Routing Real SMS Messages from Twilio to Corellium via Cloudflare Workers

Routing Real SMS Messages from Twilio to Corellium via Cloudflare Workers

In the realm of mobile security research, SMS communication still plays a critical role in assessing the potential risks and vulnerabilities in mobile devices. SMS messaging, specifically, is an essential aspect of mobile security research, as it is often employed in various attack vectors, such as phishing and targeted remote code execution attacks. To effectively analyze and mitigate these risks, security researchers need powerful, simple, and safe tools. This is where Twilio, Cloudflare Workers, and Corellium come together to create a potent solution that enables researchers to receive real-time SMS messages and route them efficiently.

In this blog post, we will explore how these three technologies can be integrated to build a robust SMS handling system for mobile security research. Twilio, a cloud communications platform, will serve as our SMS gateway, enabling us to receive SMS messages programmatically. Cloudflare Workers, a serverless computing platform, will be responsible for processing incoming SMS messages and forwarding them to the appropriate destination. Finally, Corellium, a virtual device platform, will provide the ability to work with remote iOS devices, allowing researchers to test and analyze the impact of SMS-based threats on mobile devices. And the total cost for all of this? Less than $5.

Our objective is to demonstrate the process of receiving real-time SMS messages, routing them from Twilio to a virtual iOS device on Corellium via Cloudflare Workers, and showing how this integration can enhance mobile security research workflows. Let's dive in and see how these technologies can work together to create an efficient and cost-effective SMS handling solution for security researchers.

1. Creating a Cloudflare Worker

A. Setting up a Cloudflare account

To create a Cloudflare Worker that's reachable over the internet, you'll first need a Cloudflare account. If you don't already have one, simply visit the Cloudflare website and sign up for a free account.

For our use-case, you do not need a domain on Cloudflare. We will use the free * subdomain that Cloudflare offers.

B. Writing the TypeScript code to handle incoming Twilio requests and forward them to Corellium

For a beginner's guide on writing your first Worker for Corellium, please see our previous blog post. For this blog, we're just going to jump right into our src/index.ts.

export interface Env {

            CORELLIUM_API_KEY: string;

            CORELLIUM_INSTANCE_ID: string;



export default {

            async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise<Response> {

                        // Parse the incoming Twilio request

                        const formData = await request.formData();

                        const fromPhoneNumber = formData.get("From");

                        const messageBody = formData.get("Body");


                        // Send the SMS data to Corellium

                        const response = await fetch(`${env.CORELLIUM_INSTANCE_ID}/message`, {

                                    method: 'POST',

                                    headers: {

                                                'Authorization': `Bearer ${env.CORELLIUM_API_KEY}`,

                                                'Content-Type': 'application/json',


                                    body: JSON.stringify({

                                                number: fromPhoneNumber,

                                                message: messageBody,




                        if (response.ok) {

                                    return new Response("Sent", { status: 200 });


                        else {

                                    return new Response("Error", { status: 500 });




For our wrangler.toml, we're going to define CORELLIUM_INSTANCE_ID.

name = "corellium-blog-20230417"

main = "src/index.ts"

compatibility_date = "2023-03-18"



CORELLIUM_INSTANCE_ID = "f9a7b8ea-b699-4655-b870-2450dcebcb85"

This code listens for incoming Twilio requests, extracts the sender's phone number and the SMS message content, and forwards this information to the Corellium API. 

C. Deploying the Cloudflare Worker

To deploy the Worker in production, run:

wrangler publish # command circled in red, take note of the resulting URL in yellow 

wrangler secret put CORELLIUM_API_KEY # command in circled in green

A screenshot of the code needed to deploy a Cloudflare Worker in production.

Take note of the URL in yellow, we're going to need it for the next section.

A screenshot showing the successful creation of a CORELLIUM_API_KEY.

D. Monitoring events

To watch for incoming HTTP requests, run:

wrangler tail

A screenshot depicting the code needed to monitor incoming HTTP requests.

2. Setting Up Twilio

A. Creating a Twilio account and obtaining a phone number

To begin, you'll need to set up a Twilio account if you don't already have one. Twilio offers a wide range of communication services, but in this tutorial, we will focus on using their SMS capabilities. Follow these steps to create an account and obtain a Twilio phone number:

  1. Visit the Twilio website and sign up for a free account.
  2. Once you've signed up and logged in, navigate to the Phone Numbers section in the Twilio Console.
  3. Click on the "Get a Trial Number" button to obtain a new phone number with SMS capabilities. You can also search for a specific number by clicking on "Search for a number" and selecting the appropriate options.

If all went well, you should see you have a number. In our example, we have +1-775-402-9665.

B. Configuring Twilio to send incoming SMS messages to a webhook 

To forward incoming SMS messages to a webhook, you'll need to configure your Twilio phone number's settings. Follow these steps to set up the webhook: 

1. In the Twilio Console, navigate to the Phone Numbers section.

A screenshot of the Twilio Console "Phone Numbers" section. The phone number obtained earlier is circled.

2. Click on the phone number you obtained earlier to view its configuration settings.

A screenshot of the configuration settings for the previously selected phone number in Twilio.

3. In the "Messaging" section, locate the "A MESSAGE COMES IN" webhook configuration.

A screenshot of the Twilio Messaging tab with "Messaging" and "A MESSAGE COMES IN" circled.

4. Enter the URL of your Cloudflare Worker (which we created in the previous section) in the "Webhook" field. The URL should look like

A screenshot depicting what should be entered in the "Webhook" field.

5. Make sure the "HTTP POST" option is selected, as we will be using the POST method to send the incoming SMS data to our Cloudflare Worker.

6. Click "Save" to apply the changes.

With the Twilio configuration complete, your Twilio phone number is now set up to forward incoming SMS messages to the specified webhook. Our Cloudflare Worker is now set up to process these messages and route them to our Corellium virtual iOS device!


3. Testing SMS Routing

A. Sending test SMS messages to the Twilio phone number

We're now going to open the messages app on our virtual iPhone, and wait for a text. Within a few seconds of sending a text message to our +1-775-402-9665 number, the message pops up. Success!

A screenshot of what should show up in the Corellium virtual device after the aforementioned text is sent.

B. Monitoring the Cloudflare Worker logs

In our wrangler tail log window, we can also see the incoming POST request from Twilio.

A screenshot showing the incoming "POST" request from Twilio.

4. Security Considerations and Best Practices

In our example, we are not validating the authenticity of the POST request from Twilio. This can be done by following Twilio's documentation

In practice, I would also recommend adding basic authentication to the endpoint (and validating the Twilio message signature).

5. Conclusion

A. Summary of the integration between Twilio, Cloudflare Workers, and Corellium

In this blog post, we've demonstrated how to integrate Twilio, Cloudflare Workers, and Corellium to receive real-time SMS messages on a virtual iOS device. We began by creating a Cloudflare Worker, wrote TypeScript code to handle incoming Twilio requests and forward them to Corellium, and deployed the worker. Next, we set up a Twilio account and obtained a phone number, then configured Twilio to send incoming SMS messages to a webhook and updated the webhook URL in Twilio with the Cloudflare Worker URL. Finally, we tested the integration by sending an SMS message to the Twilio phone number and verifying that the message was received on the virtual iOS device.

B. Potential use cases and benefits of real-time SMS handling for testing

Integrating Twilio, Cloudflare Workers, and Corellium for real-time SMS handling offers several benefits and use cases for security testing and app development: 

  1. Security testing: Security researchers can use this integration to analyze how apps handle incoming SMS messages, identify potential vulnerabilities, and test the effectiveness of security measures.
  2. Phishing and fraud prevention: Security researchers can use this setup to investigate and analyze malicious SMS messages, helping them develop better strategies for preventing and mitigating phishing and fraud attacks.
  3. Feature testing: Developers can test app features that rely on SMS messages, such as two-factor authentication, notifications, and messaging, in a controlled environment.
  4. Load testing: By simulating a large number of incoming SMS messages, developers can evaluate how well their apps handle high traffic loads and identify potential bottlenecks or performance issues.
  5. Automated testing: Combining this integration with test automation frameworks can help developers create comprehensive test suites that include SMS-based functionality, ensuring a higher level of quality and reliability for their apps.

Overall, the integration of Twilio, Cloudflare Workers, and Corellium for real-time SMS handling can significantly enhance the app development and testing process, enabling developers and security researchers to build more robust, secure, and reliable applications.