at February 22, 2016

In this blog post will going to learn how will perform Dynamic analysis on Windows phone 8 Mobile applications. Previous article we learned WP8 applications and sideloading developer signed apps.

Dynamic Analysis


Dynamic analysis is way to audit any mobile applications communication which application can communicate or give away data in two way communicating with server or storing to and loading from device storage. We can dive into how to intercept request using proxy tool and how to analysis isolated storage data into device. We can analysis traffic between device and server by intercepting and modifying parameter. For application storage we can just observe the results the data that application has saved.

OWASP Zed Attack Proxy (ZAP)


Most of them are familiar with Zap proxy and using while doing Application penetration testing. Zap proxy is powerful proxy tool for intercepting traffic between client and server. It is open source tool. You can download from here.


Fig 1. ZAP proxy tool.

Intercept HTTP and HTTPS Traffic


In order to setup zap proxy and intercept request you have to install zap proxy properly. It is important to connect you system and device with same wifi network.

Check your system IP address, if you connected with Wifi you should also connect your device with same Wifi.


Fig. 2 System interface IP address.


Now you have to put your interface IP address inside zap proxy setting. Go to Tools > Options (Ctrl+Alt+O) > Local proxy

Address would be your system interface IP address (in my case 192.168.198.1)

Port you can put as 8080


Fig 3. ZAP proxy setup.


Now open you device and go to setting > WiFi > select your connected wifi network.


Fig 4. Device Wifi


Turn on Proxy and provide your system interface IP i.e 192.168.198.1 in Server/URL, 8080 in port and save the setting.


Fig 5. Device Wifi Setup.


Installing Certificate


It is very important to install ZAP certificate inside your device to intercept HTTPS enabled applications. Without certificate you can’t intercept the HTTPS request and response. In order to install certificate first you have to export certificate from ZAP and then install certificate by sending certificate into device using e-mail. You can also install certificate using SD card but it may not work properly.

Export the certificate from zap. Go to Tool > Options > Dynamic SSL Certificates (Ctrl+Alt+O). Now save the certificate .




Fig 6. ZAP SSL Certificate

Now you can save this certificate and send certificate using any E-mail. In device download certificate from the attached file. Make sure that the certificate extension should be .cer


Fig 7. Attached ZAP certificate in Mail.

And then install the certificate.


Fig 8. Certificate Installation.


In windows phone you can only install any one certificate at a time. Also WP8 does not provide a way to delete it later on.

After installing ZAP certificate you can able to intercept HTTPS enabled applications in your devices.

Most of peoples are comfortable with Burp proxy. In similar way you can also setup BurpProxy and certificate.

But many time burp certificates are not work properly, in this case you can use ZAP outgoing proxy to divert all HTTP/HTTPS request and response traffic via burp proxy.

Go to Tools > Options (Ctrl+Alt+O) > Connection and use proxy chain.


Fig 9. Setup Proxy Chain.

Provide Burp proxy interface in address/Domain and port.




Fig 10. Burp Proxy


Fig 11. Intercept Facebook App HTTPS.

Now you can able to intercept any application in device in order to do dynamic analysis.

Conclusion :


In this article we learned how we setup proxy with Windows Phone and intercept HTTPS request and response in order to perform Dynamic analysis on applications. Next article we learn analysis of Isolated storage or windows internal file system using Windows power tool.

Tags: , , , ,

RELATED POSTS

Author

Information Security Professional and Independent Researcher and working for Ethical Hacking. Identify security vulnerabilities and weaknesses in the target applications, establish the business impact and ease of exploitation associated with each issue identified, and provide appropriate remedial recommendations that should be implemented in order to mitigate the impact of the issues identified.

15 comments

  1. Unknown14 April 2016 at 01:24

    It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing.
    Window Replacement

    ReplyDelete
  2. Unknown25 May 2016 at 03:05

    Very helpful post, thanks for sharing!!

    Mobile Application Development Company India

    ReplyDelete
  3. Unknown8 June 2016 at 00:09

    As per the increased number of mobile data breaches, it becomes important to avail mobile security solutions to protect it from undefined attacks. Thank you for sharing a very nice blog about window mobile application security testing as you have described each and everything very nicely.
    Avyaan

    ReplyDelete
  4. aerona15 August 2016 at 04:09

    This comment has been removed by the author.

    ReplyDelete
  5. aerona15 August 2016 at 04:11

    Amazing content. I bookmarked it for future reference.



    apple iphone development

    ReplyDelete
  6. Unknown28 June 2017 at 06:00

    Buy high quality Mobile Covers & Cases Online; Tempered Glass screen protectors online. We give unmatched premium protection to your mobile, iPad and MacBook.
    buy Mobile Cases

    ReplyDelete
  7. Anshad8 August 2017 at 08:20

    https://security-testing1.blogspot.com/2017/08/how-to-intercept-android-app-using-zap.html

    ReplyDelete
  8. Unknown5 September 2017 at 23:58

    OWASP has also dropped their long time vulnerability due to its lack of importance in present day application security. They probably thought that it could be replaced by a more contemporary one.

    OWASP has merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017- A4: Broken Access Control.

    Here I am sharing about owasp 2013 vs owasp 2017 and Web application security testing hope it will be helpful for you all.

    ReplyDelete
  9. Unknown9 February 2018 at 03:31

    Buy online power banks for mobile at Low Price. Shop Power bank with 10000, 4000, 5100, 5200 mAh With Axl Brand & more with Great Discount price.
    online power banks for mobile

    ReplyDelete
  10. Unknown14 February 2018 at 03:40

    When you will read the article on blog you will understand about how the tester check each and every things of mobile application.
    MSI gaming motherboards price in India

    ReplyDelete
  11. Charli Smith15 February 2018 at 00:05

    Very informative article which is about the software and i must bookmark it, keep posting interesting articles.
    desarrollo de software

    ReplyDelete
  12. Unknown26 March 2018 at 04:02

    Meilleure information donne à nos blogs
    Prometteur Solution est la meilleure agence de développement d'applications mobiles en France.
    société de développement d'applications mobiles en France
    meilleure société de développement d'applications mobiles à Paris

    ReplyDelete
  13. Unknown30 March 2018 at 02:09

    Your post is just outstanding! thanks for such a post,its really going great and great work.
    Sdaemon Infotech Pvt Ltd Pune
    Top Web Development Company in Pune
    Mobile Application Development

    ReplyDelete
  14. Grepix4 April 2018 at 05:58

    Mobile application technology is in demand,so thanks to share this information.connect with Top mobile app development company in India for best app development services .

    ReplyDelete
  15. Unknown4 April 2018 at 23:39


    That is very interesting; you are a very skilled blogger. I have shared your website in my social networks! A very nice guide. I will definitely follow these tips. Thank you for sharing such detailed article.
    Best Mobile Applications Company In Hyderabad

    ReplyDelete

Note: only a member of this blog may post a comment.

Powered by Blogger.

Copyright © All Rights Reserved / Designed By: Templatezy | Blogger Templates