Supporting mobile security testing and research in a world without jailbreaks.
At Corellium, we’re committed to providing the mobile security and app developer communities the ability to comprehensively test and analyze Apple’s mobile operating systems without having to jailbreak physical devices. To that end, we’re very proud to announce that our Corellium Virtual Hardware platform now supports iOS 17, including fully jailbroken iOS 17.
Jailbreaks are essential to iOS security work. Without jailbreaks, white-hat researchers wouldn’t be able to dynamically analyze mobile apps or discover security flaws in walled-off areas of the operating system. Researchers have relied on jailbreaks for significant, groundbreaking discoveries ranging from analyzing the Pegasus malware to dissecting the UAE-spy app ToTok to uncovering how malware may be loaded onto an iPhone’s Bluetooth chip even when the device is off. Most of the bugs reported to Apple’s Bug Bounty program wouldn’t have been discovered without a jailbreak, and you would be hard-pressed to find a mobile pen-testing team that doesn’t have a pile of jailbroken iPhones for application analysis.
Counterintuitively, while jailbreaks are essential for security research, achieving a jailbreak on a physical iOS device fundamentally requires the exploitation of security vulnerabilities. The purpose of jailbreaking is to enable users to do things that aren’t ordinarily permitted by the operating system – namely, to run their own code and to access lower levels of the system. Since iOS is not designed to enable this access by default, a user must find and leverage security flaws in the operating system to change the way it behaves. Typically, this is achieved by “patching” the iOS kernel.
Put another way: to find bugs in iOS, the security community has to exploit bugs in iOS. This creates an uncomfortable incentive for researchers to withhold known bugs from Apple, in order to maintain their ability to do their work.
Corellium’s approach is inherently different: it doesn’t rely on vulnerabilities at all. Instead, because the operating system is running in a virtualized environment, the OS can simply be configured to run with escalated privileges by default – the “patches” can simply be applied at the outset. Corellium’s virtual devices behave and function the same way a physical jailbroken device would, and they even come pre-loaded with common jailbreak tools like Cydia. In this way, Corellium is not only able to provide the security research community with immediate support for a jailbroken version of the latest OS, but it can do so without having to withhold any security vulnerabilities from Apple.
Public jailbreaks are increasingly rare
Apple invests considerable effort in continually improving the security of its operating system. As it hardens iOS with each new release, public jailbreaks are becoming more and more rare.
The reason for this is simple: it’s getting harder and harder to find bugs that can be used for a jailbreak. It used to be that a fully untethered jailbreak required just one or two vulnerabilities to achieve privilege escalation. Now, jailbreaks require a complex chain of exploits, and even then, they often don’t provide the same degree of access or persistence. From this perspective, Apple’s efforts to improve the security of iOS over time have arguably succeeded.
But this success has created something of a catch-22. As our CTO Chris Wade describes:
The more Apple locks down their operating system to improve end user security, the harder it becomes for the independent security research community to investigate and identify security vulnerabilities, both in the operating system itself and in the apps that run on it. That doesn’t mean vulnerabilities aren’t still there; it just makes it harder for the community to help find them before bad actors do. And the harder they are to find, the more valuable they are, so the more incentive researchers have to hold them instead of report them, and the more incentive bad actors have to go looking for them.
Indeed, as jailbreaks become harder to implement, they become increasingly valuable. This drives researchers, governments, and security companies to create their own private jailbreaks and hoard the bugs that enable them to protect their advantage for future security work.
iOS 17 features focus on narrowing attack surfaces
iOS 16 included a notable new feature aimed at limiting attack vectors called “Lockdown Mode” which focuses on protecting a small but highly vulnerable set of users, such as activists and journalists. Lockdown Mode strictly limits or disables certain iPhone features, as well as access to certain apps and websites. Lockdown Mode has now received an upgrade in iOS 17, including automatic geolocation data removal from photos when shared and blocking automatic connections to non-secure Wi-Fi networks.
Interestingly, the specific features of Lockdown Mode suggest that, in Apple’s assessment, the most common attack vectors on an iPhone today are malicious websites, infected iMessages or FaceTime videos, MDM profiles, and wired connections to the phone. Notably, Lockdown Mode does not seem to impact a user’s access to third-party app store apps. As Apple increasingly limits the attack surface for native features, the attack focus may shift to apps from the App Store – particularly given the limited review these apps undergo.
The Lockdown Mode upgrades in iOS 17 highlights an evolving and heightened focus on the security of iOS. High-profile stories – about malware like Pegasus or about a critical FaceTime bug discovered by a highschooler – have put increasing pressure on Apple to address even obscure attack vectors that are unlikely to affect an ordinary user.
As Apple continues to acknowledge and address the different threat profiles faced by different audiences, they are demonstrating an increasingly sophisticated and nuanced approach to user security. At the same time, this new iOS version continues the trend of tighter security controls, which will likely also mean a continuation of the trend of not seeing a public jailbreak for this new version anytime soon – if ever.
This is why we believe it’s as important as ever for Corellium to provide a place for white-hat developers to perform good-faith security research in a way that’s not possible on physical devices – a way that doesn’t require exploiting, withholding and retaining vulnerabilities. And given our platform’s widespread adoption by the world’s top security research and development teams, it seems the community would agree.