<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments for Security Ninja</title>
	<atom:link href="http://www.securityninja.co.uk/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityninja.co.uk</link>
	<description>Security research, news and guidance</description>
	<lastBuildDate>Mon, 23 Jan 2012 08:29:38 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
	<item>
		<title>Comment on Windows Phone App Analyser v1.0 released today by Security Ninja</title>
		<link>http://www.securityninja.co.uk/application-security/windows-phone-app-analyser-v1-0-released-today-2/comment-page-1/#comment-11752</link>
		<dc:creator>Security Ninja</dc:creator>
		<pubDate>Mon, 23 Jan 2012 08:29:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.securityninja.co.uk/?p=2413#comment-11752</guid>
		<description>Hi Markus,

Thanks for the comment. It&#039;s certainly not a revolutionary tool by any means but I hate doing things manually that I can automate and I know the keyword highlighting, being able to execute other tools etc within one tool has been beneficial to me as a security code reviewer in the past.

Thanks for the two tools/links you posted as well. I&#039;ve taken a quick look at those and your tool in particular I think is very interesting. If you are interested in working with me to include similar functionality in WPAA let me know because I think that kind of thing along with the existing functionality would be awesome for a code reviewer to have in one single tool!

SN</description>
		<content:encoded><![CDATA[<p>Hi Markus,</p>
<p>Thanks for the comment. It&#8217;s certainly not a revolutionary tool by any means but I hate doing things manually that I can automate and I know the keyword highlighting, being able to execute other tools etc within one tool has been beneficial to me as a security code reviewer in the past.</p>
<p>Thanks for the two tools/links you posted as well. I&#8217;ve taken a quick look at those and your tool in particular I think is very interesting. If you are interested in working with me to include similar functionality in WPAA let me know because I think that kind of thing along with the existing functionality would be awesome for a code reviewer to have in one single tool!</p>
<p>SN</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Windows Phone App Analyser v1.0 released today by Markus</title>
		<link>http://www.securityninja.co.uk/application-security/windows-phone-app-analyser-v1-0-released-today-2/comment-page-1/#comment-11751</link>
		<dc:creator>Markus</dc:creator>
		<pubDate>Mon, 23 Jan 2012 08:18:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.securityninja.co.uk/?p=2413#comment-11751</guid>
		<description>Hi SN!

Pretty nice tool you&#039;ve made there :) My normal workflow included the manual extraction of the XAP file, followed by loading the DLL files into IlSpy. Your tool greatly improves these unnecessary steps, well done!

Regarding code analysis, I want to add another good tool by Behrang Fouladi called XapSpy (http://www.sensepost.com/blog/6081.html). It allows you to monitor the called methods during the application&#039;s runtime inside the WP Emulator. Unfortunately it only works with 32-bit Windows versions because of the used libraries. It is also limited to the Emulator, as normal developer-unlocked devices do not allow attaching a console or debugger to applications without source code.

I made myself a little extension to XapSpy called XapSpyAnalysis (http://xapspyanalysis.codeplex.com), which allows you to graphically display the called methods over time. It&#039;s not very pretty and still buggy, but it&#039;s a starting point ;)

Maybe you will find these two useful.</description>
		<content:encoded><![CDATA[<p>Hi SN!</p>
<p>Pretty nice tool you&#8217;ve made there :) My normal workflow included the manual extraction of the XAP file, followed by loading the DLL files into IlSpy. Your tool greatly improves these unnecessary steps, well done!</p>
<p>Regarding code analysis, I want to add another good tool by Behrang Fouladi called XapSpy (<a href="http://www.sensepost.com/blog/6081.html" rel="nofollow">http://www.sensepost.com/blog/6081.html</a>). It allows you to monitor the called methods during the application&#8217;s runtime inside the WP Emulator. Unfortunately it only works with 32-bit Windows versions because of the used libraries. It is also limited to the Emulator, as normal developer-unlocked devices do not allow attaching a console or debugger to applications without source code.</p>
<p>I made myself a little extension to XapSpy called XapSpyAnalysis (<a href="http://xapspyanalysis.codeplex.com" rel="nofollow">http://xapspyanalysis.codeplex.com</a>), which allows you to graphically display the called methods over time. It&#8217;s not very pretty and still buggy, but it&#8217;s a starting point ;)</p>
<p>Maybe you will find these two useful.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Windows Phone App Analyser v1.0 released today by Security Ninja</title>
		<link>http://www.securityninja.co.uk/application-security/windows-phone-app-analyser-v1-0-released-today-2/comment-page-1/#comment-11750</link>
		<dc:creator>Security Ninja</dc:creator>
		<pubDate>Mon, 23 Jan 2012 07:11:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.securityninja.co.uk/?p=2413#comment-11750</guid>
		<description>Hi Tommy,

Very true, they aren&#039;t very different to Silverlight .xap files at all and I&#039;d imagine you could do the same/very similar analysis of those files with the WPAA.

The second point you made is something I considered including in the tool but then I came across this application: http://mktwp7.codeplex.com/ and decided not to reinvent the wheel. It doesn&#039;t do exactly what you were saying because it downloads free apps directly from the marketplace which is exactly what I did to test the WPAA :)

SN</description>
		<content:encoded><![CDATA[<p>Hi Tommy,</p>
<p>Very true, they aren&#8217;t very different to Silverlight .xap files at all and I&#8217;d imagine you could do the same/very similar analysis of those files with the WPAA.</p>
<p>The second point you made is something I considered including in the tool but then I came across this application: <a href="http://mktwp7.codeplex.com/" rel="nofollow">http://mktwp7.codeplex.com/</a> and decided not to reinvent the wheel. It doesn&#8217;t do exactly what you were saying because it downloads free apps directly from the marketplace which is exactly what I did to test the WPAA :)</p>
<p>SN</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Windows Phone App Analyser v1.0 released today by Tommy</title>
		<link>http://www.securityninja.co.uk/application-security/windows-phone-app-analyser-v1-0-released-today-2/comment-page-1/#comment-11746</link>
		<dc:creator>Tommy</dc:creator>
		<pubDate>Fri, 20 Jan 2012 19:30:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.securityninja.co.uk/?p=2413#comment-11746</guid>
		<description>Hi SN!

Nicely done! No exciting news for people who are familiar with application architecture of Silverlight, because the approach applies to Silverlight-XAPs as well. All the single steps are well documented in the different SDKs. But nevertheless the tool does a good job, summarizing all together to address people who just want to take a peek at WP7-XAPs without the need to dig deeper.

In my opinion the more challenging task, regarding WP7-App security analysis, is to obtain an alien XAP file from another publisher, e.g. an App I recently installed from WP7 Marketplace on my device. Does your tool offer options to get the XAP out of a phone to analyze it? I can imagine ways to get the App - maybe one may try to pull the XAP out of the network traffic, while downloading the app. I think a feature like that would be a real benefit for the tool.

Cheers,
Tommy</description>
		<content:encoded><![CDATA[<p>Hi SN!</p>
<p>Nicely done! No exciting news for people who are familiar with application architecture of Silverlight, because the approach applies to Silverlight-XAPs as well. All the single steps are well documented in the different SDKs. But nevertheless the tool does a good job, summarizing all together to address people who just want to take a peek at WP7-XAPs without the need to dig deeper.</p>
<p>In my opinion the more challenging task, regarding WP7-App security analysis, is to obtain an alien XAP file from another publisher, e.g. an App I recently installed from WP7 Marketplace on my device. Does your tool offer options to get the XAP out of a phone to analyze it? I can imagine ways to get the App &#8211; maybe one may try to pull the XAP out of the network traffic, while downloading the app. I think a feature like that would be a real benefit for the tool.</p>
<p>Cheers,<br />
Tommy</p>
]]></content:encoded>
	</item>
</channel>
</rss>

