In the previous article we learned about Windows Phone 8 security basics and features. In this article we'll learn about Windows Phone 8 applications and how to sideload a developer-signed app onto a device.


About XAP Files


XAP is the file format used to distribute and install application software and middleware onto Microsoft's Windows Phone 7/8 operating system, and is the file format for Silverlight applications. Beginning with Windows Phone 8.1, XAP will be replaced by APPX as the file format used to install apps on the Windows Phone platform, a move which was done by Microsoft in order to unify the app development platforms for Windows Store apps and Windows Phone apps.

XAP files are ZIP file formatted packages. The MIME type associated with XAP files is application/x-silverlight-app.

Fig 1. Unzipped XAP file 

If you download an app from the store and try to unzip it, you will not be able to, because Microsoft signs every store app with DRM encryption. However, if the app is developer signed, you can easily unzip the XAP file.

Encrypted and Unencrypted XAP file

The difference between a XAP file from the app store and an unencrypted XAP can be seen by opening the XAP file headers in a text editor. A limitation of encrypted XAP files downloaded from the app store is that they cannot run in emulators. When conducting penetration tests of a Windows Phone application using emulators, you need to obtain the XAP files of the application compiled by the developer, not from the Windows Store.


Fig 2. Encrypted XAP file
       
Fig 3. Unencrypted XAP file



After some Google searching I found an unencrypted YouTube XAP file on the xda-developers forum, which helps us understand encrypted and unencrypted applications and the difference between them.
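The header comparison described above can also be scripted. The following is an added example, not code from the original article: it checks whether a XAP starts with the ZIP signature, opens it, and lists the assemblies available for static analysis. The sample packages are constructed in memory, and the function names and the `WMAppManifest.xml` root-level check are assumptions of this sketch.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def classify_xap(data: bytes) -> dict:
    """Report whether XAP bytes are a readable ZIP and what they contain."""
    report = {"is_zip": False, "entries": [], "assemblies": [],
              "has_manifest": False}
    if not data.startswith(ZIP_MAGIC):
        return report          # opaque header: not a plain ZIP package
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = sorted(zf.namelist())
    except zipfile.BadZipFile:
        return report          # ZIP magic present but archive is damaged
    report["is_zip"] = True
    report["entries"] = names
    # Assemblies are what a tester would hand to static analysis.
    report["assemblies"] = [n for n in names if n.lower().endswith(".dll")]
    # Assumption: WP8 packages keep WMAppManifest.xml at the archive root.
    report["has_manifest"] = "WMAppManifest.xml" in names
    return report


def build_sample_xap() -> bytes:
    """Constructed stand-in for a developer-built XAP (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WMAppManifest.xml", "<Deployment/>")
        zf.writestr("AppManifest.xaml", "<Deployment/>")
        zf.writestr("SampleApp.dll", b"constructed placeholder bytes")
    return buf.getvalue()


# Constructed opaque bytes standing in for a package that is not a plain ZIP.
OPAQUE_SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    for label, blob in (("developer build", build_sample_xap()),
                        ("opaque package", OPAQUE_SAMPLE),
                        ("truncated zip", build_sample_xap()[:40])):
        print(label, classify_xap(blob))
```

A package reported with `is_zip` false will not unzip and, per the article, will not run in an emulator, so request the developer build instead.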

Sideloading developer signed app


If you want to perform security testing on your client's applications on un-rooted devices, you have to ask the client for their developer-signed app. By sideloading the app you can perform dynamic as well as static analysis.

If you download or install an app from the store, you will only be able to perform dynamic analysis on it. To analyze the internal file system (isolated storage only) you need the developer-signed app. In a later blog post we will learn how to inspect isolated storage.

You can sideload your developer-signed app using the Application Deployment app, which is installed on your system along with the SDK.

Search your system for “Application Deployment” and open the application. If you cannot find the app, go to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment, where you can run XapDeploy.exe.


Fig 4. Application Deployment App

You can sideload any developer-signed app onto your device using this application.

Windows Power Tool


Windows Power Tool is very useful when pentesting WP8 applications. It was developed for developers to deploy and test applications, check isolated storage and perform other useful functions. You can download this application from CodePlex.

However, I have often hit the error below while installing Windows Power Tool, and you may face the same issue.


Fig 5. Windows Power Tool Error 


So it is better to install the offline file, which you can find on the XDA Developers forum. Download the WPPowerToolsStandaloneAmir.zip file and extract it.

Now run the WindowsPhonePowerTools.exe file.


Fig 6. Windows Power Tool


To connect your device to Windows Power Tool, unlock your screen and then click Connect.

Once you have successfully connected to Windows Power Tool, you can install your developer XAP files and perform other tasks useful for analyzing the application.


Fig 7. Windows Power tool feature.



Deploy XAPs easily with WPV Xap Deployer


Project My Screen App


Microsoft has developed an application for projecting the phone screen to an external display; connect the phone to your system with a USB cable to project the phone display on the system.

This app is useful when pentesting Windows mobile applications because it shows the phone display on our system.

You can download the application from the Microsoft site: Project My Screen App


Fig 8. Project My screen Application.



Conclusion

In this article we gained an understanding of how WP8 applications are packaged and distributed. We also now know how to sideload a developer-signed app onto a device. In the next article we will learn how to do dynamic analysis on a WP8 application using a device.
