By now you should be familiar with the WP8 app you are testing and want to see what traffic it sends to the Internet. This post shows how to set up an HTTP proxy, point the WP8 device at it, and install the proxy's digital certificate so that HTTPS traffic is visible too. If you are using the emulator there are a couple of extra steps, covered in the last part of this post. In the OWASP mobile security testing methodology this is part of the Dynamic Analysis.
The first step will be to install an HTTP proxy on your computer. You will run the proxy from your computer and configure WP8 to send all traffic to it instead of directly to the Internet. This will allow you to see the traffic as well as modify it if you choose.
There are many HTTP proxies to choose from and everyone has his/her favorite. Since we mentioned OWASP in the previous post, we will use the OWASP Zed Attack Proxy (ZAP). Download and install it on your Windows 8 system where the Windows Phone SDK is installed. If you are using a physical device, you can use any system you have on the same local network as the WP8.
Do you know your computer’s IP address? This is needed to configure the proxy and your WP8. In Windows open a command prompt (start-cmd.exe) and type ipconfig:
In ZAP, go to Tools – Options – Local proxy, set the Address to the IP address you just found and the Port to 8080, then click OK. Windows may ask whether to allow ZAP to accept connections through the firewall; click Accept. If you run a different firewall, allow inbound connections on TCP port 8080.
You now need to configure WP8 to use the proxy. Go to Settings – System – WiFi. Select the Wireless network you are on. You should be in the Edit Network menu. Slide the Proxy button to On. Fill out the Server and Port that you configured for your proxy:
Test this by opening IE on WP8 and going to http://www.google.com/ You should see the HTTP request and response in ZAP:
To ensure all HTTP and HTTPS traffic is sent via WiFi and to your proxy, disable data on your mobile network: Settings – Mobile Network – Data Connection – Off. Or you can pull the SIM from the phone.
Also note that WP8 does not allow you to authenticate to a proxy. This won't be a problem in this scenario, but it is basic functionality that Microsoft should really consider adding to WP8.
Now try an HTTPS page, for example https://www.google.com/ You should get the standard IE invalid certificate warning, because the certificate presented to the WP8 device is the one generated by your HTTP proxy, not Google's. In IE an end user can click "Continue to website (not recommended)", after which you would see the HTTPS traffic in ZAP. Before going any further, exercise the app under test at this point, while the proxy certificate is still untrusted: check whether it sends traffic over plain HTTP, and whether it keeps sending data over HTTPS even though the certificate failed validation. Do this now because WP8 does not provide a way to delete a certificate once it has been installed; to repeat the invalid-certificate test later you would have to generate a new ZAP certificate on the proxy, which the phone would again not trust.
To get rid of the certificate errors and see the HTTPS traffic of an app that does validate certificates, install the proxy's certificate on the WP8 device. In ZAP, go to Tools – Options. This time click Dynamic SSL Certificate on the left. A certificate should already be there; if not, click Generate. Then click Save to export it as a .cer file.
You will now need to open the .cer file on your Windows Phone. There are many ways to do this:
- Email it to yourself
- Save it on SkyDrive and access it from IE (remember that app sandboxing will not let the SkyDrive app install the certificate on the device, so open it from IE instead)
- Transfer it via USB
- Host it on a web server and browse to it with IE
Once you open it, you should be prompted to install the certificate:
Once installed, navigate to a site using SSL: https://www.google.com/ Notice you did not get a certificate error and you can see the requests and responses in ZAP. Now use the app you are testing and see if you can see the HTTPS traffic.
The Windows Phone 8 emulator is a Hyper-V virtual machine with its own IP address, so its network traffic goes from the virtual machine (emulator) to your Windows 8 host running the SDK and from there out to the Internet. The easiest way to make the emulator use a proxy is to configure the proxy in the host's IE settings, which the emulator picks up. In IE click the gear in the top right corner and select Internet Options, click the Connections tab and then LAN Settings, and tick "Use a proxy server for your LAN" under Proxy Server. In the Address field enter your host's IP address and in Port enter 8080, as configured in your HTTP proxy (ZAP). Restart the emulator every time you change the proxy settings on the host, since it only picks them up at start-up.
More Information Gathering
Now that you can see the HTTP and HTTPS traffic the WP8 app sends and receives, more information may be gathered on the application. Taken straight from the OWASP mobile security testing methodology under Information Gathering:
- Can you determine anything about the server side application environment?
- Hosting provider (AWS, App Engine, Heroku, Rackspace, Azure, etc.)
- Development environment (Rails, Java, Django, ASP.NET, etc.)
- Does the application leverage Single Sign On or Authentication APIs (Google Apps, Facebook, iTunes, OAuth, etc.)
- Any other APIs in use
- Payment gateways
- SMS messaging
- Social networks
- Cloud file storage
- Ad networks
- Perform a thorough crawl of exposed web resources and sift through the requests and responses to identify potentially interesting data or behavior
- Leaking sensitive information (i.e. credentials) in the response
- Resources not exposed through the UI
- Error messages
- Cacheable information
At this point you may have identified even more vulnerabilities. Here are some ideas as to what you may find after being able to see HTTP and HTTPS traffic:
- Encryption not enforced – I prefer always enforcing HTTPS even for non-sensitive data. Most end users connect to any free/untrusted WiFi and modifying HTTP data is trivial. We will cover this in another post.
- Sensitive information sent in clear text
- Credentials sent over HTTP instead of HTTPS
- Digital Certificate not validated
- Does the app accept the invalid cert and send sensitive information?
- No warning on invalid digital certificate
- Basic Authentication used
- No Mutual Authentication
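The information gathering questions and the vulnerability list above are both things you answer by sifting through the captured requests and responses. The script below is an added example, not part of the original post or of ZAP, that does a first pass over a list of captured exchanges: it reads the Server, X-Powered-By and Via headers for stack and hosting hints, recognises third-party API hosts, flags credential-like parameters (and whether they travelled over plain HTTP), HTTP Basic authentication, credential-like fields in cacheable responses and verbose 5xx error pages. The exchange dictionary format and the sample exchanges are constructed for the example; they are not ZAP's export format or real captured traffic.

```python
"""First-pass triage of captured HTTP exchanges for the OWASP information
gathering items and the vulnerability classes discussed above.

Added example, not part of the original post or of ZAP. The exchange dict
layout is an assumption made for this example; the SAMPLE data is constructed.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Response header fragments that reveal the development stack or hosting provider.
STACK_HINTS = {
    "Server": {"Microsoft-IIS": "ASP.NET/IIS", "nginx": "nginx", "Apache": "Apache",
               "gunicorn": "Python (gunicorn)", "WEBrick": "Ruby", "Google Frontend": "App Engine"},
    "X-Powered-By": {"ASP.NET": "ASP.NET", "PHP": "PHP", "Express": "Node.js (Express)",
                     "Phusion Passenger": "Rails/Passenger"},
    "Via": {"1.1 vegur": "Heroku"},
}
# Host names (or parent domains) that indicate third-party services in use.
THIRD_PARTY = {
    "amazonaws.com": "AWS", "azurewebsites.net": "Azure", "herokuapp.com": "Heroku",
    "appspot.com": "App Engine", "facebook.com": "Facebook SSO/API",
    "accounts.google.com": "Google SSO", "paypal.com": "Payment gateway (PayPal)",
    "twilio.com": "SMS (Twilio)", "dropbox.com": "Cloud storage (Dropbox)",
}
CRED_PARAMS = {"password", "passwd", "pwd", "pin", "token", "secret", "api_key", "apikey"}


def _host_matches(hostname, frag):
    return hostname == frag or hostname.endswith("." + frag)


def triage(exchanges):
    """Return (severity, finding) tuples for a list of exchange dicts with keys
    method, url, req_headers, req_body, status, resp_headers, resp_body."""
    findings = []
    for ex in exchanges:
        u = urlsplit(ex["url"])
        req_h = {k.lower(): v for k, v in ex.get("req_headers", {}).items()}
        resp_h = {k.lower(): v for k, v in ex.get("resp_headers", {}).items()}
        where = f"{ex['method']} {ex['url']}"

        # Information gathering: server side stack and third-party services.
        for header, hints in STACK_HINTS.items():
            val = resp_h.get(header.lower(), "")
            for needle, label in hints.items():
                if needle.lower() in val.lower():
                    findings.append(("info", f"{where}: {header}: {val} -> {label}"))
        for frag, label in THIRD_PARTY.items():
            if u.hostname and _host_matches(u.hostname, frag):
                findings.append(("info", f"{where}: third party service {label}"))

        # Credentials in the query string or form body, and the scheme they travelled over.
        params = parse_qs(u.query)
        if "application/x-www-form-urlencoded" in req_h.get("content-type", ""):
            params.update(parse_qs(ex.get("req_body", "")))
        leaked = sorted(CRED_PARAMS & {k.lower() for k in params})
        if leaked:
            sev = "high" if u.scheme == "http" else "medium"
            findings.append((sev, f"{where}: credential-like parameters {leaked} over {u.scheme.upper()}"))
        elif u.scheme == "http":
            findings.append(("low", f"{where}: request not over HTTPS"))

        # Basic authentication: the credentials are only base64-encoded in every request.
        auth = req_h.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                user = base64.b64decode(auth[6:]).decode("utf-8", "replace").split(":", 1)[0]
            except Exception:
                user = "?"
            sev = "high" if u.scheme == "http" else "medium"
            findings.append((sev, f"{where}: HTTP Basic authentication (user '{user}')"))

        # Sensitive fields in responses the phone may cache, and verbose error pages.
        resp_body = ex.get("resp_body", "")
        if re.search(r'"(password|secret|token|api_key)"\s*:', resp_body, re.I):
            cacheable = not re.search(r"no-store", resp_h.get("cache-control", ""), re.I)
            note = " and response is cacheable (no Cache-Control: no-store)" if cacheable else ""
            findings.append(("medium", f"{where}: credential-like field in response{note}"))
        if ex.get("status", 200) >= 500 and re.search(r"(stack trace|exception|\.cs:line \d+)", resp_body, re.I):
            findings.append(("low", f"{where}: verbose error message in {ex['status']} response"))
    return findings


# Constructed sample exchanges (not real captured traffic).
SAMPLE = [
    {"method": "POST", "url": "http://api.example.com/login",
     "req_headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "req_body": "user=alice&password=s3cret", "status": 200,
     "resp_headers": {"Server": "Microsoft-IIS/8.0", "X-Powered-By": "ASP.NET"},
     "resp_body": '{"token": "abc123"}'},
    {"method": "GET", "url": "https://api.example.com/profile",
     "req_headers": {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()},
     "status": 500, "resp_headers": {"Server": "Microsoft-IIS/8.0"},
     "resp_body": "System.NullReferenceException at Profile.Get() in Profile.cs:line 42"},
    {"method": "GET", "url": "https://graph.facebook.com/me", "status": 200,
     "resp_headers": {}, "resp_body": "{}"},
]

if __name__ == "__main__":
    for sev, text in triage(SAMPLE):
        print(f"[{sev:6}] {text}")
```

Treat the output as a worklist rather than a verdict: a credential over HTTP or Basic auth over HTTP is a finding on its own, while the stack and third-party hints are the starting point for the web application assessment described in the next section.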
Web Application Assessment
Knowing what URLs the WP8 app communicates with will allow you to perform traditional Web Application testing. Ensure the server side components are in scope and follow the usual testing methodology for assessing web apps. If your phone can access it, your browser probably can too!
You should now be able to see and modify HTTP and HTTPS requests between the WP8 app and its server side components. This visibility lets you continue information gathering and identify and verify vulnerabilities.