9

I am interested in performing a penetration test of a Windows Phone 8 application for which I do not have the source code. While I can easily validate network communication security, it is more difficult to validate that the application is not storing any sensitive data insecurely.

Because there is no public jailbreak/root for Windows Phone 8 at this time, this seems to be a difficult task.

I considered that if I could install the app into the Windows Phone 8 emulator/simulator that I could use WinDbg, Process Hacker, maybe Process Monitor, or even API Monitor to determine where files are being written/read in the simulator's file system.

My purpose is to ensure a Windows Phone 8 application enforces security as this application claims, and it is difficult to perform a penetration test without root/SYSTEM access to the device.

Is it possible to monitor a Windows Phone 8 app's filesystem activity either in the simulator or on a device (without the app's source)? If so, how?

Shurmajee
  • 7,285
  • 5
  • 27
  • 59
Mick
  • 273
  • 1
  • 3
  • 11
  • More comments here: [ReverseEngineering StackExchange](http://reverseengineering.stackexchange.com/questions/1977/how-can-i-debug-or-monitor-a-windows-phone-8-application) – Mick May 13 '13 at 13:23

1 Answers1

3

I believe it is possible to jailbreak a windows 8 phone. Seeing as Microsoft can't keep people from pirating games for the XBOX 360, I don't expect Microsoft to be able to put up much of a fight in the jailbreak war.

A jailbroken device isn't the only way to conduct analysis of a mobile app. You can decompile Windows 8 apps which can shed light in their inner workings. As with iOS and Android hacking, you can MITM SSL/TLS connections by importing an your own certificate and intercept requests using a program like BURP.

rook
  • 46,916
  • 10
  • 92
  • 181