August 16, 2021

Corellium Open Security Initiative

In honor of Corellium’s fourth birthday, we’re announcing the Corellium Open Security Initiative to support independent public research into the security and privacy of mobile applications and devices.

Corellium

Today, in honor of Corellium’s fourth birthday, we’re announcing the Corellium Open Security Initiative. This initiative will support independent public research into the security and privacy of mobile applications and devices through a series of awards and access to the Corellium platform.

Rewarding Independent Research

More than any other field of computing, security depends on the existence of a large, diverse, unofficial community of researchers. While advancements in areas like hardware design often emerge from well-funded private labs, the majority of progress in cybersecurity over the last several decades has come from “the security research community,” a community that includes not only credentialed academics and corporate professionals, but hackers, dropouts, and hobbyists too. 

Conducting third-party research on mobile devices remains difficult, inefficient, and expensive. Particularly in the iOS ecosystem, testing typically requires a jailbroken physical device. Jailbreaks rely on complex exploits, and they often aren’t reliable or available for the latest device models and OS versions. 

At Corellium, we recognize the critical role independent researchers play in promoting the security and privacy of mobile devices. That’s why we’re constantly looking for ways to make third-party research on mobile devices easier and more accessible, and that’s why we’re launching the Corellium Open Security Initiative. 

As an initial pilot for this program, we will be calling for proposals on a specific topic. Over time, we will evaluate adding more topics and more opportunities for awards. If you’re interested in sponsoring or partnering with us on this initiative, please reach out to us at securityinitiative@corellium.com.


First Call for Proposals

Topic: Validating Vendor Security Claims

The security research community plays a pivotal role not only in identifying and defending against security threats, but also in holding software vendors accountable for the security and privacy claims they make about their products.

Just last week, Apple announced that it would begin scanning photos uploaded into Apple’s iCloud service for Child Sexual Abuse Material (CSAM). Setting aside debates on the civil and philosophical implications of this new feature, Apple has made several privacy and security claims about this new system. These claims cover topics as diverse as image hashing technology, modern cryptographic design, code analysis, and the internal mechanics and security design of iOS itself. Errors in any component of this overall design could be used to subvert the system as a whole, and consequently violate iPhone users’ privacy and security expectations. 

Since that initial announcement, Apple has encouraged the independent security research community to validate and verify its security claims. As Apple’s SVP of Software Engineering Craig Federighi stated in an interview with the Wall Street Journal, “Security researchers are constantly able to introspect what's happening in Apple's [phone] software, so if any changes were made that were to expand the scope of this in some way—in a way that we had committed to not doing—there's verifiability, they can spot that that's happening.” 

We applaud Apple’s commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort. Our “jailbroken” virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.

We hope that other mobile software vendors will follow Apple’s example in promoting independent verification of security and privacy claims. To encourage this important research, for this initial pilot of our Security Initiative, we will be accepting proposals for research projects designed to validate any security and privacy claims for any mobile software vendor, whether in the operating system or third-party applications. 

Awards

In the initial pilot of the Corellium Open Security Initiative, we will award up to three qualifying submissions a $5,000 grant, paid upon acceptance of the proposal, together with free access to the Corellium platform for one year.

Eligibility

Having a track record of security research is helpful, but not required.

Requirements

  • Any vulnerabilities discovered in the course of your research must be reported to the vendor. We encourage you to follow the disclosure guidelines of the relevant vendor.

  • You must provide us with regular updates about the progress of your research. If your proposal is accepted, we will coordinate with you to set a timeline for updates, depending on the length of your project.

  • You must submit a final report to us providing a detailed technical explanation of the project and its outcomes. This report will be featured on our blog as part of our commitment to open access to security and privacy research. It must be submitted no later than 30 days from the end of your project, or after any disclosure requirements are met. 

  • Any use of the Corellium platform is governed by our Terms of Service.

Criteria

Awards will be granted at our sole discretion. We will review submissions based on the following criteria:

  • The likely impact of the proposed research on improving mobile security or privacy.

  • The novelty and feasibility of the proposed research.

  • The likelihood that the project will be completed successfully.

  • The technical merits of the proposed research.

How To Apply

Please email your proposal to securityinitiative@corellium.com by 5:00pm EST on October 15, 2021.

In your proposal, please include the following details:

  • Name: the name(s) of the researcher(s) that will be performing the research.

  • Organization (if applicable): your institutional affiliation, if any.

  • Project Description: a detailed description of the research you intend to perform.

  • Impact: a detailed description of why this research is important and the impact you expect it to have on improving mobile security or privacy.

  • Plan and Timeline: when you expect to start the research and how long you expect it to take.

  • How Corellium Can Help: why you would benefit from using Corellium to perform your research.

  • Supplemental Information: any prior research or other details that might help us review your submission.

We will review and respond to all proposals by 5:00pm EST on October 31, 2021.

If you have further questions or suggestions, or are interested in supporting our mission to improve privacy and security through independent third-party research, please feel free to reach out to us at securityinitiative@corellium.com.


Stuff the lawyers make us say: We can’t accept proposals from individuals who are on sanctions lists or from individuals in embargoed countries. You are responsible for any taxes on applicable awards, depending on your country of residency and citizenship. Additional restrictions may apply, depending on your local law. All awards are issued entirely at our sole discretion, and we can cancel the program at any time. Your research must not violate any law.
