
Tag Archive for: Microsoft

WP8 App Security – Part 5 Capturing HTTP and HTTPS Traffic

03 Jan 2014 / 1 Comment / in Mobile, Security, WP8/by Jorge Orchilles

By now you should be familiar with the WP8 app you are testing and need to see the type of traffic it is sending to transmit data to the Internet. This post will show you how to use an HTTP proxy, configure it on the WP8 device, and install a digital certificate to see HTTPS traffic as well. If you are using an emulator you have a couple more steps which will be explained in the last portion of this post. As per the OWASP mobile security testing methodology this will be part of the Dynamic Analysis.

HTTP Proxy

The first step will be to install an HTTP proxy on your computer. You will run the proxy from your computer and configure WP8 to send all traffic to it instead of directly to the Internet. This will allow you to see the traffic as well as modify it if you choose.

There are many HTTP proxies to choose from and everyone has his/her favorite. Since we mentioned OWASP in the previous post, we will use the OWASP Zed Attack Proxy (ZAP). Download and install it on your Windows 8 system where the Windows Phone SDK is installed. If you are using a physical device, you can use any system you have on the same local network as the WP8.

Do you know your computer’s IP address? This is needed to configure the proxy and your WP8. In Windows open a command prompt (start-cmd.exe) and type ipconfig:

[Image: ipconfig]

Now run ZAP and accept the terms. On the top menu select Tools – Options. A new window will open; select Local Proxy from the left. In the Address field, put the IP address of your system:

[Image: Options]

Click OK. You may get a message asking you to allow connection through the firewall. Click Accept. If you have any other firewall, you will need to allow connections on port 8080.

Configure WP8

You now need to configure WP8 to use the proxy. Go to Settings – System – WiFi. Select the Wireless network you are on. You should be in the Edit Network menu. Slide the Proxy button to On. Fill out the Server and Port that you configured for your proxy:

[Image: wp_ss_20140102_0001]

Test this by opening IE on WP8 and going to http://www.google.com/. You should see the HTTP request and response in ZAP:

[Image: Google]

To ensure all HTTP and HTTPS traffic is sent via WiFi and to your proxy, disable data on your mobile network: Settings – Mobile Network – Data Connection – Off. Or you can pull the SIM from the phone.

Also note that WP8 does not allow you to authenticate to a proxy. This won’t be a problem in this scenario, but it is basic functionality that Microsoft should really consider adding to WP8.

HTTPS

Try accessing an HTTPS page, for example https://www.google.com/. You should see the standard IE invalid digital certificate error. In IE, an end user can click “Continue to website (not recommended)” and you would then see all the HTTPS traffic on your proxy. This is because the certificate being presented to the WP8 device is from your HTTP proxy, not from the real site. At this point, before installing anything, test your app and see whether it sends traffic via HTTP or allows sending traffic via HTTPS to sites whose digital certificate did not validate. The reason for doing this now is that once you install the ZAP certificate, WP8 does not provide a way to delete it later. So to test whether an app disregards the digital certificate in the future, you will need to generate a new ZAP certificate on the proxy.

To avoid the invalid digital certificate errors and verify the WP8 app requires a validated certificate, you need to install the proxy’s certificate on the WP8 device. In ZAP, go to Tools – Options. This time click on Dynamic SSL Certificate on the left. The certificate should be there, if not click Generate and then Save.

[Image: Cert]

You will now need to open the .cer file on your Windows Phone. There are many ways to do this:

  • Email it to yourself
  • Save it on SkyDrive and access it from IE (remember App Sandboxing won’t allow you to install the cert onto the device if it is opened with SkyDrive App)
  • Transfer it via USB
  • Host it on a web server and browse to it with IE

Once you open it, you should be prompted to install the certificate:

[Image: wp_ss_20140102_0002]

Once installed, navigate to a site using SSL, e.g. https://www.google.com/. Notice that you do not get a certificate error and you can see the requests and responses in ZAP. Now use the app you are testing and see whether its HTTPS traffic shows up as well.

Emulator

The Windows Phone 8 emulator is a Hyper-V virtual machine with its own IP address. This means the network traffic will route from the virtual machine (emulator) to your Windows 8 system running the SDK and then out to the Internet. The easiest way to configure the emulator to use a proxy is to configure the Windows 8 system’s IE proxy settings. Click the gear at the top right of IE and select Internet Options. Click the Connections tab and then LAN Settings. Check the box under Proxy Server: “Use a proxy server for your LAN”. In the Address field put your IP address and port 8080 as configured in your HTTP proxy (ZAP). You will need to restart the emulator every time you change the proxy settings on your host.

[Image: IEProxySetting]

More Information Gathering

Now that you can see the HTTP and HTTPS traffic the WP8 app sends and receives, more information may be gathered on the application. Taken straight from the OWASP mobile security testing methodology under Information Gathering:

  • Can you determine anything about the server side application environment?
    • Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)
    • Development environment (Rails, Java, Django, ASP.NET, etc.)
    • Does the application leverage Single Sign On or Authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)
    • Any other APIs in use
      • Payment gateways
      • SMS messaging
      • Social networks
      • Cloud file storage
      • Ad networks
  • Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior
    • Leaking sensitive information (i.e. credentials) in the response
    • Resources not exposed through the UI
    • Error messages
    • Cacheable information

Vulnerabilities

At this point you may have identified even more vulnerabilities. Here are some ideas as to what you may find after being able to see HTTP and HTTPS traffic:

  • Encryption not enforced – I prefer always enforcing HTTPS even for non-sensitive data. Most end users connect to any free/untrusted WiFi and modifying HTTP data is trivial. We will cover this in another post.
  • Sensitive information sent in clear text
    • Credentials sent over HTTP instead of HTTPS
  • Digital Certificate not validated
    • Does the app accept the invalid cert and send sensitive information?
    • No warning on invalid digital certificate
  • Basic Authentication used
  • No Mutual Authentication
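The Information Gathering questions above and this vulnerability list are the kind of triage a tester repeats for every request/response pair the proxy shows. The following is an added example, not code from the original post or from ZAP: a small Python script that takes proxy-captured exchanges (here a constructed sample with made-up hosts, not real app traffic) and flags cleartext HTTP, credentials sent in the clear, Basic Authentication, and sensitive response bodies that are not marked no-store, while collecting the Server / X-Powered-By style headers that hint at the hosting provider and development environment. The record layout, the header lookup table and the credential field names are assumptions chosen for the example.

```python
"""Triage of proxy-captured mobile app traffic (added example, constructed data)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of what a proxy such as ZAP shows: one record per
# request/response pair. Hosts, bodies and headers are made up for the example.
SAMPLE_EXCHANGES = [
    {"method": "POST", "url": "http://api.example.test/login",
     "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "request_body": "username=alice&password=hunter2",
     "status": 200,
     "response_headers": {"Server": "nginx/1.4.1", "X-Powered-By": "PHP/5.4"},
     "response_body": '{"token":"abc123"}'},
    {"method": "GET", "url": "https://account.example.test/account",
     "request_headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="},
     "request_body": "",
     "status": 200,
     "response_headers": {"Server": "Microsoft-IIS/8.0", "X-AspNet-Version": "4.0.30319",
                          "Cache-Control": "public, max-age=3600"},
     "response_body": '{"card_number":"4111111111111111","email":"alice@example.test"}'},
    {"method": "GET", "url": "https://cdn.example.test/banner.png",
     "request_headers": {}, "request_body": "", "status": 200,
     "response_headers": {"Server": "AmazonS3"}, "response_body": ""},
]

# Parameter names treated as credentials (assumed list; extend per app).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pin", "token", "secret", "apikey", "api_key"}
# JSON keys in a response body that should never be cacheable (assumed list).
SENSITIVE_BODY = re.compile(r'"(card_number|password|ssn|secret|token)"', re.I)
FINGERPRINT_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "Via")
# Small constructed lookup from Server header substrings to a hosting/stack hint.
HOSTING_HINTS = {"amazons3": "AWS (S3)", "google frontend": "App Engine",
                 "microsoft-iis": "ASP.NET/IIS stack", "cloudflare": "Cloudflare"}


def _header(headers, name):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def credential_fields(exchange):
    """Names of credential-like parameters in the query string or form body."""
    params = parse_qs(urlsplit(exchange["url"]).query)
    if "form" in (_header(exchange["request_headers"], "Content-Type") or ""):
        params.update(parse_qs(exchange["request_body"]))
    return sorted(k for k in params if k.lower() in CREDENTIAL_KEYS)


def triage(exchange):
    """Return the list of finding tags for one request/response pair."""
    findings = []
    if urlsplit(exchange["url"]).scheme == "http":
        findings.append("encryption-not-enforced")
        if credential_fields(exchange):
            findings.append("credentials-in-clear")
    auth = _header(exchange["request_headers"], "Authorization") or ""
    if auth.lower().startswith("basic "):
        findings.append("basic-auth")
    cache = (_header(exchange["response_headers"], "Cache-Control") or "").lower()
    if SENSITIVE_BODY.search(exchange["response_body"]) and "no-store" not in cache:
        findings.append("sensitive-response-cacheable")
    return findings


def hosting_hint(server_header):
    """Map a Server header value to a hosting/stack hint, or None."""
    low = server_header.lower()
    for needle, hint in HOSTING_HINTS.items():
        if needle in low:
            return hint
    return None


def fingerprint(exchanges):
    """Collect server-side fingerprint headers per host."""
    out = {}
    for ex in exchanges:
        host = urlsplit(ex["url"]).hostname
        for h in FINGERPRINT_HEADERS:
            v = _header(ex["response_headers"], h)
            if v:
                out.setdefault(host, {})[h] = v
    return out


def report(exchanges):
    """Map each URL to its finding tags."""
    return {ex["url"]: triage(ex) for ex in exchanges}


if __name__ == "__main__":
    for url, tags in report(SAMPLE_EXCHANGES).items():
        print(url, "->", ", ".join(tags) or "no findings")
    for host, hdrs in fingerprint(SAMPLE_EXCHANGES).items():
        print(host, hdrs, hosting_hint(hdrs.get("Server", "")))
```

The script only labels what is visible in the capture; deciding whether a flagged item is an actual vulnerability (for example, whether the cacheable response really contains data the app should protect) is still the tester's call, as the post says.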

Web Application Assessment

Knowing what URLs the WP8 app communicates with will allow you to perform traditional Web Application testing. Ensure the server side components are in scope and follow the usual testing methodology for assessing web apps. If your phone can access it, your browser probably can too!

Conclusion

You should now be able to see and modify HTTP and HTTPS requests between the WP8 app and its server side components. This visibility facilitates the continuation of information gathering as well as vulnerability identification and verification.

WP8 App Security – Part 4 Information Gathering

02 Jan 2014 / 0 Comments / in Mobile, Security, WP8/by Jorge Orchilles

The first three posts in this series were an introduction to the WP8 platform, the prerequisites for testing, and side loading the XAP file. At this point you should have the app installed on your device or emulator. If a XAP file was not provided, obtain the app from the Microsoft App Store as an end user would. We will follow the OWASP mobile security testing methodology moving forward. It is broken up into the following sections, which we will subdivide further to get into the platform-specific steps for testing WP8 app security:

  • Information Gathering – describes the steps and things to consider when you are in the early stage reconnaissance and mapping phases of testing, as well as determining the application’s magnitude of effort and scoping.
  • Dynamic Analysis – executing an application either on the device itself or within a simulator/emulator and interacting with the remote services with which the application communicates. This includes assessing the application’s local inter process communication surface, forensic analysis of the local file system, and assessing remote service dependencies.
  • Static Analysis – analyzing raw mobile source code, or decompiled or disassembled code.

Information Gathering

The first phase of any vulnerability assessment or penetration test is understanding what you are testing. This step will prepare you for the future tests we will cover in this series. Learning how the application works will reveal what it “should” do so you can identify when it does something it “should not”. This step also helps identify attack vectors you will try to exploit.

  1. Navigate through the application. This will expose you to the application as an end user would use it. Tap through all the different features, look at the settings, etc. This may be performed on the device or in the emulator as we covered in previous sections.
  2. Identify the network interfaces used. Does the application require internet connectivity? If so, does it work over Wi-Fi only, or over the mobile data connection (SIM) only? Does the application use Bluetooth, NFC, or a VPN?
  3. Does the application take your input? Any sensitive information? Does it access any sensitive information?
  4. Does the application perform transactions? In-app purchases? Credit card or payment information?
  5. What other components does the application interact with? Contact list, calendar, camera, location?
  6. Do some reconnaissance. Has this app been talked about already? Search Google, app store reviews, etc.

It is a good idea to document all of this as you go, particularly any attack vectors you identify. For instance, you notice that sensitive information must be submitted and sent to a web server. It would be a good idea to write that down and test it during the dynamic analysis of network traffic to ensure the data is being transferred securely. Also, you will want to make sure the sensitive information is not being stored locally.

Vulnerabilities

During the information gathering phase you may already have some vulnerabilities in mind. Here are a few to consider:

  • No application pass code – does the app reveal sensitive information that requires authentication? Should it have its own pass code? This may be a consideration for apps storing company data on BYOD devices that don’t require a device pass code.
  • Weak pass code – does the app enforce good password policies?
    • Minimum of how many characters?
    • Complexity?
    • Password rotation?
    • Password lock out?
  • Sensitive information stored on disk – does the app request sensitive information from the end user and then store it? We will look at local storage later in this series.

Conclusion

In this step we covered using the application for the first time to gather as much information as possible. Good notes were taken so they may be used in the different phases of testing.

WP8 App Security – Part 3 XAP File

31 Dec 2013 / 1 Comment / in Mobile, Security, WP8/by Jorge Orchilles

This is the third part of a series on testing WP8 Apps. The first post introduced you to the WP8 platform and the second post had you install the prerequisites. This post will focus on the XAP file and side loading it onto your device or emulator.

Side loading is the act of installing an application from your computer connected directly to your device. To do this in WP8 you must obtain the XAP file from the developer. Ensure this is in your contract, as push back from developers on providing the XAP file is common. Note that the phone will only run apps signed with trusted certificates and that your phone must be unlocked, as explained in parts one and two of this series respectively.

You may download a XAP file from the store if you want to follow along and do not have the developer provided XAP file. Search the Windows Phone store for the app you will be testing and select Download and install manually from the bottom left of the screen as shown in the screen shot below:

[Image: Screen Shot 2013-12-30 at 6.50.32 PM]

Alternatively, you can download a XAP file from XDA-Developers. Here is a link to the YouTube XAP.

What is a XAP file?

XAP is a file format used for both Windows Phone applications and Silverlight applications. XAP files are ZIP-formatted packages. The MIME type associated with XAP files is application/x-silverlight-app. The XAP file generally contains an AppManifest.xaml file, which defines the assemblies that get deployed in the client application as well as the DLLs required by the app. Below is an example:

[Image: Screen Shot 2013-12-31 at 10.27.33 AM]

XAP files downloaded from the app store come PlayReady DRM encrypted. Encrypted XAP files will not run in the emulator. This is one of the reasons I prefer to have a physical device.

To determine whether the XAP file is encrypted or not, you can open it with Notepad. If the first characters are PK then the file is not encrypted (PK is the signature at the start of every ZIP file). If the first characters are PRE, then it is encrypted. Here is an example; the one on the left is not encrypted.

[Image: Screen Shot 2013-12-31 at 10.56.22 AM]
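The same two checks described above (what the package contains, and whether it is a plain ZIP or a PlayReady-encrypted store download) are easy to script so they can be run on every XAP received during an engagement. The following is an added example, not code from the original post or from any Microsoft tool: it reads the leading bytes to classify the file, and for a plain package lists the ZIP entries and pulls the assembly names out of AppManifest.xaml. The sample XAP is built in memory from a constructed, minimal manifest (the Silverlight deployment namespace and the AssemblyPart element layout are assumed for the example; real manifests carry more attributes), and the "encrypted" sample only mimics the leading PRE bytes, so no real app or DRM container is involved.

```python
"""Classify a XAP as plain ZIP or encrypted and list its contents (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK"   # first two bytes of any ZIP local file header
PRE_MAGIC = b"PRE"  # leading bytes the post reports for store-encrypted XAPs

# Constructed stand-in for a developer-provided XAP (assumed manifest layout).
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    EntryPointAssembly="SampleApp" EntryPointType="SampleApp.App">
  <Deployment.Parts>
    <AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" />
    <AssemblyPart x:Name="Newtonsoft.Json" Source="Newtonsoft.Json.dll" />
  </Deployment.Parts>
</Deployment>"""

DEPLOY_NS = {"d": "http://schemas.microsoft.com/client/2007/deployment"}


def build_sample_xap():
    """Build an in-memory ZIP that looks like an unencrypted XAP (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        # Placeholder bytes, not real assemblies.
        z.writestr("SampleApp.dll", b"MZ" + b"\0" * 62)
        z.writestr("Newtonsoft.Json.dll", b"MZ" + b"\0" * 62)
    return buf.getvalue()


# Constructed: only the leading bytes of an encrypted store XAP are mimicked.
SAMPLE_ENCRYPTED_XAP = b"PRE" + b"\0" * 61


def xap_kind(data):
    """'plain' for a ZIP, 'encrypted' for a PRE-prefixed file, else 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "plain"
    if data.startswith(PRE_MAGIC):
        return "encrypted"
    return "unknown"


def list_entries(data):
    """Names of all files inside a plain XAP."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def manifest_assemblies(data):
    """Source attribute of every AssemblyPart in AppManifest.xaml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("AppManifest.xaml"))
    return [part.get("Source") for part in root.findall(".//d:AssemblyPart", DEPLOY_NS)]


def inspect(data):
    """Summarize a XAP: its kind and, when readable, its entries and assemblies."""
    result = {"kind": xap_kind(data)}
    if result["kind"] == "plain":
        result["entries"] = list_entries(data)
        result["assemblies"] = manifest_assemblies(data)
    return result


def inspect_file(path):
    """Run inspect() on a XAP on disk."""
    with open(path, "rb") as fh:
        return inspect(fh.read())


if __name__ == "__main__":
    print(inspect(build_sample_xap()))
    print(inspect(SAMPLE_ENCRYPTED_XAP))
```

For a real engagement, `inspect_file("app.xap")` on the developer-provided package gives the assembly list that later static analysis (decompiling the DLLs) starts from; an `encrypted` result means the file came from the store and, as the post notes, will not run in the emulator.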

Side Loading

To side load the app, you can use the Application Deployment shortcut that came installed with the Windows Phone SDK, or a tool called Windows Phone Power Tools. We will use Windows Phone Power Tools to look at the local storage of the app in the following post. Install the tool from its website onto your Windows 8 system with the Windows Phone SDK.

Plug in your device, unlock it, and run the Windows Phone Power Tools application. You will be able to launch an emulator from the drop down or connect to the device.

[Image: Screen Shot 2013-12-31 at 11.23.34 AM]

Make sure your physical device is connected to the Windows 8 system via USB, unlock it, and click Connect. From the main screen, you can click browse and select the XAP file to side load:

[Image: Screen Shot 2013-12-31 at 11.23.55 AM]

Click Install and wait for the app to install.

Conclusion

You now have an understanding of how WP8 applications are packaged and distributed. To look at the local storage of the app you will need the developer provided XAP file and side load the app onto your device or emulator. Now that you have the app installed on the device or emulator we will begin testing!

WP8 App Security – Part 2 Prerequisites

30 Dec 2013 / 2 Comments / in Mobile, Security, WP8/by Jorge Orchilles

This is the second post of a series on WP8 App Security and is focused on setting up the environment where you will test WP8 apps. You should already have a basic understanding of how the WP8 platform works. We will focus on the prerequisites for the tools and methods required to test WP8 apps.

  • Physical Device or Emulator
  • Windows Phone SDK
  • Unlocking the Device

Physical Device or Emulator

This series will use a physical device to test WP8 apps, a Nokia Lumia 925. I personally prefer testing on a physical device but testing through an emulator is also possible. The emulator comes with the Windows Phone SDK and is installed in C:\Program Files (x86)\Microsoft XDE\8.0\XDE.exe

Windows Phone SDK

The Windows Phone SDK requires a Windows 8 64-bit operating system with Hyper-V enabled for the emulator to work. If you insist on trying to run the SDK on Windows 7 64-bit, here is how, but do so at your own risk. The Windows 8 system does not have to be a physical system and can be a virtual machine. If you are using a virtual machine, you need to ensure you enable hypervisor applications (nested virtualization) in the virtual machine. In VMware products this is set in the processor settings of the virtual machine; also add this line to your .vmx file: hypervisor.cpuid.v0 = "FALSE". Here is a great tutorial for those choosing to virtualize on Windows and one for Mac.

If you are using an emulator, ensure that Hyper-V is turned on by going to Control Panel – Programs – Turn Windows Features on or off – check Hyper-V.

Now you are ready to download and install the Windows Phone SDK 8.0 from Microsoft.

Unlocking the Device

To side load applications once you obtain the XAP (application) file, you will need the device to be unlocked. Side loading applications allows you to view the local storage of the app, which is important in your assessment. Here is how to register your device and unlock it for testing. You need the SDK, a Microsoft account, a physical device, and to join the dev program. Using a developer account ($99/year) you can side load up to 10 applications at a time. Using a student account (free or $19) you can side load up to 3 applications at a time.

Conclusion

You should now be ready to test a WP8 app. You have a device or an emulator, you have the Windows Phone SDK installed on a Windows 8 system, and you have unlocked the device.
