In the previous article we learned about Windows Phone 8 security basics and features. In this article we'll learn about Windows Phone 8 applications and sideloading a developer-signed app onto a device.


About XAP Files


XAP is the file format used to distribute and install application software and middleware onto Microsoft's Windows Phone 7/8 operating system, and is the file format for Silverlight applications. Beginning with Windows Phone 8.1, XAP is replaced by APPX as the file format used to install apps on the Windows Phone platform, a move Microsoft made in order to unify the app development platforms for Windows Store apps and Windows Phone apps.

XAP files are ZIP file formatted packages. The MIME type associated with XAP files is application/x-silverlight-app.

Fig 1. Unzipped XAP file 

If you download an app from the store and try to unzip it, you will not be able to. This is because Microsoft signs every app with DRM encryption. However, if the app is developer signed, you can easily unzip the XAP file.

Encrypted and Unencrypted XAP file

The difference between a XAP file from the app store and an unencrypted XAP can be inspected by opening the XAP file headers in a text editor. A limitation of encrypted XAP files downloaded from the app store is that they cannot run in emulators. When conducting penetration tests of a Windows Phone application using emulators, it is required to obtain the XAP files of the application as compiled by the developer, not from the Windows Store.


Fig 2. Encrypted XAP file
Fig 3. Unencrypted XAP file
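
The header check described above can be scripted. This is an added example, not code from the original article: it reads the first bytes of a XAP, reports whether the package is a plain ZIP, and for an unencrypted package lists its files, assemblies and the capabilities declared in the manifest. The manifest name WMAppManifest.xml at the package root, the sample package and the non-ZIP placeholder bytes are assumptions constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"      # ZIP local-file-header signature
MAX_MANIFEST = 1024 * 1024     # refuse oversized manifests (zip-bomb guard)

def triage_xap(data: bytes) -> dict:
    """Classify a XAP blob; if it is a plain ZIP, summarise what is inside."""
    report = {"header": data[:4].hex(), "unencrypted": False,
              "files": [], "assemblies": [], "capabilities": []}
    buf = io.BytesIO(data)
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(buf):
        # Not a readable ZIP: consistent with a store (DRM-protected) package
        # or a damaged file. Nothing to unpack for static analysis.
        return report
    with zipfile.ZipFile(buf) as xap:
        report["unencrypted"] = True
        report["files"] = sorted(xap.namelist())
        report["assemblies"] = [n for n in report["files"]
                                if n.lower().endswith(".dll")]
        # Assumption: the manifest sits at the package root under this name.
        name = "WMAppManifest.xml"
        if name in report["files"] and xap.getinfo(name).file_size <= MAX_MANIFEST:
            root = ET.fromstring(xap.read(name))
            report["capabilities"] = sorted(
                el.get("Name") for el in root.iter()
                if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name"))
    return report

def build_sample_xap() -> bytes:
    """Constructed sample standing in for a developer-signed XAP."""
    manifest = (b'<Deployment><App><Capabilities>'
                b'<Capability Name="ID_CAP_NETWORKING"/>'
                b'<Capability Name="ID_CAP_ISV_CAMERA"/>'
                b'</Capabilities></App></Deployment>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("WMAppManifest.xml", manifest)
        z.writestr("SampleApp.dll", b"MZ constructed placeholder")
    return out.getvalue()

# Constructed placeholder bytes, NOT a real store header: just "not a ZIP".
OPAQUE_SAMPLE = b"\x00\x01constructed-non-zip-package" * 4

if __name__ == "__main__":
    for label, blob in (("developer", build_sample_xap()),
                        ("store-like", OPAQUE_SAMPLE)):
        print(label, triage_xap(blob))
```

The declared capabilities give a quick view of what the app is allowed to touch before any dynamic testing starts.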



After some Google searching I found an unencrypted YouTube XAP file on the xda-developers forum, which helps us understand encrypted and unencrypted applications and the difference between them.

Sideloading developer signed app


If you want to perform security testing on your client's applications on un-rooted devices, you have to ask the client for the developer-signed app; by sideloading it you can perform dynamic as well as static analysis.

If you download or install the app from the store, you will only be able to perform dynamic analysis on it. To analyze the internal file system (isolated storage only) you need the developer-signed app. In a later blog post we will learn how to inspect isolated storage.

You can sideload your developer-signed app using the Application Deployment app, which is installed on your system along with the SDK.

Search your system for “Application Deployment” and open the application. In case you cannot find the app, go to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XAP Deployment, where you can run XapDeploy.exe.


Fig 4. Application Deployment App

You can take any developer-signed app and sideload it onto your device using this application.

Windows Power Tool


Windows Power Tool is very useful while pentesting a WP8 application. It was developed for developers to deploy applications, test them, check isolated storage and perform other useful functions. You can download this application from CodePlex.

However, I have often faced the error below while installing Windows Power Tool; you may face the same issue.


Fig 5. Windows Power Tool Error 


So it's better to install the offline file, which you can find on the XDA Developers forum. Download the WPPowerToolsStandaloneAmir.zip file and extract it.

Now run the WindowsPhonePowerTools.exe file.


Fig 6. Windows Power Tool


In order to connect your device to Windows Power Tool, you have to unlock your screen and then click on Connect.

After you have successfully connected to Windows Power Tool, you can install your developer XAP files and perform other useful tasks for analyzing the application.


Fig 7. Windows Power tool feature.



Deploy XAPs easily with WPV Xap Deployer


Project My Screen App


Microsoft has developed an application that lets users project the phone screen to an external display: connect the phone to a system with a USB cable to project the phone display on that system.

This app is useful during a pentest of a Windows mobile application, to get the phone display on our system.

You can download the application from the Microsoft site: Project My Screen App


Fig 8. Project My screen Application.



Conclusion

In this article we gained an understanding of how WP8 applications are packaged and distributed. We also now know how to sideload a developer-signed app onto a device. In the next article we will learn how to do dynamic analysis on a WP8 application using a device.

46 comments

  1. Detecvision Provide best mobile application development services in India. We Provide complete solution for mobile application like IOS Application development, Android application development and web application development company in Delhi, India.

    1. Very nice information
      Prometteur solution is the best Android smartphone application design company in France. We provide mobile application development services in Paris, France.

      Android application design and development company in France, Paris |
      Android application design company in France |
      Android application design company in Paris

  2. Very Thanks for information and Best content is in this blog.
    Mobile Apps Development

  3. Android is the best platform to work over and we are having a cheerful and hardworking team of Android application developers for serving your business with the latest and out of box apps. Being an, Android Apps Development Company, we provide our clients with quality and creative Android application development services that turn the use of Android device into something that is smarter and superior.

  5. Very nice, I like the way you explained. I also wrote something on similar lines on what we need to know about Security Testing. Hope you would like it - http://bit.ly/1RtuiEX

  6. Thanks for sharing the info, keep up the good work going.... I really enjoyed exploring your site. good resource...
    Window Replacement

  7. Thank you for the look into mobile application security testing! In forums I've participated in, users often say application security testing is not necessary because developers should have made their applications secure in the first place. Mobile App Creation

  8. Really such an impressive and informative post about testing of windows mobile application security. windows app development company jaipur

  10. The market share of mobile user devices will certainly increase in the next five to ten years and the risks are also expected to increase in number and complexity so it's better for us to be prepared and be knowledgeable about this. If we choose to ignore it, malicious applications might pose a bigger threat and hurt and it would be shocking if we are not yet ready to face all of this.


    Mobile Application Security

  11. It is quite beneficial, although think about the facts when it reaches this target.




    iPhone App Development Company Australia

  13. Mobile device security is very serious issue. You cannot be 100% sure can your phone be hacked by someone

  15. This is really an important blog with many helpful information. I have been searching for a long time for this types of content. Keep up posting more and thanks for your great staff.
    web application security best practices

  16. Enpersol Technologies provide best Mobile App Development Services, it is no. 1 Mobile App Development Company in Indore.

  17. We thought about offering popcorn, pop, and sweet nearby our Mobile App Development in Los Angeles. Our specialization is Mobile App based game plans. We offer end-to-end courses of action from necessities progression, Mobile App Security and utilization.

  18. I am new to mobile app security
    so can you help me out learning the moblizer
    can you help me out in performing reverse engineering

  19. Buy high quality Mobile Covers & Cases Online; Tempered Glass screen protectors online. We give unmatched premium protection to your mobile, iPad and MacBook.
    buy Mobile Cases

  20. That was an extremely interesting blog. The level of information your blogs provide is par excellence. Thanks for sharing your thoughts with us.

    Mobile Application Company In Delhi

  21. Your article about Mobile application security testing is amazing, actually we are also running a blog series about application security so this will be helpful for us.

  22. Thank you for sharing. This article is very helpful and Inspirational. Excellent!


    Mobile App Developer

  23. Excellent website. Lots of useful information here, thanks in your effort! . For more information please visit
    Low Cost Mobile Applications In India

  24. A priority should be given to a faster and better development framework that builds, develops and designs your business application without taking a long time.

    Xamarin mobile app development services

  25. However, stay up the nice quality writing, it is uncommon to see a nice blog like this one...Great Information!!! App Development Company in Bangalore

  26. Thanks for sharing this blog and it's useful to all new developers and it clear my all doubt. I know one of the best web and mobile app development company in Chennai they have over 5+year of experience in web development services and mobile app services and their web developers are highly skilled in this services. if you're looking for development services at best prices and on time delivery with great UI and UX, I highly recommend this company, they will fully satisfy your expectation. Their developers are skilled in many frameworks like laravel, angular js, node js, vue js, MongoDB.

    Also, they provide best services in web designing, web application development, mobile app development for android, ios, hybrid app development, digital marketing services and outsourcing

  27. I read your articles, very excellent, and I agree with all your points because very good information is provided through the post. IOS Application Development Company in Rajasthan

  28. Hi Dear,

    I Like Your Blog Very Much. I see Your Blog Daily, it is Very Useful For me.

    You can also Find application development company

    Brossarddesign is one of the best mobile application development company in Toronto & Montreal. We have the latest range of designs to create your iOS & android mobile app.

    Visit Now - http://brossarddesign.com

  29. Well having such a wonderful content on the blog, that will help us and others to learn some important things about security.
    Bluetooth speaker online

  30. At first thanks for writing meaningful content on the blog. It is useful for us and it will be also very helpful for others. keep it up.
    Best Micro USB Cables


  32. Just the right and informative post to read. Thanks for sharing the informative post.
    How to Develop Mobile Application?

  33. The iPhone developers who work in companies begin getting acquainted with the latest technologies a long time before the technologies are actually launched.

    iOS App Development Company in India

  34. Nice blog..! I really loved reading through this article... Thanks for sharing such an amazing post with us and keep blogging...
    mobile app training institutes

  35. I really appreciate your hard work and giving us some information and inspiring others to follow.
    low cost mobile application development in hyderabad


  36. Very informative and well written post! Quite interesting and nice topic chosen for the post. Nice Post, keep it up. Excellent post. I want to thank you for this informative post. I really appreciate sharing this great post. Keep up your work.

    Best Mobile Applications Company In Hyderabad

  37. Maxwell Global Software is the Top & Best Mobile Application Development Company in Bahrain, Android and IOS Application Development Company in Bahrain, Tablet App Designing and Development Company in Bahrain & World Wide. Mobile App Development In Bahrain

  38. Nice blog and absolutely outstanding. You can do something much better but I still say this is perfect. Keep trying for the best. Hire iPhone Developers India

  39. Search Engine Optimization company in Sri lanka, providing SEO solutions, internet marketing as well as web promotion services. We are one of the leading SEO companies in Sri Lanka. Apart from SEO services we also provide PPC (Pay Per Click), Analytics, Web Design & Architecture, SMM.SEO Service In Sri Lanka

  40. Good information about mobile applications. Good image explanations you have included. Thank you.

    Best Mobile Applications Company in Hyderabad

  41. Maxwell Global Software is one of the best mobile app development companies in Manama Bahrain provides iPhone app development, Android app development, Windows app development and Blackberry app development.Hybrid App Development
