Windows Phone Application Analyzer v1.0 Released

Friday, January 20, 2012

Security Ninja


As we are now nearly halfway through the first month of 2012 I thought I’d better write my first blog post of 2012!

If you follow me on Twitter or have liked the Security Ninja Facebook page you will have seen that I was doing some Windows Phone 7 app development over Christmas. I have actually published two apps into the Windows Marketplace and I have a few more app ideas as well!

The main reason I wanted to do the WP7 app development was to increase my knowledge of the WP7 application development and submission process.

I have done a lot of mobile security research and even presented on Android and iOS security, but I didn’t want to assume that knowledge would apply to WP7, so I got my hands dirty with some app development!

Even though my apps are pretty basic functionality-wise, building them allowed me to learn a bit more about how WP7 apps are developed and put together. That in turn helped me understand how to start security code reviewing these applications when you have the source code.

In an ideal world, if you have been tasked with performing a security code review you will have the source code, but that isn’t always true, so I felt it was important to understand how to turn the .xap (the finished app file) back into source code.

I had added functionality to do this for Android .apk files to a recent release of Agnitio so I had a good idea of how to approach this. It turns out that the WP7 .xap files are easier, or certainly require less work to turn back into the original source code than the Android .apk files.

When you try to reverse engineer a .apk file (and remember you should never do this to software/apps that you don’t own or have permission to reverse engineer) you would do the following things (this is how Agnitio works):

1) Unzip the .apk file

2) Decompress the AndroidManifest.xml file

3) Convert the classes.dex file into a .jar file

4) Decompile the .jar file so you have the Java source code

Things are much simpler when it comes to WP7 .xap files. When you build your WP7 app in Visual Studio all the files for your app (.XAML and .NET code) are compiled into a single DLL file. Any images or external DLLs you add to the project are included in the .xap file, but not as part of your app DLL file.

I have included an image below which shows the content of my Security News .xap file:

[Image: contents of the Security News .xap file]

You can see that the .xap file includes a couple of additional files on top of the images and DLLs I explained above. The AppManifest.xaml and WMAppManifest.xml files are created automatically, and I will touch briefly on the contents of the WMAppManifest.xml file later in this post.

We can get back to the original source code more easily than we can with an Android .apk file; in fact we just need to do two things:

1) Unzip the .xap file

2) Decompile your application .dll file

Even though we only have to do two things to get back to the original source code, I still hate doing manual work that I know I can automate. That’s why I developed, and would now like to introduce, the Windows Phone App Analyser!

The Windows Phone App Analyser is similar to the static analysis tab in Agnitio. If you browse to any C# .cs files and click scan you will see the keyword highlighting that you might be familiar with from Agnitio:

[Screenshot: keyword highlighting of a scanned C# file]

If you browse to a .xap file Windows Phone App Analyser will unzip the .xap for you. You will then see the contents of the .xap in the left hand panel:

[Screenshot: contents of the unzipped .xap in the left hand panel]

If you click on your application’s .dll file and click scan again it will be decompiled, and the left hand panel will refresh again to show you the original source code. You can then select any of the source code files and click scan again to see the code in the main panel with any keywords from the database highlighted. Click on the highlighted keywords for an explanation of why they have been highlighted, simples!

Those of you who looked at those images closely will have noticed that the biggest difference between the Windows Phone App Analyser and Agnitio is the automated review tab. If you write your WP7 apps in C# (I believe you can use F# and VB.NET if you really want to...) you can launch CAT.NET and FxCop scans from the automated review tab.

I’m not sure if many of the rules in these tools are useful for WP7 app reviews yet, but I thought I’d add this functionality anyway. I didn’t want to deal with problems that might arise from trying to bundle tools like these with my installer, so if you want to use CAT.NET or FxCop you will need to download them yourself and browse to the installed tool before clicking the scan button:

[Two screenshots: the automated review tab with the CAT.NET and FxCop scan options]

You will also need to make sure the following directories/files exist on your system to use FxCop to analyse a WP7 app with or without the Windows Phone App Analyser:

  • C:\Program Files\Reference Assemblies\Microsoft\Framework\Silverlight\v4.0\system.dll
  • C:\Program Files\Reference Assemblies\Microsoft\Framework\Silverlight\v4.0\Profile\WindowsPhone\Microsoft.Phone.dll

There are likely to be other files needed as well, but if you have all of the DLL files in the above directories it should work fine.

I’m hoping to find a way to execute the scans from within the app analyser without needing to have these directories/files on your computer. I wanted to get this first version released quickly so it’s not perfect!

The third tool you can launch from within the Windows Phone App Analyser is the Capabilities Detection tool from Microsoft (same deal as above: you download it yourself). Before I explain what this tool does it will probably make sense to quickly cover capabilities and the WMAppManifest.xml file I mentioned earlier in this post.

To get straight to the point, a WP7 capability is the equivalent of a permission in an Android app. There are some interesting things about capabilities that I will cover in another blog post, but for now all you need to know is that they are like permissions in Android apps.

The capabilities that your app uses, such as the phone dialer (capability: ID_CAP_PHONEDIALER), will be listed in the WMAppManifest.xml file. This means that, just like the AndroidManifest.xml file, the WMAppManifest.xml file is a good place to start your security code reviews. There are many more things I want to cover about WP7 capabilities, but I will do that in another blog post soon!

So, as I mentioned above, you can launch the Capabilities Detection tool from the Windows Phone App Analyser and view the output. What this tool does is analyse your application’s .dll file and list the capabilities used by the application.

This allows you to double check that the capabilities listed in the WMAppManifest.xml file are the capabilities used by the application you are reviewing:

[Screenshot: Capabilities Detection tool output shown in the Windows Phone App Analyser]
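The two-step .xap workflow above (unzip, then pick out the application DLL to decompile) and the manifest-versus-detected capability check can be scripted. The Python below is an added example and is not the Windows Phone App Analyser’s code: it builds a constructed .xap in memory (a made-up app called SampleApp with placeholder manifests, a placeholder ProductID and a fake DLL), lists the archive, reads the entry assembly name from AppManifest.xaml, pulls the declared capabilities out of WMAppManifest.xml and diffs them against a constructed "detected" set standing in for the Capabilities Detection tool’s output. The manifest layouts follow the WP7 format; all names and values inside them are assumptions for the demo. Decompiling the DLL itself is left to a .NET decompiler, as in the post.

```python
"""Added example: unpack a WP7 .xap and cross-check its declared capabilities.

Not the Windows Phone App Analyser's code. The .xap built here is a constructed
sample; every manifest value in it is made up for the demonstration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed AppManifest.xaml (Silverlight deployment manifest). Its
# EntryPointAssembly attribute names the DLL you would hand to a decompiler.
APP_MANIFEST_XAML = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="SampleApp" EntryPointType="SampleApp.App">
  <Deployment.Parts>
    <AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" />
  </Deployment.Parts>
</Deployment>
"""

# Constructed WMAppManifest.xml. The App element resets the default namespace
# with xmlns="", so Capability elements carry no namespace when parsed.
WM_APP_MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
            AppPlatformVersion="7.1">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}"
       Title="SampleApp" RuntimeType="Silverlight" Version="1.0.0.0"
       Genre="apps.normal" Author="example" Description="constructed sample"
       Publisher="example">
    <IconPath IsRelative="true" IsResource="false">ApplicationIcon.png</IconPath>
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_PHONEDIALER" />
      <Capability Name="ID_CAP_LOCATION" />
    </Capabilities>
    <Tasks>
      <DefaultTask Name="_default" NavigationPage="MainPage.xaml" />
    </Tasks>
  </App>
</Deployment>
"""

# Constructed stand-in for what a capability detection tool reports after
# inspecting the compiled DLL (this script does not inspect the DLL itself).
DETECTED_SAMPLE = {"ID_CAP_NETWORKING", "ID_CAP_PHONEDIALER", "ID_CAP_MICROPHONE"}


def build_sample_xap() -> bytes:
    """Return a constructed .xap: a plain zip with manifests, a fake DLL and an icon."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", APP_MANIFEST_XAML)
        z.writestr("WMAppManifest.xml", WM_APP_MANIFEST_XML)
        z.writestr("SampleApp.dll", b"MZ" + b"\x00" * 62)  # placeholder, not a real assembly
        z.writestr("ApplicationIcon.png", b"\x89PNG placeholder")
    return buf.getvalue()


def list_xap(xap_bytes: bytes) -> list:
    """Step 1 of the post: a .xap is a zip, so listing it is just reading the archive."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        return sorted(z.namelist())


def entry_assembly(xap_bytes: bytes) -> str:
    """Name of the application DLL (step 2 target) taken from AppManifest.xaml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("AppManifest.xaml"))
    return root.get("EntryPointAssembly") + ".dll"


def declared_capabilities(xap_bytes: bytes) -> set:
    """Capabilities the app declares in WMAppManifest.xml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("WMAppManifest.xml"))
    return {cap.get("Name") for cap in root.iter("Capability")}


def compare_capabilities(declared: set, detected: set) -> dict:
    """Diff declared vs detected: over-declared capabilities widen the app's
    privilege without need; undeclared-but-used ones need explaining in review."""
    return {
        "unused_declared": sorted(declared - detected),
        "undeclared_used": sorted(detected - declared),
    }


if __name__ == "__main__":
    xap = build_sample_xap()
    print("archive contents:", list_xap(xap))
    print("decompile this DLL:", entry_assembly(xap))
    declared = declared_capabilities(xap)
    print("declared capabilities:", sorted(declared))
    print("capability report:", compare_capabilities(declared, DETECTED_SAMPLE))
```

Run against a real .xap by replacing `build_sample_xap()` with the bytes of the file; the detected set would come from the Capabilities Detection tool’s output rather than the constructed `DETECTED_SAMPLE`.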

I know many of you won’t have any .xaps lying around to try my new tool out with, so I’m giving you the .xap files of my two published apps to play with. You can download those here.

I think that’s everything I wanted to cover in today’s blog post, so download the WPAA.msi and try it out. Let me know what you think of it! It is a little bit rough around the edges and lacks a few features that I think are important (keyword editor, stored paths to scanning tools so you don’t have to browse to them, option to automatically execute automated scans, etc.) but they will be included in the next couple of releases!

Cross-posted from Security Ninja
