At Corellium, we’re committed to providing the mobile security research and app developer communities the ability to comprehensively test and analyze Apple’s mobile operating systems without having to jailbreak physical devices. To that end, we’re very proud to announce that our Corellium Virtual Hardware platform now supports iOS 16, including fully jailbroken iOS 16.
Jailbreaks are essential to iOS security work. Without jailbreaks, white-hat researchers wouldn’t be able to dynamically analyze mobile apps or discover security flaws in walled-off areas of the operating system. Researchers have relied on jailbreaks for significant, groundbreaking discoveries ranging from analyzing the Pegasus malware to dissecting the UAE-spy app ToTok to uncovering how malware may be loaded onto an iPhone’s Bluetooth chip even when the device is off. Most of the bugs reported to Apple’s Bug Bounty program wouldn’t have been discovered without a jailbreak, and you would be hard-pressed to find a mobile pen-testing team that doesn’t have a pile of jailbroken iPhones for application analysis.
Counterintuitively, while jailbreaks are essential for security research, achieving a jailbreak on a physical iOS device fundamentally requires the exploitation of security vulnerabilities. The purpose of jailbreaking is to enable users to do things that aren’t ordinarily permitted by the operating system – namely, to run their own code and to access lower levels of the system. Since iOS is not designed to enable this access by default, a user must find and leverage security flaws in the operating system to change the way it behaves. Typically, this is achieved by “patching” the iOS kernel.
Put another way: to find bugs in iOS, the security community has to exploit bugs in iOS. This creates an uncomfortable incentive for researchers to withhold known bugs from Apple, in order to maintain their ability to do their work.
Corellium’s approach is inherently different: it doesn’t rely on vulnerabilities at all. Instead, because the operating system is running in a virtualized environment, the OS can simply be configured to run with escalated privileges by default – the “patches” can simply be applied at the outset. Corellium’s virtual devices behave and function the same way a physical jailbroken device would, and they even come pre-loaded with common jailbreak tools like Cydia. In this way, Corellium is not only able to provide the security research community with immediate support for a jailbroken version of the latest OS, but it can do so without having to withhold any security vulnerabilities from Apple.
Public jailbreaks are increasingly rare
Apple invests considerable effort in continually improving the security of its operating system. As it hardens iOS with each new release, public jailbreaks are becoming more and more rare. Nearly a year after the release of iOS 15, a public jailbreak for this version has yet to be made available.
The reason for this is simple: it’s getting harder and harder to find bugs that can be used for a jailbreak. It used to be that a fully untethered jailbreak required just one or two vulnerabilities to achieve privilege escalation. Now, jailbreaks require a complex chain of exploits, and even then, they often don’t provide the same degree of access or persistence. From this perspective, Apple’s efforts to improve the security of iOS over time have arguably succeeded.
But this success has created something of a catch-22. As our CTO Chris Wade describes:
The more Apple locks down their operating system to improve end user security, the harder it becomes for the independent security research community to investigate and identify security vulnerabilities, both in the operating system itself and in the apps that run on it. That doesn’t mean vulnerabilities aren’t still there; it just makes it harder for the community to help find them before bad actors do. And the harder they are to find, the more valuable they are, so the more incentive researchers have to hold them instead of report them, and the more incentive bad actors have to go looking for them.
Indeed, as jailbreaks become harder to implement, they become increasingly valuable. This drives researchers, governments, and security companies to create their own private jailbreaks and hoard the bugs that enable them to protect their advantage for future security work.
iOS 16 features focus on narrowing attack surfaces
iOS 16 includes two notable new features aimed at limiting attack vectors. One is called “Lockdown Mode,” which focuses on protecting a small but highly vulnerable set of users, such as activists and journalists. Lockdown Mode strictly limits or disables certain iPhone features, as well as access to certain apps and websites.
Interestingly, the specific features of Lockdown Mode suggest that, in Apple’s assessment, the most common attack vectors on an iPhone today are malicious websites, infected iMessages or FaceTime videos, MDM profiles, and wired connections to the phone. Notably, Lockdown Mode does not seem to impact a user’s access to third-party app store apps. As Apple increasingly limits the attack surface for native features, the attack focus may shift to apps from the App Store – particularly given the limited review these apps undergo.
Another new feature, “Developer Mode,” aims to protect people from “inadvertently installing potentially harmful software on their devices” and to “reduce attack vectors exposed by developer-only functionality,” according to Apple. As a byproduct, this feature also introduces additional friction to installing and running third-party code, including apps from alternative app stores. Apple is of course facing intense regulatory scrutiny over its monopoly of app distribution, and this wouldn’t be the first time it used security as a pretext for preserving control of the iOS ecosystem.
The addition of Lockdown Mode and Developer Mode in iOS 16 highlights an evolving and heightened focus on the security of iOS. High-profile stories – about malware like Pegasus or about a critical FaceTime bug discovered by a highschooler – have put increasing pressure on Apple to address even obscure attack vectors that are unlikely to affect an ordinary user.
This has resulted in a new iOS version that, for the first time, acknowledges and addresses the different threat profiles faced by different audiences, demonstrating an increasingly sophisticated and nuanced approach by Apple to user security. At the same time, this new iOS version continues the trend of tighter security controls, which will likely also mean a continuation of the trend of not seeing a public jailbreak for this new version anytime soon – if ever.
This is why we believe it’s as important as ever for Corellium to provide a place for white-hat developers to perform good-faith security research in a way that’s not possible on physical devices – a way that doesn’t require exploiting, withholding and retaining vulnerabilities. And given our platform’s widespread adoption by the world’s top security research and development teams, it seems the community would agree.
For more information about our latest code release, check out https://www.corellium.com/updates.
