Windows Phone Xap File Decompiler Tool

 

As we are now nearly halfway through the first month of 2012, I thought I’d better write my first blog post of 2012! If you follow me on or have liked the Security Ninja you will have seen that I was doing some Windows Phone 7 app development over Christmas. I have actually published two apps into the and I have a few more app ideas as well!


The main reason I wanted to do the WP7 app development was to increase my knowledge about the WP7 application development and submission process. I have done a lot of mobile security research and even presented about Android and iOS security, but I didn’t want to assume that knowledge would apply to WP7, so I got my hands dirty with some app development! Even though my apps are pretty basic functionality-wise, it allowed me to learn a bit more about how WP7 apps are developed and put together. That has allowed me to understand how to start security code reviewing these applications if you have the source code.

In an ideal world, if you have been tasked with performing a security code review you will have the source code, but that isn’t always true, so I felt it was important to understand how to turn the .xap (the finished app file) back into source code. I had added functionality to do this for Android .apk files to a recent release of so I had a good idea of how to approach this. It turns out that the WP7 .xap files are easier, or certainly require less work to turn back into the original source code, than the Android .apk files. When you try to reverse engineer a .apk file (and remember you should never do this to software/apps that you don’t own or have permission to reverse engineer) you would do the following things (this is how Agnitio works):

1) Unzip the .apk file
2) Decompress the AndroidManifest.xml file
3) Convert the classes.dex file into a .jar file
4) Decompile the .jar file so you have the Java source code

Things are much simpler when it comes to WP7 .xap files.


When you build your WP7 app in Visual Studio, all the files for your app (.XAML and .NET code) are compiled into a single DLL file. Any images or external DLLs you add to the project are included in the .xap file but not as part of your app DLL file. I have included an image below which shows the content of my Security News .xap file:

You can see that the .xap files include a couple of additional files on top of the images and DLLs I explained above. The AppManifest.xaml and WMAppManifest.xml files are created automatically and I will touch briefly on the contents of the WMAppManifest.xml file later in this post. We can get back to the original source code more easily than we can with our Android .apk file; in fact we just need to do two things:

1) Unzip the .xap file
2) Decompile your application .dll file

Even though we only have to do two things to get back to the original source code, I still hate doing manual work I know I can automate. That’s why I developed and would now like to introduce the Windows Phone App Analyser!

The Windows Phone App Analyser is similar to the static analysis tab in Agnitio. If you browse to any C# .cs files and click scan you will see the keyword highlighting that you might be familiar with from Agnitio. If you browse to a .xap file, Windows Phone App Analyser will unzip the .xap for you.


You will then see the contents of the .xap in the left hand panel. If you click on your application’s .dll file and click scan again it will be decompiled and the left hand panel will refresh again to show you the original source code. You can then select any of the source code files and click scan again to see the code in the main panel with any keywords from the database highlighted. Click on the highlighted keywords for an explanation of why they have been highlighted, simples!
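The unzip step described above, written out as an added example (this is not the Windows Phone App Analyser's own code). It assumes the Silverlight deployment manifest layout for AppManifest.xaml (an `EntryPointAssembly` attribute plus `AssemblyPart` entries), which the post does not describe, and it runs on a constructed sample .xap with placeholder file contents. The decompile step is left to a .NET decompiler.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Namespaces of the Silverlight deployment manifest (assumed, not from the post).
DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"
XAML_NS = "{http://schemas.microsoft.com/winfx/2006/xaml}"

def build_sample_xap():
    """Constructed stand-in for a real .xap; DLL and image bytes are placeholders."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
        'EntryPointAssembly="SampleApp" EntryPointType="SampleApp.App">'
        '<Deployment.Parts>'
        '<AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" />'
        '<AssemblyPart x:Name="ThirdParty" Source="ThirdParty.dll" />'
        '</Deployment.Parts></Deployment>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("WMAppManifest.xml", "<Deployment />")
        z.writestr("SampleApp.dll", b"MZ-placeholder")
        z.writestr("ThirdParty.dll", b"MZ-placeholder")
        z.writestr("Images/icon.png", b"png-placeholder")
    return buf.getvalue()

def triage_xap(xap_bytes, out_dir):
    """Unzip a .xap and return (app_dll, other_dlls, other_files)."""
    out_dir = Path(out_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        for name in names:
            # Refuse entries such as "../x" that would land outside out_dir.
            target = (out_dir / name).resolve()
            if out_dir not in target.parents:
                raise ValueError(f"entry escapes output directory: {name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(z.read(name))
        root = ET.fromstring(z.read("AppManifest.xaml"))
    entry = root.get("EntryPointAssembly")
    app_dll = None
    for part in root.iter(DEPLOY_NS + "AssemblyPart"):
        if part.get(XAML_NS + "Name") == entry:
            app_dll = part.get("Source")  # the DLL to hand to the decompiler
    dlls = [n for n in names if n.lower().endswith(".dll") and n != app_dll]
    rest = [n for n in names if not n.lower().endswith(".dll")]
    return app_dll, sorted(dlls), sorted(rest)
```

The path check matters when the .xap comes from an untrusted source, since a .xap is an ordinary ZIP archive and its entry names are attacker-controlled.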


Those of you who looked at those images closely will have noticed that the biggest difference between the Windows Phone App Analyser and Agnitio is the automated review tab. If you write your WP7 apps in C# (I believe you can use F# and VB.NET if you really want to) you can launch CAT.NET and FxCop scans from the automated review tab. I’m not sure if many of the rules in these tools are useful for WP7 app reviews yet, but I thought I’d add this functionality anyway.