In our recent blog post on how to test mobile applications more effectively, we continued to build our case about why mobile application security testing should be done with Corellium’s virtual hardware platform. Our last blog post explored the challenges of Mobile Application Security Testing (MAST) tools.
Update Oct. 2025: Corellium now supports testing on iOS 26. This post focuses on jailbreak access challenges introduced in iOS 17 and 18—but many of the same issues persist and evolve in iOS 26. For the most current update, read our blog on iOS 26 jailbreak and root support.
Why Testing Mobile Apps is Harder on iOS 18 and Beyond
Let’s explore why the S in MAST, security, has become an increasingly difficult barrier to overcome when thoroughly testing mobile applications, especially for significant risks such as data leakage and exfiltration. This has become more and more apparent with the Associated Press investigation of how bad actors are targeting smart phones with zero-click attacks that leave no trace. These attacks are possible because mobile devices remain the weakest link in our cyber defenses.
Stronger OS Security = Less Visibility for Testing
Ironically, one of the challenges in mobile application security testing stems from the stronger operating system security now baked into iOS versions. In order to fully test mobile applications for CVEs and other potential exploits and vulnerabilities, testing must be done on a jailbroken device. Yet there is a continued push towards new iOS versions which are increasingly difficult to do thorough testing due to an inability for jailbreaking. iOS 17 began a trend of tighter security controls. Newer versions of iOS have seen this trend continue, which means there will not be a public jailbreak for devices on these versions anytime soon Their aggressive update policy also means there are less devices running lower iOS versions.
Why Jailbreaking Still Matters for Mobile Security Testing
While it’s possible to test mobile applications on non-jailbroken devices, the depth of security testing, especially for identifying data exfiltration or OS-level vulnerabilities, is limited without root-level access. Since, according to recent research, nearly 90% of devices run iOS 18.8, this means most application development teams are not doing deep testing for many mobile device users. Yet vulnerabilities, and applications with vulnerabilities being uploaded into the Google Play and Apple iStore remain persistent. Just as a few years ago Android malware Goldoson infiltrated 60 legitimate apps in the official Android store and this year 60 million Android users were infected by the malicious Vapor Application threat on Google Play.
Additionally, the overall number of common vulnerabilities identified annually continues to grow. While not all CVEs apply to mobile applications, the rapid increase underscores why it’s vital to test mobile applications comprehensively, especially as OS-level constraints limit data leakage detection capabilities.
This trend is concerning: in the last 10 years alone CVEs have increased from 7,000 to nearly 40,000 in 2024. These are just the CVEs that are identified, and the capabilities for this identification may decrease. Since 1999, the CVE’s mission has been to identify, catalog and define disclosed vulnerabilities. However, because of its operation as a U.S. government-funded initiative, budget cuts and staff reductions may begin to affect the discovery and sharing of data about common vulnerabilities.
So with the increase in vulnerabilities and potential risk growing, and the tightening of OS security constraints making it more challenging to thoroughly test for these risks, a virtual hardware platform like Corellium is critical. Our platform offers many options of jailbroken virtual iOS devices paired with the ability to mix and match the iOS operating system version for testing.
Want to learn more and understand the rest of the reasons why you should switch to a virtual hardware platform? Download our whitepaper about secure mobile application development.
Corellium iOS 26 Jailbreak Access and Support
As operating system security becomes stronger and vulnerabilities continue to rise, testing mobile applications thoroughly requires a smarter approach.
Corellium’s virtual hardware platform enables iOS mobile application security testing at a depth that physical devices can’t match—across versions including iOS 18 and now iOS 26.
Want to learn about iOS 26 root support? Check out our latest release update.
