
Windows Phone application analysis using Mono.Cecil

Written by bcopos on May 27, 2015.

Unlike the Android platform, the Windows Phone platform has received little attention from academia. A quick Google search shows that there are very few tools for analyzing Windows Phone applications. In this post, I will describe how Mono.Cecil can be used to build a static analysis tool for Windows Phone 8.1 applications. Specifically, I will show how Cecil can be used to determine if a given application uses the WebView component. For simplicity, the tool is implemented in IronPython.

Cecil is a library for generating and analyzing CIL format programs and libraries. Cecil is built on top of Mono, the open source implementation of Microsoft's .NET framework. Cecil is very easy to use and has a low learning curve. It essentially allows the tester to query the MSIL binary for various properties, including methods called, instructions of methods defined, etc.

Before performing any analysis, the application binary must be extracted. Luckily, the newer Windows Phone application package format (i.e. appx) can easily be opened using any zip utility (e.g. I used 7za). Note: unpacking applications in the older xap format is more difficult since the packages are encrypted and can only be decrypted on a Windows Phone device.

Once unpacked, we can access the contents of the application package. There are many components such as the manifest file and other resource files, but we are only interested in the application binary. The code below reads in the application binary and gets all the methods defined.

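			import clr
			clr.AddReference("Mono.Cecil")
			from Mono.Cecil import AssemblyDefinition

			def list_methods(path):
				# Read the unpacked application binary
				try:
					asm = AssemblyDefinition.ReadAssembly(path)
				except SystemError:
					print "failed to read assembly"
					return

				# module.Types lists top-level types only; nested types are under type.NestedTypes
				for module in asm.Modules:
					for type in module.Types:
						for method in type.Methods:
							print method.FullName

			# Raw string so the backslashes in the path are not treated as escapes
			list_methods(r"\some\app.exe")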

From here, finding whether an application uses WebView is straightforward. There are a few ways to do this; one is to walk the instructions of every method and look for a newobj opcode whose operand's declaring type is Windows.UI.Xaml.Controls.WebView. If one is found, the application (at some point) creates a WebView object.

This is just an example of what can be built using Cecil. On my GitHub, there is a repository containing a Windows Phone analysis tool which scans applications for JavaScript handlers (i.e. the bridge between JavaScript code inside a WebView and application code). If handlers are discovered, the tool checks whether the handlers call a sensitive API function and performs data flow analysis to determine whether data from JavaScript is passed as arguments to sensitive API functions (via handler arguments). The data flow analysis part is tricky since the behavior of every opcode (with respect to the stack) needs to be implemented and mimicked as the static analysis steps through the instructions of the handler.
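
The stack-mimicking data flow analysis described above, as an added example that is not code from the repository mentioned in the post. It is plain Python over (opcode, operand) tuples rather than Cecil instruction objects, handles straight-line code only, and the callee names, signatures and handler body are constructed for illustration.

```python
# Constructed sample data: callee names and signatures are hypothetical
# stand-ins, not taken from the tool described in the post.
SENSITIVE = {"Demo.Contacts::Export"}
SIGNATURES = {  # callee -> (arguments popped, pushes a return value)
    "System.String::Concat": (2, True),
    "Demo.Contacts::Export": (2, False),
}

def find_tainted_calls(instructions, tainted_args):
    """Return [(callee, [tainted argument positions])] for sensitive calls."""
    # The evaluation stack is mimicked with one taint bit per slot.
    stack, local_vars, findings = [], {}, []
    for opcode, operand in instructions:
        if opcode == "ldarg":
            stack.append(operand in tainted_args)
        elif opcode in ("ldstr", "ldc.i4", "ldnull"):
            stack.append(False)              # constants are never tainted
        elif opcode == "stloc":
            local_vars[operand] = stack.pop()
        elif opcode == "ldloc":
            stack.append(local_vars.get(operand, False))
        elif opcode == "dup":
            stack.append(stack[-1])
        elif opcode == "pop":
            stack.pop()
        elif opcode == "call":
            argc, returns_value = SIGNATURES[operand]
            args = [stack.pop() for _ in range(argc)][::-1]
            hits = [i for i, tainted in enumerate(args) if tainted]
            if operand in SENSITIVE and hits:
                findings.append((operand, hits))
            if returns_value:
                stack.append(bool(hits))     # result inherits taint
        elif opcode == "ret":
            break
        else:  # an unmodelled opcode would desynchronise the simulated stack
            raise ValueError("unmodelled opcode: %s" % opcode)
    return findings

# Constructed handler body: argument 1 is the string arriving from JavaScript.
HANDLER = [
    ("ldstr", "prefix:"),
    ("ldarg", 1),
    ("call", "System.String::Concat"),
    ("stloc", 0),
    ("ldstr", "contacts.txt"),
    ("ldloc", 0),
    ("call", "Demo.Contacts::Export"),
    ("ret", None),
]
```

Calling find_tainted_calls(HANDLER, {1}) reports that argument position 1 of the sensitive call derives from the handler argument, even though the value passed through a string concatenation and a local variable first.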