Windows Mobile Application Security – Part II

Now Next Step is accessing an application internal storage

Accessing Internal Storage of application using reg editor

Windows do not allow access to the internal storage of its application even when the “mass storage” mode is enabled.

Not Able to Access Internal Storage of Application
Failed To Access Internal Storage of Application Windows

To get an access to the internal storage we need to perform an “Interop Unlock”.
For an Interop Unlock there are various procedures mentioned in the “xda-developers” forum.
I have used simple techniques which allows an Interop unlock on windows Lumia 920 without using SD Card.

Below are the steps for the same (SD Card is not required):

  • Deploy the Application “vcREG_1_2_BOOTSTRAP.xap” using Application Deployment Tool found on location “C:\Program Files (x86) \Microsoft SDKs\Windows Phone\v8.1\Tools\AppDeploy”
    Deploy Application vcRegBootstrap
  • Go to “settings” menu in the windows device, scroll download and select the highlighted application as shown in below screenshot. It will launch Lumia Registry Editor, now go to “template” menu

Launch VReg on Windows Phone

Go to Templates Setting on Windows Phone

Check Box Interop Unlock

  • Now reconnect the device with USB J
  • Now you can access the internal storage of the application that is being mounted on your system.
    Internal Applications Storage Location: Phone\Data\PROGRAMS\{GUID}

Internal Storage Access of Application

Performing Static Analysis of XAP File

XAP is the file format used to distribute and install application software and middleware onto Microsoft’s Windows Phone 7/8/8.1/10 operating system
(Note: XAP can be installed on mobile device with the help of Application Deployment tool provided by Microsoft.)

  1. Extracting XAP file is similar to APK extraction method.
  2. Rename XAP extension with Zip and Extract the file

Extracting XAP File 1

Extracting XAP File 2

Extracting XAP File 3

Static Analysis of the Store Application

Microsoft Store do not provide any XAP file to download to check its content.
We need to perform below activities for extracting internal content of the application:

  1. Install the application using Microsoft Store and traverse to the location
    ” Phone\Data\PROGRAMS\{GUID}”
    Note: GUID is application identifier.
  2. Now we can see the application file including DLL file.

Accessing Internal Storage of Application to Extract XAP Content


  • Most of XAP files contains DLL file and other resources.
  • DLL file can be decompiled using the various available tool.
  • I have used ILSpy_Master portable tool for decompiling DLL file.

dll reverseengineer

Verify the Application Permission (Review WMAppManifest)

In Windows Phone, capabilities notify the end user of the security or privacy critical functionality required by the application. Capabilities are also used to provide the security of the least privilege chamber (LPC) and reduce the attack surface by only provisioning ACLs for what the application requires. The capabilities are configured based on the application requirement. Based on this capabilities must be reviewed. Application should only be assigned capabilities which are required to perform their functionality and any unused capabilities should be removed.

Note: You must mark the appropriate capabilities in the manifest file so that the user is correctly notified of the functionality that application uses. If you don’t mark the correct capabilities, your app may exit unexpectedly when it is being installed on a user phone.


Review Capabilities

Dynamic Analysis of Windows Application

Windows by default creates temporary location where application stores the runtime information.

Path of Temporary Location “Windows Phone\Phone\Data\Users\DefApps\APPDATA”

In the above location we may find the file containing the database(SDF) or other file format file which stores sensitive information.

Dynamic Analysis of File Strage


For intercepting the HTTPS traffic of application via Burp Suite we need to import the burp certificates on the windows phone.

First, Export Burp certificate on your operating system and then send email on windows phone device

  1. Download the certificate on mobile device as shown in below screenshot
  2. It will ask to install the certificate kindly click install.
  3. Once done configure the burp proxy and you are good to go :)
  4. Now you can intercept HTTPS traffic from your windows mobile device.







Vinesh Redkar
Vinesh Redkar
Senior Security Researcher

Security professional with over 9 years of experience in the security domain across various industries such as Finance, Insurance, Telecom, and government