How Stronger Security for Mobile OS Creates Challenges for Testing Applications

Why you should develop and test on a virtual hardware platform, reason #4: stronger operating system security makes thorough security testing harder.

In our recent blog post, Depth and Breadth Matters in Mobile Application Security Testing Scans, we continued building our case for doing mobile application security testing on a virtual hardware platform. That post explored the limitations of Mobile Application Security Testing (MAST) tools.

In this post, we look at why the S in MAST, security, has become an increasingly difficult barrier to overcome when testing mobile applications thoroughly, especially for high-impact risks such as data leakage and exfiltration. The problem was underlined by the recent AP investigation into how attackers target smartphones with zero-click attacks that leave no trace. These attacks succeed because mobile devices remain the weakest link in many organizations' defenses. You can read our post on that topic here.

Ironically, one of the biggest obstacles to developing and testing mobile applications securely is the stronger security built into each new OS release, particularly iOS. To test a mobile application thoroughly for CVEs and other exploitable weaknesses, testers generally need a jailbroken device, because only then can they inspect the app's process, filesystem and network activity below the level the app itself exposes. Yet the push toward new iOS versions continues, and each one is harder to test thoroughly because it cannot be jailbroken. iOS 17 tightened these controls and iOS 18 has continued the trend, and as of this writing there is no public jailbreak for these versions. Apple's aggressive update policy also means fewer devices remain on older, jailbreakable iOS versions.

Security assessments of mobile applications can be done on non-rooted or non-jailbroken devices. They are far more effective, however, with access to the underlying OS as the root user, which is what allows a tester to read the app's data container, hook its runtime and observe what it actually writes and transmits. Since, according to recent research, nearly 70% of devices run iOS 18, most application development teams are not doing deep testing on the OS version most of their users are running. Meanwhile, vulnerable and outright malicious applications keep appearing in Google Play and the Apple App Store. A few years ago the Goldoson Android malware was embedded in 60 legitimate apps in the official Android store, and this year the Vapor campaign on Google Play reached some 60 million Android users.
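As an added illustration of the kind of data-at-rest check that root-level filesystem access makes possible (this is example code written for this post, not code from the original article or from the Corellium platform), the following Python script scans a copy of an app's data container for secrets left in plaintext. The container snapshot, file paths, and the three secret patterns are constructed for the example; on a real engagement the snapshot would be copied from the device's app container over a root shell and the pattern set extended to the app's own token formats.

```python
import re

# Constructed sample: a flattened snapshot of an app's data container, as it
# could be copied off a jailbroken or virtual device with a root shell.
# Paths and contents are invented for this example.
SAMPLE_CONTAINER = {
    "Library/Preferences/com.example.app.plist":
        b"<plist><dict><key>auth_token</key>"
        b"<string>eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.sig</string>"
        b"</dict></plist>",
    "Library/Caches/session.log":
        b"2025-01-01 login user=alice password=hunter2\n",
    "Documents/notes.txt": b"grocery list\n",
    "Library/Application Support/app.db": b"SQLite format 3\x00...",
}

# Patterns for secrets that should never sit unencrypted on disk.
# These are illustrative; a real scan would add the app's own token formats.
SECRET_PATTERNS = {
    "jwt": re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*"),
    "password_kv": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
}


def scan_file(path, data):
    """Return one finding per secret pattern that matches in this file."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        match = pattern.search(data)
        if match:
            findings.append({
                "path": path,
                "kind": kind,
                # Truncate the matched bytes so the report itself does not
                # become a new place where the secret is stored in full.
                "sample": match.group(0)[:16].decode("ascii", "replace"),
            })
    return findings


def scan_container(container):
    """Scan every file in the container snapshot; paths are visited in sorted order."""
    findings = []
    for path in sorted(container):
        findings.extend(scan_file(path, container[path]))
    return findings


def summarize(findings):
    """Count findings by secret kind, for a quick pass/fail view of the app."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_container(SAMPLE_CONTAINER)
    for finding in results:
        print(f"{finding['kind']:15} {finding['path']}  ({finding['sample']}...)")
    print("summary:", summarize(results))
```

Run against the constructed snapshot, the script flags the JWT stored in the app's preferences plist and the password written to a cache log, and ignores the benign document and the SQLite header. None of this is visible from an unprivileged test: without root access to the container, the tester only sees what the app chooses to show.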

Additionally, the number of common vulnerabilities identified each year keeps growing. Not all of them concern mobile applications, but the trend is concerning: in the last ten years alone, annual CVE counts have risen from about 7,000 to nearly 40,000 in 2024. Those are only the vulnerabilities that get identified, and the capacity to identify them may shrink. Since 1999 the CVE program's mission has been to identify, catalog and define publicly disclosed vulnerabilities. Because it operates as a United States government-funded initiative, however, budget cuts and staff reductions may begin to affect how vulnerability data is discovered and shared.

So with vulnerabilities and potential risk growing, and tightening OS security constraints making it harder to test thoroughly for those risks, a virtual hardware platform like Corellium becomes critical. Our platform offers a range of jailbroken virtual iOS devices and lets you mix and match device models and iOS versions for testing.

Want to learn more about the rest of the reasons to switch to a virtual hardware platform? Click here to download.

Ready to see for yourself how a virtual hardware platform can transform your mobile app development? Click here to get a free trial.