP8 may be coded in .NET (C# or VB.NET) and C++ but not JavaScript.

Security in WP8 Platform

WP8 being Windows NT kernel based allows for multiple benefits from a end user security perspective. These security controls do not help a tester but do help make the device more secure and attractive to enterprise users and decision makers.

• 128-bit BitLocker for full disk encryption
• NTFS file system
• Sandboxed apps – no access to other apps
• SafeBoot: Secure boot with Unified Extensible Firmware Interface (EUFI)
  • This makes it difficult for software without correct  digital signature to be loaded on your Windows Phone. Something jailbreakers will need to bypass. More on the jailbreaking later.
  • TPM 2.0 standard, requires unique keys to be burned into the chip during production
• All Windows Phone 8 binaries must have legit digital signatures from Microsoft to run

No Jailbreak for WP8 Yet

WP8 is a closed operating system and therefore does not allow access to memory, inspecting the local file system and storage, or transferring certain files to and from the device. Traditionally, a jailbreak is required to obtain this type of access to the platform. Unfortunately there is no jailbreak for WP8 which limits us substantially at the moment. However, there are ways we can test the app without a jailbreak as you will see in this series. To see and manipulate the app’s local storage we must obtain the XAP file from the developers. This should be a requirement in your contract to successfully and thoroughly test a WP8 app. Even if you do not have the XAP file, you will be able to perform some testing so don’t let that stop you.

What would a jailbreak for WP8 look like? Well it would need to do the following:

• Exploit a vulnerability
• Escalate privilege to run code as SYSTEM
• Bypass SecureBoot
• Disable application code signing
• Create a trusted app store certificate

Resources

• Microsoft Windows Phone 8 Security Overview
• XDA Developers
• OWASP Mobile

Conclusion

In the first part of WP8 application security we learned about the WP8 platform and the security controls that Microsoft has implemented. We learned there is no jailbreak currently available and will have to be creative in ways to test the applications.

Now that evad3rs released evasi0n to jailbreak iOS 7 we may begin testing iOS apps on iOS 7! This post will cover the steps and tools to set up your jailbroken iOS 7 device for testing mobile apps.

From the Cydia app on the device, search and install the following:

• OpenSSH
• MobileTerminal
• BigBoss Recommended Tools
• PreferenceLoader
• Applist
• iFile
• MobileSubstrate

Once all of these are installed you will want to change the root and mobile user password. You can do this through SSH or using the MobileTerminal. The default password for both accounts is: alpine

Once SSHed or on MobileTerminal you can install these other tools and scripts required for testing iOS 7 apps. You can either use wget from the terminal or SSH or download the binary to your computer and move it to the device via SCP or SFTP.

class_dump_z

• Site: https://code.google.com/p/networkpx/wiki/class_dump_z
• In terminal type:
  • wget http://networkpx.googlecode.com/files/class-dump-z_0.2a.tar.gz
  • tar -xvzf class-dump-z_0.2a.tar.gz
  • cd iPhone_armv6/
  • mv class-dump-z /usr/bin *ensures we can run it from anywhere*

Keychain Dumper

• Site: https://github.com/ptoomey3/Keychain-Dumper
• In terminal:
  • chmod a+x keychain_dumper
  • chmod +r /private/var/Keychains/keychain-2.db *this allows the keychain to be readable*
  • mv keychain_dumper /usr/bin *ensures we can run it from anywhere*

Clutch

• Site: https://iphone-clutch.googlecode.com/files/Clutch-1.3
• In terminal:
  • chmod a+x Clutch-1.3
  • mv Clutch-1.3 /usr/bin/clutch

Cycript

• Site: http://www.cycript.org/debs/
• Download libffi_1-3.0.10-5_iphoneos-arm.deb and cycript_0.9.458_iphoneos-arm.deb
• In terminal:
  • dpkg -i libffi_1-3.0.10-5_iphoneos-arm.deb
  • dpkg -i cycript_0.9.458_iphoneos-arm.deb

TCPDump from apt-get

• In terminal:
  • apt-get install tcpdump

Introspy

• Site: https://github.com/iSECPartners/Introspy-iOS
• In terminal:
  • wget https://www.dropbox.com/s/z5cwqk5wti3zsvd/com.isecpartners.introspy-v0.3-iOS_6.1.deb?dl=1
  • dpkg -i com.isecpartners.introspy-v0.3-iOS_6.1.deb

Snoop-it from Cydia

• Currently not working on iOS 7 due to MobileSubstrate
• Add repo: http://repo.nesolabs.de/
• https://code.google.com/p/snoop-it/

These are some of the main tools required for testing iOS 7 apps from the device. Are there any missing? Let me know!