Beyond OWASP Top 10: How Virtual Devices Help Catch the Mobile Threats Traditional Testing Misses

Traditional mobile security testing often misses critical vulnerabilities. Learn how virtual devices provide the deep visibility needed to detect the sophisticated threats that basic OWASP Mobile Top 10 checks leave undetected.

Mobile app security testing has come a long way. Many development teams now check their apps against the OWASP Mobile Top 10 list as a minimum standard. But here's the hard truth: basic testing often misses critical vulnerabilities that sophisticated attackers can exploit. 

The challenge isn't just knowing what to test for; it's having the tools to observe behavior that a stock physical device simply can't reveal. This is where virtual devices are changing mobile security testing.

According to a leading industry report, nearly 60% of iOS apps and 43% of Android apps were found vulnerable to PII data leakage. The report also highlights that over 60% of iOS apps and up to 34% of Android apps lacked basic code protection, making them more susceptible to reverse engineering. These findings underscore the need for comprehensive mobile security strategies that address both application and device-level threats. 

The Limits of Traditional Mobile Testing 

Standard mobile testing typically faces several roadblocks: 

  1. Limited access to system internals: Without root/jailbreak, you can't see what's happening under the hood 
  2. Time-consuming setup: Configuring physical devices for proper security testing takes hours 
  3. Inconsistent environments: Different devices behave differently, making results hard to reproduce 
  4. Inability to monitor low-level operations: Many security issues happen at the system call level 

These limitations mean that even when following OWASP guidelines, testers often can't execute the tests properly. It's like being told to check if your house is secure but only being allowed to look through the windows instead of going inside. 

Mapping OWASP MASVS Requirements to Virtual Testing Capabilities 

Let's look at how virtual devices like Corellium make it possible to properly test each OWASP Mobile Application Security Verification Standard (MASVS) category. The grouping below follows MASVS 1.x, which opened with an architecture and threat-modeling group; MASVS 2.0 no longer lists that as a separate control group, but the data-flow visibility it calls for still underpins the other categories:

1. Architecture, Design, and Threat Modeling (MASVS-ARCH)

Traditional testing challenge: Identifying insecure data flows requires visibility into how data moves through the app and where it's stored. 

Virtual device solution: Corellium's file system access and snapshots let you examine data storage before and after operations. You can capture the exact state of the app's data at any point and compare changes. This helps verify that sensitive information is properly encrypted and stored in secure locations. 

Real-world example: One financial services app we tested seemed to follow best practices, but virtual testing revealed it was storing hashed passwords in a location accessible to other processes, a finding impossible to detect without full file system access.

2. Data Storage and Privacy (MASVS-STORAGE)

Traditional testing challenge: Confirming proper encryption requires examining raw data on the device, which is restricted on non-rooted/non-jailbroken devices. 

Virtual device solution: With Corellium, virtual iOS and Android devices come already jailbroken or rooted, so you get root access immediately without the setup a physical device needs. You can directly examine SQLite databases, Keychain/Keystore contents, shared preferences, and file permissions to verify what is actually encrypted at rest.

Real-world example: During a client engagement, we found an e-commerce app that claimed to encrypt all user data but actually stored credit card verification values in plaintext within a buried cache file, something only discoverable with complete file system access.
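The snapshot-and-compare workflow described for both MASVS-ARCH and MASVS-STORAGE above can be scripted once you can pull the app's sandbox off the device. The following is an added example written for this article, not Corellium tooling or any client's code: it takes a file hash snapshot before and after an operation, then scans only the files that changed for world-accessible modes and plaintext secrets. The sandbox layout, file names and contents are constructed for the demo, and the regular expressions are deliberately simple; a real run would point `snapshot` at a copy of the app's data directory pulled from the virtual device.

```python
import hashlib
import os
import re
import stat
import tempfile

# Simple markers for data that should never appear in plaintext on disk.
# Constructed for this example; tune them to the app under test.
SENSITIVE_PATTERNS = {
    "card_number": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
    "cvv": re.compile(rb'cvv"?\s*[:=]\s*"?\d{3,4}\b', re.IGNORECASE),
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9._-]{20,}"),
}


def snapshot(root):
    """Map each file under root to (sha256, mode bits): the 'before' or 'after' state."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            result[os.path.relpath(path, root)] = (digest, mode)
    return result


def diff_snapshots(before, after):
    """Relative paths created or modified between the two snapshots."""
    changed = []
    for path, (digest, _) in after.items():
        if path not in before or before[path][0] != digest:
            changed.append(path)
    return sorted(changed)


def scan_file(root, relpath):
    """Flag world-readable/writable modes and plaintext secrets in one changed file."""
    findings = []
    path = os.path.join(root, relpath)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append((relpath, "world-accessible mode %o" % mode))
    with open(path, "rb") as fh:
        data = fh.read()
    for label, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(data):
            findings.append((relpath, "plaintext " + label))
    return findings


def audit(root, before, after):
    """Scan only what the operation touched: new or modified files."""
    findings = []
    for relpath in diff_snapshots(before, after):
        findings.extend(scan_file(root, relpath))
    return findings


def demo():
    """Build a constructed sandbox, snapshot it, simulate a checkout, and audit the delta."""
    root = tempfile.mkdtemp(prefix="app-sandbox-")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    with open(os.path.join(root, "Library", "prefs.plist"), "wb") as fh:
        fh.write(b"<plist><dict><key>theme</key><string>dark</string></dict></plist>")
    before = snapshot(root)
    # Simulated app behaviour (constructed): a checkout writes card data to a
    # cache file and leaves it readable by any process on the device.
    cache = os.path.join(root, "Library", "Caches", "checkout.cache")
    with open(cache, "wb") as fh:
        fh.write(b'{"pan":"4111 1111 1111 1111","cvv":123}')
    os.chmod(cache, 0o644)
    after = snapshot(root)
    return audit(root, before, after)


if __name__ == "__main__":
    for path, issue in demo():
        print(path, "->", issue)
```

Diffing snapshots rather than scanning the whole sandbox keeps the output tied to the operation you just exercised, which is what makes the "before and after" comparison useful in an engagement: the unchanged prefs.plist is never scanned, while the cache file the checkout created is flagged for both its mode and its contents.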

3. Cryptography (MASVS-CRYPTO)

Traditional testing challenge: Verifying proper cryptographic implementation requires tracing API calls and examining key management. 

Virtual device solution: Corellium's CoreTrace feature traces the system calls an app makes as they happen; combined with runtime instrumentation, this lets you follow cryptographic operations and key handling to reveal weak algorithms or modes, hardcoded keys, and missing or improper certificate validation.

Real-world example: A messaging app advertised "end-to-end encryption", but tracing showed it encrypting messages with a block cipher in ECB mode and using a raw password-derived value as the key with no proper key derivation. ECB maps identical plaintext blocks to identical ciphertext blocks, so message structure leaks to pattern analysis.
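To show why the ECB finding above matters, here is an added example (written for this article, not code from the app or from Corellium) that encrypts a message with a repeated field in ECB and in CBC, then counts repeated ciphertext blocks, which is the test a reviewer runs on captured ciphertext. The block cipher is a stand-in: a keyed hash truncated to one block, which, like a real cipher, maps a given key and block to one fixed output, and that is the only property the comparison relies on. The message, password, salt and IV are constructed; a real CBC IV must come from os.urandom and never repeat under one key.

```python
import hashlib
from collections import Counter

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key, block):
    """Stand-in for a block cipher (NOT a real cipher): keyed hash truncated to one block.
    Deterministic per (key, block), which is all the ECB-vs-CBC comparison depends on."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data):
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key, plaintext):
    """ECB: every block encrypted independently, so equal plaintext blocks give equal ciphertext."""
    pt = pad(plaintext)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key, iv, plaintext):
    """CBC: each block is XORed with the previous ciphertext block before encryption."""
    pt = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)


def repeated_blocks(ciphertext):
    """Count ciphertext blocks that repeat. ECB leaks plaintext repetition as
    ciphertext repetition; a chained mode with a fresh IV should score zero."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(c - 1 for c in Counter(blocks).values() if c > 1)


def derive_key(password, salt):
    """Proper key derivation: PBKDF2-HMAC-SHA256 with a salt and a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=BLOCK)


def demo():
    # Constructed message whose first eight blocks are an identical 16-byte field.
    message = b"MSGTYPE=ACK;ID=1" * 8 + b"final"
    weak_key = b"hunter2".ljust(BLOCK, b"\0")   # the anti-pattern: raw password padded to key size
    salt = b"\x11" * BLOCK                       # constructed fixed salt for a reproducible demo
    strong_key = derive_key(b"hunter2", salt)
    iv = b"\x22" * BLOCK                         # constructed fixed IV; use os.urandom(BLOCK) for real
    return {
        "ecb_repeats": repeated_blocks(ecb_encrypt(weak_key, message)),
        "cbc_repeats": repeated_blocks(cbc_encrypt(strong_key, iv, message)),
    }


if __name__ == "__main__":
    print(demo())
```

The repeated-block count is a useful triage signal on any captured ciphertext, whether it came from a database on the device or from intercepted traffic: a score above zero on structured data is strong evidence of ECB. The key choice does not affect that score, which is the point; switching the app to a real KDF fixes guessable keys but not the leaking mode, and both need fixing.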

4. Authentication and Session Management (MASVS-AUTH)

Traditional testing challenge: Bypassing authentication requires manipulating app state and network traffic, which is difficult on standard devices. 

Virtual device solution: Corellium lets you combine network monitoring with system state manipulation. You can intercept authentication requests while simultaneously manipulating local storage to test session persistence vulnerabilities. 

Real-world example: We discovered a banking app that properly implemented biometric authentication but stored an authentication token that remained valid for 30 days—allowing account access if the device was compromised. 

5. Network Communication (MASVS-NETWORK)

Traditional testing challenge: Certificate pinning often prevents proper testing of network security. 

Virtual device solution: Corellium's SSL/TLS inspection capabilities let you bypass certificate pinning without modifying the app, allowing you to inspect the decrypted traffic and verify that the app's certificate validation is implemented properly.

Real-world example: A healthcare app used certificate pinning but virtual testing revealed it wasn't validating the full certificate chain, making it vulnerable to certain man-in-the-middle attacks despite pinning being implemented. 

6. Platform Interaction (MASVS-PLATFORM)

Traditional testing challenge: Verifying proper permission usage and platform API interactions requires visibility into system calls. 

Virtual device solution: System call tracing shows exactly which platform APIs an app accesses and when, revealing excessive permissions or improper platform usage. 

Real-world example: A fitness app requested location permission "only while using the app" but our testing showed it was calling location APIs during background refresh—a privacy violation that would trigger regulatory concerns. 

7. Code Quality and Build Settings (MASVS-CODE)

Traditional testing challenge: Identifying memory corruption issues and debug flags requires specialized tools. 

Virtual device solution: Corellium provides memory analysis and build-configuration verification that can identify buffer overflows, unhandled exceptions, and debug settings (such as android:debuggable on Android or the get-task-allow entitlement on iOS) left enabled in production.

Real-world example: An investment app had properly obfuscated code but left debug flags enabled in production builds, exposing sensitive internal logging information.
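Debug settings are the cheapest MASVS-CODE check to automate once you have the build artifacts. The following added example (for this article; not Corellium tooling or the investment app's code) checks a decoded AndroidManifest.xml for android:debuggable, android:allowBackup and android:usesCleartextTraffic, and an iOS entitlements plist for get-task-allow and a development push environment. Both inputs are constructed samples: the APK ships its manifest as binary XML, so a real run would feed the output of apktool, and the entitlements would come from `codesign -d --entitlements :- App.app` on the extracted bundle.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest as apktool would decode it (not a real app's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.invest">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true" android:label="Invest">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample entitlements as codesign would print them (not a real app's).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>application-identifier</key><string>TEAMID.com.example.invest</string>
  <key>get-task-allow</key><true/>
  <key>aps-environment</key><string>development</string>
</dict>
</plist>
"""


def check_android_manifest(xml_text):
    """Return a list of build-setting findings from a decoded AndroidManifest.xml."""
    findings = []
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    app = root.find("application")
    if app is None:
        return ["no <application> element in manifest"]

    def attr(name):
        # Android attributes are namespaced; ElementTree keys them as {ns}name.
        return app.get("{%s}%s" % (ANDROID_NS, name))

    if attr("debuggable") == "true":
        findings.append("android:debuggable=true (debugger attach and run-as access on a release build)")
    if attr("allowBackup") != "false":
        findings.append("android:allowBackup not disabled (app data extractable via adb backup on older APIs)")
    if attr("usesCleartextTraffic") == "true":
        findings.append("android:usesCleartextTraffic=true (plain HTTP permitted)")
    return findings


def check_ios_entitlements(plist_bytes):
    """Return a list of findings from an app's code-signing entitlements plist."""
    findings = []
    ent = plistlib.loads(plist_bytes)
    if ent.get("get-task-allow") is True:
        findings.append("get-task-allow entitlement present (process is debuggable)")
    if ent.get("aps-environment") == "development":
        findings.append("aps-environment=development (development push profile in the build)")
    return findings


if __name__ == "__main__":
    for f in check_android_manifest(SAMPLE_MANIFEST) + check_ios_entitlements(SAMPLE_ENTITLEMENTS):
        print(f)
```

Note that allowBackup is treated as a finding unless it is explicitly "false": the attribute defaults to true, so a manifest that omits it is still exposed on API levels where adb backup applies.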

8. Resilience Against Reverse Engineering (MASVS-RESILIENCE)

Traditional testing challenge: Testing anti-tampering measures requires sophisticated tools not available on standard devices. 

Virtual device solution: Virtual environments let you test code obfuscation effectiveness, anti-debugging measures, and tampering responses by modifying runtime behavior and monitoring app responses. 

Real-world example: A payment app claimed to have anti-tampering protections, but testing on Corellium revealed it only checked for debugger attachment at startup—not during sensitive transactions. 

Real-World Impact: Catching What Others Miss 

The difference between basic OWASP compliance and thorough security testing can be dramatic. Let's look at real-world security incidents that could have been prevented with more thorough testing: 

Case Study: TikTok's Clipboard Access Controversy 

In 2020, iOS 14's new pasteboard notification revealed that TikTok was regularly reading users' clipboards without their knowledge. The behavior had gone largely unnoticed because, before iOS 14, nothing on a physical device alerted the user when an app read the pasteboard.

With Corellium's system call tracing and runtime instrumentation, this type of behavior would have been apparent during security testing: the platform can record the app's activity, including UIPasteboard reads, and flag reads that occur without any user interaction.
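Both the background-location finding under MASVS-PLATFORM and the clipboard case above reduce to the same analysis: correlate sensitive API calls with app state and recent user interaction. The script below is an added example written for this article; it is not CoreTrace output or Corellium code. The trace line format is invented so the example runs offline (a real analyzer would parse CoreTrace's own output, with framework-level calls such as UIPasteboard coming from runtime hooks rather than the syscall layer), and the two-second interaction window is an assumption to tune per app.

```python
import re
from datetime import datetime

# Constructed trace in an invented format: timestamp, process, event kind, detail.
SAMPLE_TRACE = """\
12:00:01.000 app[1234] lifecycle: foreground
12:00:02.100 app[1234] api: CLLocationManager.requestLocation
12:00:05.000 app[1234] lifecycle: background
12:00:35.000 app[1234] api: CLLocationManager.startUpdatingLocation
12:00:36.000 app[1234] api: UIPasteboard.generalPasteboard.string
12:00:40.000 app[1234] lifecycle: foreground
12:00:41.000 app[1234] ui: touch
12:00:41.200 app[1234] api: UIPasteboard.generalPasteboard.string
12:00:50.000 app[1234] api: UIPasteboard.generalPasteboard.string
"""

LINE_RE = re.compile(r"^(\S+) app\[\d+\] (\w+): (.+)$")
LOCATION_APIS = ("CLLocationManager.",)
PASTEBOARD_APIS = ("UIPasteboard.",)
INTERACTION_WINDOW = 2.0  # assumed: seconds a pasteboard read may follow a touch


def parse(trace):
    """Turn trace text into (timestamp, kind, detail) tuples, skipping unparseable lines."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    return events


def analyze(trace):
    """Flag location API use while backgrounded and pasteboard reads with no recent touch."""
    state = "unknown"
    last_touch = None
    findings = []
    for ts, kind, detail in parse(trace):
        if kind == "lifecycle":
            state = detail                      # foreground / background
        elif kind == "ui" and detail == "touch":
            last_touch = ts                     # most recent user interaction
        elif kind == "api":
            stamp = ts.strftime("%H:%M:%S.%f")[:-3]
            if detail.startswith(LOCATION_APIS) and state == "background":
                findings.append((stamp, "location API in background: " + detail))
            elif detail.startswith(PASTEBOARD_APIS):
                recent = (last_touch is not None
                          and (ts - last_touch).total_seconds() <= INTERACTION_WINDOW)
                if not recent:
                    findings.append((stamp, "pasteboard read without recent user interaction: " + detail))
    return findings


if __name__ == "__main__":
    for stamp, issue in analyze(SAMPLE_TRACE):
        print(stamp, issue)
```

On the constructed trace this yields three findings: one location call while backgrounded (the "only while using the app" violation), one pasteboard read in the background, and one in the foreground nine seconds after the last touch; the read 200 ms after a touch is treated as user-initiated. The same state machine extends to other permission-gated APIs (camera, microphone, contacts) by adding their prefixes.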

Beyond Checklist Compliance 

Real security isn't about checking boxes on the OWASP list—it's about truly understanding your app's security posture. Virtual testing enables: 

  1. Continuous security testing: Automated testing can be integrated into CI/CD pipelines 
  2. Broader coverage: Test across more device types and OS versions simultaneously 
  3. Deeper inspection: Examine areas of the system typically hidden from view 
  4. More realistic attack scenarios: Model sophisticated attacker capabilities 

Conclusion 

The OWASP Mobile Top 10 provides an excellent starting point for mobile app security, but proper testing requires tools that can look beneath the surface. Virtual device testing platforms like Corellium provide the visibility, access, and capabilities needed to conduct thorough security assessments that find what traditional testing misses. 

By combining the structured approach of OWASP guidelines with the powerful testing capabilities of virtual devices, security teams can finally close the gap between security theory and practice—catching the vulnerabilities that matter before attackers do. 

Ready to see what your mobile security testing might be missing? Meet with our team for a demonstration of how virtual device testing can transform your security program.