In this blog post will going to learn how will perform Dynamic analysis on Windows phone 8 Mobile applications. Previous article we learned WP8 applications and sideloading developer signed apps.

Dynamic Analysis

Dynamic analysis is way to audit any mobile applications communication which application can communicate or give away data in two way communicating with server or storing to and loading from device storage. We can dive into how to intercept request using proxy tool and how to analysis isolated storage data into device. We can analysis traffic between device and server by intercepting and modifying parameter. For application storage we can just observe the results the data that application has saved.

OWASP Zed Attack Proxy (ZAP)

Most of them are familiar with Zap proxy and using while doing Application penetration testing. Zap proxy is powerful proxy tool for intercepting traffic between client and server. It is open source tool. You can download from here.

Fig 1. ZAP proxy tool.

Intercept HTTP and HTTPS Traffic

In order to setup zap proxy and intercept request you have to install zap proxy properly. It is important to connect you system and device with same wifi network.

Check your system IP address, if you connected with Wifi you should also connect your device with same Wifi.

Fig. 2 System interface IP address.

Now you have to put your interface IP address inside zap proxy setting. Go to Tools > Options (Ctrl+Alt+O) > Local proxy

Address would be your system interface IP address (in my case

Port you can put as 8080

Fig 3. ZAP proxy setup.

Now open you device and go to setting > WiFi > select your connected wifi network.

Fig 4. Device Wifi

Turn on Proxy and provide your system interface IP i.e in Server/URL, 8080 in port and save the setting.

Fig 5. Device Wifi Setup.

Installing Certificate

It is very important to install ZAP certificate inside your device to intercept HTTPS enabled applications. Without certificate you can’t intercept the HTTPS request and response. In order to install certificate first you have to export certificate from ZAP and then install certificate by sending certificate into device using e-mail. You can also install certificate using SD card but it may not work properly.

Export the certificate from zap. Go to Tool > Options > Dynamic SSL Certificates (Ctrl+Alt+O). Now save the certificate .

Fig 6. ZAP SSL Certificate

Now you can save this certificate and send certificate using any E-mail. In device download certificate from the attached file. Make sure that the certificate extension should be .cer

Fig 7. Attached ZAP certificate in Mail.

And then install the certificate.

Fig 8. Certificate Installation.

In windows phone you can only install any one certificate at a time. Also WP8 does not provide a way to delete it later on.

After installing ZAP certificate you can able to intercept HTTPS enabled applications in your devices.

Most of peoples are comfortable with Burp proxy. In similar way you can also setup BurpProxy and certificate.

But many time burp certificates are not work properly, in this case you can use ZAP outgoing proxy to divert all HTTP/HTTPS request and response traffic via burp proxy.

Go to Tools > Options (Ctrl+Alt+O) > Connection and use proxy chain.

Fig 9. Setup Proxy Chain.

Provide Burp proxy interface in address/Domain and port.

Fig 10. Burp Proxy

Fig 11. Intercept Facebook App HTTPS.

Now you can able to intercept any application in device in order to do dynamic analysis.

Conclusion :

In this article we learned how we setup proxy with Windows Phone and intercept HTTPS request and response in order to perform Dynamic analysis on applications. Next article we learn analysis of Isolated storage or windows internal file system using Windows power tool.


  1. It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing.
    Window Replacement

  2. As per the increased number of mobile data breaches, it becomes important to avail mobile security solutions to protect it from undefined attacks. Thank you for sharing a very nice blog about window mobile application security testing as you have described each and everything very nicely.

  3. This comment has been removed by the author.

  4. Amazing content. I bookmarked it for future reference.

    apple iphone development

  5. Pretty article! I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing..
    Mobile App Development Company
    Android app Development Company
    ios app development Company
    Mobile App Development Companies

  6. Usually I do not read post on blogs, but I would like to say that this write-up very forced me to try and do it! Your writing style has been surprised me. Great work admin.Keep update more blog.
    Mobile App Development Company
    Android app Development Company
    ios app development Company
    Mobile App Development Companies

  7. Thanks for posting useful information.You have provided an nice article, Thank you very much for this one. And i hope this will be useful for many people.. and i am waiting for your next post keep on updating these kinds of knowledgeable things...Really it was an awesome article...very interesting to read..
    please sharing like this information......
    Android training in chennai
    Ios training in chennai

  8. Buy high quality Mobile Covers & Cases Online; Tempered Glass screen protectors online. We give unmatched premium protection to your mobile, iPad and MacBook.
    buy Mobile Cases

  9. Car Detailing and Paint Protection film for Supercars, Classic Cars and Prestige Cars by Highly Skilled and Experienced Car Detailers. call us: 011-45129999
    Car Detailing Services in delhi


  11. OWASP has also dropped their long time vulnerability due to its lack of importance in present day application security. They probably thought that it could be replaced by a more contemporary one.

    OWASP has merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017- A4: Broken Access Control.

    Here I am sharing about owasp 2013 vs owasp 2017 and Web application security testing hope it will be helpful for you all.

  12. Nice Information provided in the blog
    #Bestmobileappdevelopmentagency firm in #Paris which provides custom #Android, #Iphone, #Ios application development services in #France #Paris, #Lyon, #Toulouse, #Nantes, #Strasbourg, #Bordeaux, #Lille
    Best Mobile App Development Agency Paris

  13. Your post is just outstanding! thanks for such a post,its really going great and great work.
    Web Designing Company Bangalore | Website Design Company Bangalore

  14. Your blog is very informative and gracefully. Your guideline is very good. Thank you Mobile Application Development Company in Bangalore

  15. Buy online power banks for mobile at Low Price. Shop Power bank with 10000, 4000, 5100, 5200 mAh With Axl Brand & more with Great Discount price.
    online power banks for mobile

  16. When you will read the article on blog you will understand about how the tester check each and every things of mobile application.
    MSI gaming motherboards price in India

  17. Very informative article which is about the software and i must bookmark it, keep posting interesting articles.
    desarrollo de software

  18. Meilleure information donne à nos blogs
    Prometteur Solution est la meilleure agence de développement d'applications mobiles en France.
    société de développement d'applications mobiles en France
    meilleure société de développement d'applications mobiles à Paris

  19. Your post is just outstanding! thanks for such a post,its really going great and great work.
    Sdaemon Infotech Pvt Ltd Pune
    Top Web Development Company in Pune
    Mobile Application Development

  20. Mobile application technology is in demand,so thanks to share this information.connect with Top mobile app development company in India for best app development services .


  21. That is very interesting; you are a very skilled blogger. I have shared your website in my social networks! A very nice guide. I will definitely follow these tips. Thank you for sharing such detailed article.
    Best Mobile Applications Company In Hyderabad

  22. nice blog I really appricate the blogger
    Cylon Technologies is best Mibile Applications 'Development Company in Michigan  The management’s role at Cylon Technologies is to empower employees to believe in the power of ideas.


Note: only a member of this blog may post a comment.

Powered by Blogger.