
Windows Phone App Analyser v1.0 released today

January 20, 2012  |  Written by Security Ninja  |   Application Security, Ninja News and Updates   |   6 Comments

Hi everyone,

As we are now nearly half way through the first month of 2012 I thought I’d better write my first blog post of 2012!

If you follow me on Twitter or have liked the Security Ninja Facebook page you will have seen that I was doing some Windows Phone 7 app development over Christmas. I have actually published two apps into the Windows Marketplace and I have a few more app ideas as well!

The main reason I wanted to do the WP7 app development was to increase my knowledge of the WP7 application development and submission process. I have done a lot of mobile security research and have even presented on Android and iOS security, but I didn't want to assume that knowledge would apply to WP7, so I got my hands dirty with some app development!

Even though my apps are pretty basic functionality-wise, building them allowed me to learn a bit more about how WP7 apps are developed and put together. That in turn helped me understand how to start security code reviewing these applications when you have the source code. In an ideal world, if you have been tasked with performing a security code review you will have the source code, but that isn't always true, so I felt it was important to understand how to turn the .xap (the finished app file) back into source code.

I had added functionality to do this for Android .apk files to a recent release of Agnitio, so I had a good idea of how to approach this. It turns out that WP7 .xap files are easier, or at least require less work, to turn back into the original source code than Android .apk files.

When you try to reverse engineer a .apk file (and remember you should never do this to software/apps that you don’t own or have permission to reverse engineer) you would do the following things (this is how Agnitio works):

1) Unzip the .apk file

2) Decompress the AndroidManifest.xml file

3) Convert the classes.dex file into a .jar file

4) Decompile the .jar file so you have the Java source code

Things are much simpler when it comes to WP7 .xap files. When you build your WP7 app in Visual Studio, all the files for your app (.XAML and .NET code) are compiled into a single DLL file. Any images or external DLLs you add to the project are included in the .xap file, but not as part of your app DLL file. I have included an image below which shows the content of my Security News .xap file:

You can see that the .xap file includes a couple of additional files on top of the images and DLLs I explained above. The AppManifest.xaml and WMAppManifest.xml files are created automatically, and I will touch briefly on the contents of the WMAppManifest.xml file later in this post.

We can get back to the original source code easier than we can with our Android .apk file; in fact we just need to do two things:

1) Unzip the .xap file

2) Decompile your application .dll file

Even though we only have to do two things to get back to the original source code I still hate doing manual work I know I can automate. That’s why I developed and would now like to introduce the Windows Phone App Analyser!

The Windows Phone App Analyser is similar to the static analysis tab in Agnitio. If you browse to any C# .cs files and click scan you will see the keyword highlighting that you might be familiar with from Agnitio:

If you browse to a .xap file Windows Phone App Analyser will unzip the .xap for you. You will then see the contents of the .xap in the left hand panel:

If you click on your application's .dll file and click scan again, it will be decompiled and the left hand panel will refresh again to show you the original source code. You can then select any of the source code files and click scan again to see the code in the main panel with any keywords from the database highlighted. Click on the highlighted keywords for an explanation of why they have been highlighted, simples!

Those of you who looked at those images closely will have noticed that the biggest difference between the Windows Phone App Analyser and Agnitio is the automated review tab. If you write your WP7 apps in C# (I believe you can use F# and VB.NET if you really want to) you can launch CAT.NET and FxCop scans from the automated review tab. I'm not sure if many of the rules in these tools are useful for WP7 app reviews yet, but I thought I'd add this functionality anyway. I didn't want to deal with problems that might arise from trying to bundle tools like these with my installer, so if you want to use CAT.NET or FxCop you will need to download them yourself and browse to the installer before clicking the scan button:

You will also need to make sure the following directories/files exist on your system to use FxCop to analyse a WP7 app with or without the Windows Phone App Analyser:

C:\Program Files\Reference Assemblies\Microsoft\Framework\Silverlight\v4.0\system.dll

C:\Program Files\Reference Assemblies\Microsoft\Framework\Silverlight\v4.0\Profile\WindowsPhone\Microsoft.Phone.dll

There are likely to be other files needed as well but if you have all of the dll files in the above directories it should work fine.

I’m hoping to find a way to execute the scans from within the app analyser without needing to have these directories/files on your computer. I wanted to get this first version released quickly so it’s not perfect!

The third tool you can launch from within the Windows Phone App Analyser is the Capabilities Detection tool from Microsoft (same deal as above with downloading it yourself). Before I explain what this tool does it will probably make sense to quickly cover capabilities and the WMAppManifest.xml file I mentioned earlier in this post.

To get straight to the point, a WP7 capability is the equivalent of a permission in an Android app. There are some interesting things about capabilities that I will cover in another blog post, but for now all you need to know is that they are like permissions in Android apps. The capabilities that your app uses, such as the phone dialer (capability: ID_CAP_PHONEDIALER), will be listed in the WMAppManifest.xml file. This means that, just like the AndroidManifest.xml file, the WMAppManifest.xml file is a good place to start your security code reviews. There are many more things I want to cover about WP7 capabilities, but I will do that in another blog post soon!

So, as I mentioned above, you can launch the Capabilities Detection tool from the Windows Phone App Analyser and view the output. What this tool does is analyse your application's .dll file and list the capabilities actually used by the application. This allows you to double check that the capabilities listed in the WMAppManifest.xml file match the capabilities used by the application you are reviewing:
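The two-step .xap procedure from earlier in the post (unzip, then find the application DLL to decompile) and the capability cross-check just described, as an added Python example that is not part of WPAA or this post. It builds a constructed .xap in memory (placeholder bytes stand in for the DLL and image), lists its contents, reads the entry-point assembly out of AppManifest.xaml, pulls the declared capabilities out of WMAppManifest.xml, and diffs them against a constructed "detected" set that stands in for the Capability Detection tool's output. The decompile step itself is left to a .NET decompiler such as ILSpy. The manifest contents, ProductID, app name and capability names in the sample are all constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# Constructed AppManifest.xaml: Silverlight's deployment manifest, which names the
# entry-point assembly and lists every DLL shipped in the .xap (Deployment.Parts).
APP_MANIFEST_XAML = b"""<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="SecurityNews" EntryPointType="SecurityNews.App">
  <Deployment.Parts>
    <AssemblyPart x:Name="SecurityNews" Source="SecurityNews.dll" />
    <AssemblyPart x:Name="Microsoft.Phone.Controls" Source="Microsoft.Phone.Controls.dll" />
  </Deployment.Parts>
</Deployment>"""

# Constructed WMAppManifest.xml: the WP7 manifest that declares capabilities.
WM_APP_MANIFEST_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.1">
  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="Security News"
       RuntimeType="Silverlight" Version="1.0.0.0" Genre="apps.normal">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_PHONEDIALER" />
      <Capability Name="ID_CAP_LOCATION" />
    </Capabilities>
  </App>
</Deployment>"""

# Constructed stand-in for what the Capability Detection tool would report after
# inspecting the application DLL (not real tool output).
DETECTED_CAPABILITIES = {"ID_CAP_NETWORKING", "ID_CAP_PHONEDIALER", "ID_CAP_MEDIALIB"}


def build_sample_xap() -> bytes:
    """A .xap is just a zip archive; build one with the files the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", APP_MANIFEST_XAML)
        z.writestr("WMAppManifest.xml", WM_APP_MANIFEST_XML)
        z.writestr("SecurityNews.dll", b"MZ placeholder, not a real assembly")
        z.writestr("Microsoft.Phone.Controls.dll", b"MZ placeholder, not a real assembly")
        z.writestr("ApplicationIcon.png", b"\x89PNG placeholder, not a real image")
    return buf.getvalue()


def list_xap(xap_bytes: bytes) -> list:
    """Step 1: unzip the .xap and list what it contains."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        return sorted(z.namelist())


def read_member(xap_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        return z.read(name)


def entry_point_assembly(app_manifest_xaml: bytes) -> str:
    """Step 2 prep: pick the application's own DLL (the one to decompile) rather
    than a referenced library, by matching EntryPointAssembly to an AssemblyPart."""
    root = ET.fromstring(app_manifest_xaml)
    wanted = root.get("EntryPointAssembly")
    for part in root.findall(".//{*}AssemblyPart"):
        if part.get("{%s}Name" % XAML_NS) == wanted:
            return part.get("Source")
    raise ValueError("entry-point assembly %r not listed in Deployment.Parts" % wanted)


def declared_capabilities(wm_manifest_xml: bytes) -> set:
    """Capabilities the app declares in WMAppManifest.xml."""
    root = ET.fromstring(wm_manifest_xml)
    return {c.get("Name") for c in root.findall(".//{*}Capability")}


def compare_capabilities(declared: set, detected: set) -> tuple:
    """Return (over-declared, undeclared): declared but never used suggests the
    app asks for more than it needs; used but undeclared is a manifest mismatch
    worth raising in review."""
    return sorted(declared - detected), sorted(detected - declared)


if __name__ == "__main__":
    xap = build_sample_xap()
    print("contents:", list_xap(xap))
    print("decompile:", entry_point_assembly(read_member(xap, "AppManifest.xaml")))
    declared = declared_capabilities(read_member(xap, "WMAppManifest.xml"))
    over, under = compare_capabilities(declared, DETECTED_CAPABILITIES)
    print("declared but not detected:", over)
    print("detected but not declared:", under)
```

On the constructed sample the over-declared list is ID_CAP_LOCATION and the undeclared list is ID_CAP_MEDIALIB; on a real .xap the detected set would come from the Capability Detection tool's output rather than a hard-coded constant.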

I know many of you won’t have any .xaps lying around to try my new tool out with so I’m giving you the .xap files of my two published apps to play with. You can download those here.

I think that’s everything I wanted to cover in today’s blog post so download the WPAA.msi and try it out. Let me know what you think of it! It is a little bit rough around the edges and lacks a few features that I think are important (keyword editor, store paths to scanning tools so you don’t have to browse to them, option to automatically execute automated scans etc) but they will be included in the next couple of releases!

SN

This entry was posted on January 20, 2012 at 7:39 am and is filed under Application Security, Ninja News and Updates.

6 comments

  1. Tommy says:

    Hi SN!

    Nicely done! No exciting news for people who are familiar with the application architecture of Silverlight, because the approach applies to Silverlight XAPs as well. All the single steps are well documented in the different SDKs. But nevertheless the tool does a good job, summarizing it all together to address people who just want to take a peek at WP7 XAPs without the need to dig deeper.

    In my opinion the more challenging task, regarding WP7 app security analysis, is to obtain an alien XAP file from another publisher, e.g. an app I recently installed from the WP7 Marketplace on my device. Does your tool offer options to get the XAP out of a phone to analyze it? I can imagine ways to get the app; maybe one may try to pull the XAP out of the network traffic while downloading the app. I think a feature like that would be a real benefit for the tool.

    Cheers,
    Tommy

  2. Security Ninja says:

    Hi Tommy,

    Very true, they aren’t very different to Silverlight .xap files at all and I’d imagine you could do the same/very similar analysis of those files with the WPAA.

    The second point you made is something I considered including in the tool but then I came across this application: http://mktwp7.codeplex.com/ and decided not to reinvent the wheel. It doesn’t do exactly what you were saying because it downloads free apps directly from the marketplace which is exactly what I did to test the WPAA :)

    SN

  3. Markus says:

    Hi SN!

    Pretty nice tool you've made there :) My normal workflow included the manual extraction of the XAP file, followed by loading the DLL files into ILSpy. Your tool greatly improves these unnecessary steps, well done!

    Regarding code analysis, I want to add another good tool by Behrang Fouladi called XapSpy (http://www.sensepost.com/blog/6081.html). It allows you to monitor the called methods during the application’s runtime inside the WP Emulator. Unfortunately it only works with 32Bit Windows Versions because of the used libraries. It is also limited to the Emulator, as normal developer unlocked devices do not allow to attach a console or debugger to applications without source code.

    I made myself a little extension to XapSpy called XapSpyAnalysis (http://xapspyanalysis.codeplex.com), which allows you to graphically display the called methods over time. It's not very pretty and still buggy, but it's a starting point ;)

    Maybe you will find these two useful.

  4. Security Ninja says:

    Hi Markus,

    Thanks for the comment. It’s certainly not a revolutionary tool by any means but I hate doing things manually that I can automate and I know the keyword highlighting, being able to execute other tools etc within one tool has been beneficial to me as a security code reviewer in the past.

    Thanks for the two tools/links you posted as well. I’ve taken a quick look at those and your tool in particular I think is very interesting. If you are interested in working with me to include similar functionality in WPAA let me know because I think that kind of thing along with the existing functionality would be awesome for a code reviewer to have in one single tool!

    SN

  5. Pingback: Windows Phone 7 ‘not fit for big biz … unlike Android, iOS’ – Register | AndroBerry

  6. Pingback: Windows Phone 7 ‘not fit for big biz … unlike Android, iOS’ | Technophile
