Notes on testing installed apps on iOS devices.
Independent investigative research of third-party apps is an important and widespread practice that substantially contributes to the safety and security of end-users. Third-party research of iOS apps has led to the discovery of numerous fraudulent, fleecing, and malicious applications, which would otherwise likely have continued to harm users without notice. Independent researchers are also a vital resource in helping large enterprises discover vulnerabilities that could be exploited to harm users.
A common scenario where a security researcher might need to test a third-party app from the App Store is a bug bounty, or an authorized third-party review of mobile applications with rewards for certain types of vulnerabilities discovered. For example, the multi-billion-dollar financial company Wise invites independent security testers to test and report security defects in their iOS mobile apps in exchange for up to $4,000 per vulnerability.
Another common scenario is to independently investigate the security of popular applications. For example, Google Project Zero performed a security analysis of popular App Store apps, including WhatsApp, to identify security defects that could be used by hackers to compromise a user’s device. There is ample evidence that such vulnerabilities, left undiscovered, are exploited by criminal hackers and foreign governments to compromise the physical devices of iOS users, including journalists. This type of independent investigative research plays a crucial role in protecting the safety and security of end-users.
Our Apps tool enables you to conveniently view, install, and manage applications on the virtual device. The Apps tool lists all applications (or packages, on Android) on the virtual device. For each app, it displays the name, date installed, type (System or User), and size of the file. It also provides buttons to launch or kill the app, and if the app can be uninstalled, a button to uninstall the app.
To load an iOS app on a virtual device, it must be unencrypted and signed. If you're a pentester requesting an app from a client, please ensure your client provides you an unencrypted, signed copy of the app. If you receive an error when uploading an app, please ensure your app is appropriately signed and that you can load it on a physical device.
All iOS applications must be signed before they can be installed on a real or virtual device. Corellium does not enable users to download apps from the App Store. Additionally, you will not be able to load the copy of the app that is distributed on TestFlight. TestFlight uses the App Store for distribution, so TestFlight apps are encrypted.
On a jailbroken device, you can simply upload the unencrypted, signed app via the Apps tab, and it should launch and run as normal. On a non-jailbroken device, you will need to match the UDID of the virtual device with a UDID from the provisioning profile used to sign the app. You can adjust the UDID of the virtual device in the Settings, then the Device IDs tab. Once you update the UDID, click "Save and Reboot" for the change to take effect.
Once your app is properly signed and the UDID is set accordingly, click the "Install" button on the Apps tab and select your signed .ipa file. A green progress bar will appear at the bottom of the screen indicating the progress as your app is uploaded and installed on the device. Once installation is complete, the app will appear in the list of Apps, as well as on the virtual device screen.
If you are having trouble loading an app, please check the following before contacting support:
Does your app load on a real device of the same model and OS version?
If you are loading an iOS app, is it properly signed? Does it have the proper entitlements?
By design, Corellium’s virtual iOS-based devices do not enable access to Apple services, including the Apple App Store. As a result, a Corellium user cannot directly download an app from the App Store for testing on a Corellium device, nor can they load an encrypted app that has been downloaded from the App Store on another device. To test an app on a Corellium device, users can only load a signed, unencrypted version of the app.
In cases where a user has developed the app themselves, or where the app’s source code is provided to the researcher by the original developer, loading the app onto a Corellium device is straightforward. The app is simply built and signed, and then it can be loaded to the device through a program like Xcode or with Corellium’s integrated Apps tool. However, Corellium’s users, and security researchers more generally, often have a specific need to test third-party applications from the Apple App Store that they have not developed themselves, and for which they do not have source code.
Because the App Store is not enabled on Corellium virtual devices, if a researcher wishes to test a third-party app from the App Store, the researcher must first download the app on a physical device to obtain the required app in its binary form, called an IPA.
However, binaries sourced directly from the App Store cannot be audited as downloaded. This is because apps downloaded from the App Store are protected with Apple’s Digital Rights Management (DRM) technology called Fairplay. Fairplay encrypts parts of the application so that the code of the application cannot be viewed directly by reverse-engineering tools, and the application can only be run on authorized devices. Apple provides the DRM decryption key to authorized physical devices by tying the key to the physical hardware and Apple ID of the user in an obfuscated form. When the application is run by a user on the authorized device, iOS obtains and uses this key to decrypt and run the application.
Importantly, the App Store DRM encryption key does not – and is not designed to – provide any privacy or security advantage to the application, device, or user. Rather, Fairplay only serves to prevent App Store apps from being run, analyzed, or disassembled outside an Apple-authorized environment.
In the United States, the Digital Millennium Copyright Act 17 U.S.C. 1201, or DMCA, makes it illegal and actionable to circumvent certain types of DRM. However, the DMCA also provides exemptions, such as for certain kinds of security research. A qualified attorney can help you determine if your research qualifies under the DMCA exemptions.
Corellium does not support running apps that are encrypted using Apple Fairplay DRM, and Corellium does not provide any tools, instructions, or legal advice for decrypting applications from the App Store. Additionally, while physical jailbroken devices may be used to decrypt apps, Corellium’s “jailbroken” virtual devices specifically do not enable access to the App Store and do not facilitate the decryption of apps.
Other third-party tools are widely available for decrypting applications for security research purposes. Typically, this process makes use of a jailbroken physical device. Tools to decrypt App Store apps are widely used, and Apple has never sought to use the DMCA to prevent this. App Store decryption is sufficiently common that large numbers of high-profile cybersecurity firms and individuals overtly develop tools for this purpose, teach students to use these tools, and openly advertise using these tools as part of their cybersecurity practice. Corellium does not promote or endorse these tools, and Corellium strongly condemns the use of such tools for piracy. The decryption of apps for piracy is a violation of our terms of service and will result in account termination.