It’s difficult to find technically useful, well contributed information on mobile security testing and mobile software development life cycle (SDLC) best practices. There is a lot of high-level info scattered around, and it seems like new government cybersecurity publications are popping up all the time which makes it hard to tell how everything fits together. So I set out to research the topics on my own, and this blog covers what I’ve found. As I continue, and as comments come in, I’ll make corrections and updates.

Let’s start with very useful, seminal work on mobile security testing, with OWASP® contributors doing a wonderful job with two foundational works. Any searches on the topic of mobile security testing should have landed on them, but in case yours didn’t.

The first is the Mobile Security Testing Guide (MSTG)1 from OWASP. From its introduction:

“The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.”

If you haven’t seen it before, at first glance you may get the impression that it’s merely a high-level overview of basic principles that any mobile developer or security expert already knows. But in fact, it’s quite comprehensive and technically detailed, a great living work by all its contributors, and a very useful resource for new and advanced mobile security gurus alike.

The MSTG is comprised of three primary sections, again from the Guide’s overview: 

“The General Testing Guide contains a mobile app security testing methodology and general vulnerability analysis techniques as they apply to mobile app security. It also contains additional technical test cases that are OS-independent, such as authentication and session management, network communications, and cryptography.

The Android Testing Guide covers mobile security testing for the Android platform, including security basics, security test cases, reverse engineering techniques and prevention, and tampering techniques and prevention.

The iOS Testing Guide covers mobile security testing for the iOS platform, including an overview of the iOS OS, security testing, reverse engineering techniques and prevention, and tampering techniques and prevention.”

The second work from the OWASP Mobile Security Project™ and its contributors, is the Mobile AppSec Verification Standard (MASVS)1.

From its introduction, “The MASVS is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android.”

You must admit, this is a bold undertaking to produce and keep current, but it’s a sorely needed one and a job well done. A useful summary from the document:

“The MASVS defines two security verification levels (MASVS-L1 and MASVS-L2), as well as a set of reverse engineering resiliency requirements (MASVS-R). MASVS-L1 contains generic security requirements that are recommended for all mobile apps, while MASVS-L2 should be applied to apps handling highly sensitive data. MASVS-R covers additional protective controls that can be applied if preventing client-side threats is a design goal.

Fulfilling the requirements in MASVS-L1 results in a secure app that follows security best practices and doesn't suffer from common vulnerabilities. MASVS-L2 adds additional defense-in-depth controls such as SSL pinning, resulting in an app that is resilient against more sophisticated attacks - assuming the security controls of the mobile operating system are intact and the end user is not viewed as a potential adversary. Fulfilling all, or subsets of, the software protection requirements in MASVS-R helps impede specific client-side threats where the end user is malicious and/or the mobile OS is compromised.”

And now for what’s happening from the U.S. gov end of things and recent cybersecurity standards and guidance news. Let’s start with the National Institute of Standards and Technology (NIST) which produces many publications on the topic of cybersecurity.

The recent news has been around the NIST 800-218 publication in 2021 and updated in February 2022, entitled “Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities”.

It’s a comprehensive and relevant work as it applies to mobile software development and testing. Excusing the pun, it sets the new standard as far as past security frameworks for SDLC go. It contains numerous references to useful resources, and the OWASP MASVS resource is primarily referenced within the Produce Well-Secured Software (PW) section.

I find the NIST SSDF publication to be well thought-out and as you read through the examples for each “task”, it makes for a good checklist to walk through for your mobile software development practices (or any software development). Some tasks are easier said than done, but it provides for a great “you are here” resource for understanding your current SDLC security posture and what you need to keep an eye on moving forward.

Having no affiliation with it, I found this blog useful when reading NIST 800-218:

I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For, by Dan Lorenc.

When searching for other NIST cybersecurity initiatives that are currently underway, I found the following particularly interesting. They are looking into consumer labeling practices for both software and IoT devices. In a nutshell, when software or IoT devices are made available for end-use, the level of security testing performed or achieved would be clearly indicated. According to the links below, an initial summary report is to be published by May 12, 2022. This will be interesting to say the least and I’ll update this blog with relevant information.

Recommended Criteria for Cybersecurity Labeling of Consumer Software

Consumer Cybersecurity Labeling Pilots: The Approach and Contributions

There also have been recent news headlines made by the Cybersecurity & Infrastructure Agency (CISA), first established in 2018.

Zero Trust Maturity Model, introduced in September 2021, and

Applying Zero Trust Principles to Enterprise Mobility, newly introduced in March 2022.

These works, to me at least, are more indirectly related to mobile security testing and SDLC best practices. This makes sense as Zero Trust refers to user access privileges and hence the in-production phases of SDLC.

But I would have hoped that Zero Trust would have extended to cover the design and development phases of the SDLC as more and more vulnerabilities are likely to be introduced well before software deliveries.

In the Zero Trust Maturity Model document, the topic of app security development and testing is included in the Application Workload pillar and its Application Security guidance, but that’s about it. It doesn’t use the acronyms, but it’s basically implying a shift from DevOps to DevSecOps. 

Traditional – Agency performs application security testing prior to deployment, primarily through static and manual testing methods.

Advanced – Agency integrates application security testing into the application development and deployment process, including the use of dynamic testing methods.

Optimal – Agency integrates application security testing throughout the development and deployment process, with regular automated testing of deployed applications.”

Looking through the Applying Zero Trust Principles to Enterprise Mobility document, you eventually reach “Table 1: Enterprise Mobile Security Components”. And wading through each, mobile security testing lands on its relatively small Mobile App Vetting (MAV) component.

Not bad I suppose for a CISA framework where the Zero Trust context aims at a different aspect of mobile security and different phase of mobile software development. Would have been helpful if CISA’s MAV and NIST’s SSDF were linked or cross-referenced.

I’d keep an eye on CISA “Zero Trust” publications, but looks like the NIST “SSDF” publications are currently more directly relevant to the topic of mobile security testing and mobile SDLC.

To learn more about Corellium and what we do, visit us at Corellium.com 

1 OWASP trademarks and published works belong to and are under copyright by The OWASP Foundation. The OWASP works are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. For any reuse or distribution, you must make clear to others the license terms of the works.

It’s hard to find useful, well contributed to information on mobile security testing and best practices. Recent cybersecurity publications from U.S. gov agencies often confuse the search. Here’s one interpretation of how they’re interrelated.

Where does Mobile App Security Testing fit into the latest NIST SSDF and CISA Zero Trust publications?

2021 has been an incredible year for us. Like most of the world, it's been a year of change, hope, and growth. We've proudly welcomed hundreds of new businesses, government agencies, and security community professionals to our virtualization platform. And we’ve been expanding our developer and customer success teams as quickly as possible to support our fast pace of innovation.

Today, we're excited to announce that we've raised $25M in Series A funding led by our friends at Paladin Capital Group, Cisco Investments and a few other strategic supporters.

This equity-only round will be used to accelerate our growth, support partnership initiatives, and expand our platform to deliver a wider variety of virtual IoT devices.

For the last four years, our focus has been on creating an incredible security research tool for iOS and Android by bringing a better alternative to the mobile device emulator and device lab markets. While this is still a key focus for us, we're using this new funding to broaden our horizons, with the goal of becoming the go-to platform for testing, research, and development on all Arm-powered IoT devices - from routers to cars to robots.

“In a world of increasing security threats, malware attacks, and dynamic security regulations, effective full-stack system testing - apps, firmware, and hardware - is more critical and complex than ever. As the world’s 13 million Arm developers shift to DevSecOps, Corellium provides the tools they need in a scalable, repeatable, high-performance, high-accuracy, and cost-effective solution. We are excited to be partnering with Corellium in its next phase of growth as the company continues to expand its technical offerings.”

— Mourad Yesayan, managing director at Paladin Capital Group

Because our virtual models run natively on Arm, developers can run production code without making changes, and they run with native-like speed. Combined with our powerful security tools, our advanced virtual environment vastly improves and accelerates end-to-end development, testing, and security acceptance lifecycles on Arm. And to best meet our diverse customer needs, we offer our virtual platform as a Cloud service or as on-site server appliances.

"We know our customers need to be supported across hybrid processor environments. That’s why we are excited to invest in Corellium because it gives customers a new virtualized development paradigm, enabling effective penetration assessment, application testing, and security and threat intelligence research at scale.”

We have big plans for 2022 and we’re grateful for the love and support of the security community and remain steadfastly focused on creating products that work like magic. ✨

If you're excited about what we're working on and want to join us on our journey, check out our open roles. You can also read more about our Series A funding on Forbes, BusinessWire or the Cisco Investments Blog.

We've raised a Series A round with our friends at Paladin and Cisco Investments.

$25M to Accelerate Arm Testing, Research, and Development

Imagine being on vacation and receiving this SMS shortly before your flight home:

But you didn’t check in online… You’re not flying Southwest… And what’s up with that URL? We can inspect the link using Android or a jailbroken iOS device, along with some of Corellium's built-in tools.

We’ll start by using the built-in Network Monitor. We’ll cover using a virtual device with a proxy, such as Burp or Charles, in a later post.

Log into your Corellium account and click “Create Device.” 

Navigate to the last device in the list, or search for “Android.”

Select the Android device and click “Next.”

The default OS version is the latest one, click “Select.”

The default device name is “Android,” but you’re welcome to change it.

When you’re ready, click “Create Device.”

Corellium will take about a minute to set up your virtual Android device.

Before loading the browser, make sure you enable the Network Monitor to capture the traffic.

Click “Network” to the right of your virtual device.

Captured HTTP and HTTPS traffic will appear in the Overview panel next to the device. Click on any of the captured packets to view more information, including the request and the response.

Open the browser, type in the suspicious URL and hit enter.

The URL sends you to accounts.google.com, what’s going on?

Let’s use the Network Monitor to investigate!

The Network Monitor captures two packets when loading the URL. (Note: starting the browser resulted in the Monitor capturing a handful of packets before we entered our URL. We cleared the log first to create the screenshot below.)

Entry #1 looks pretty interesting! Click on the packet to view the request.

The request goes to “wallet-api.urbanairship.com” and takes us to a Google sign-in page. The response includes “pay.google.com”, which belongs to Google’s digital wallet platform. 

If we Google “wallet-api.urbanairship.com”, we find a link to Airship's Wallet API. There’s also a Reddit post stating Southwest Airlines uses a third-party to deliver mobile boarding passes. And Airship confirmed on Twitter that the “airsp.co” link is legitimate. 

If we load the URL on a jailbroken iOS device (just to compare), Safari says it “cannot download this file.” Here’s the response:

If we Google “vnd.apple.pkpass”, we find a link to Apple’s Wallet Developer Guide. 

All these different breadcrumbs point to the SMS and link containing a legitimate Southwest boarding pass… It’s not ours, but probably the result of someone mistyping their phone number. At least it wasn’t something nefarious! 

Certain applications, including Apple Wallet, aren’t supported on our virtual iOS devices. This is why Safari could not “download this file.” On a physical iOS device, clicking the link causes Apple Wallet to load the boarding pass.

Ever received a suspicious SMS with a link? Here's how to determine whether the link is just spam or something more nefarious.

Checking Suspicious Links in Corellium

Our latest release adds website improvements, an API update, bug fixes, and a new user profile page.

Responsive design enhancements to the front end

Updated response for the createUser() API call

Added modal reporting for user during error states

Enhanced stability for VMs during deployment

Fixed issue preventing Xcode DDI mount on iOS 15.4

Corellium version 3.9.0 contains updated Frida support as well as bug fixes and improvements to the user experience.

Updated Frida for Android to version 15.1.16

Improvements and bug fixes to the user interface

Fixed an issue causing the network monitor to crash

Improvements to query images uploaded to the project 

Fixed an issue with blocked navigation links in Firefox

Added support links to headers for device features, e.g. Connect, Files, Apps, Console

Support downloading files simultaneously from the device filesystem 

For this release we have added support for iOS 15.4 & 15.4.1.

The Corellium team is excited to announce the release of many user experience improvements, simulate receiving SMS to iOS, frames of various Android devices, Android 12 upgrade, as well as bug fixes. 

Device tools have been stacked vertically for easier navigation. 

"Peripherals" renamed to "Sensors” in device tools. 

Device selection has been updated to not require unselecting of current device. 

Simulate receiving an SMS message on the iOS virtual device.

11 Android device frames have been added. 

Upgraded AOSP 12 from beta 1 to revision 26.

Allow shell scripts to be used as the main executable of a process.

Fixed Cydia Installations in iOS 15.2 and later. 

On-Site: Bug fix when instance gateway is set to “default."

Broken links for Knowledge Base articles updated. 

In this latest release, we've added iOS 15.3 and iOS 15.3.1, STUN for WebRTC to allow for functional displays in strict firewall environments, improved snapshot functionality, added a start timestamp to the instance object on the Corellium-API, and other various bug fixes. 

STUN for WebRTC enabling displays on strict firewall environments.

Improvements for multiple snapshot creation.

Added start timestamp field to Corellium-API. Attribute is useful for knowing how long an instance has been in the current state.

Fixed bug on Android devices related to networking issues on a soft-restart.

Bug fix for Android Settings crash when launched.

We are excited to announce in this release that we've added Pop-Out Displays for Virtual Device Screens, and a bug fix for cloning Snapshots.

Pop-Out Display of Virtual Device Screens

This release provides iBoot for iPhone 12, improved API instructions for on-site customers, and bug fixes for custom kernel uploads & API internet access toggling.

Improved API instructions for on-site customers

Fixed a bug that prevented turning on internet via API in projects

Fixed a bug that stuck devices in deleting state when uploading custom kernels

In this release, we've added support for iPhone 13 and iOS peripherals, including Biometrics and Accelerometer. We also improved our error handling.

Support for toggling iOS biometrics to pass / not pass

Support for iOS sensors, including accelerometer / motion

Our latest release brings support for iOS 14.8 and iOS 15, as well as support for GPS on iOS device.

Reduced frequency of payment attempts for past due invoices

Current credit balance now displayed in the UI

Fixed an error in changing the IP Address for the on-site installer

Enables GPU acceleration for all Android devices on Enterprise accounts

This update adds support for iOS 14.7 and iOS 15. Since iOS 15 is still in beta, it's only supported for on-site customers.

Support for iOS 15 betas 1-4 (on-site only)

In this update, we're very excited to add support for Sensors and Camera for our virtual Android devices, as well as beta support for Android 12!

Note: Sensors and Camera may not be available or may behave differently on any pre-existing Android devices created prior to this update.

Added support for sensors for Android devices

Added support for camera pass-through for Android devices

Implemented an API for shell access (ShellExec)

Fixed a bug that allowed improperly formatted UDIDs to be applied

Fixed a bug that caused the CoreTrace thread & process list not to populate for iPhone 12 iOS 14.6

Added the ability to export a pcap of the log from the Network Monitor tool

Fixed a bug that caused some apps to timeout on launch on iOS 14.5.1 with PAC enabled

(For on-site customers, Release 2.9.1 incorporates Release 2.9)

Improve the load time of images in the Create Device modal

Increase trial time from one hour to six hours

Fix a Frida-related panic on iOS 14.5+ and enable integrated Frida tab on 14.5+

Disable certificate pinning by default for applications on jailbroken iOS devices

Automatically connect to the device display 

Improves CoreTrace reporting on XNU and Linux

Increases minimum password length for accounts

Adds support for multiple connections to a project or instance via the same openvpn client configuration

This cloud-only release provides support for variable screen sizes in the API, as well as minor bug fixes.

Support for variable screen sizes in the API

Support for toggling GPU acceleration per domain

Fixed a bug that caused Network Monitor to be displayed for non-jailbroken no-agent devices

Fixed an issue with the API that allowed users to create projects without a name

Fixed an issue that prevented re-subscribing after canceling a usage-based account

Fixed a bug that caused Enterprise Team Leads to see an option to invite users and manage teams when this functionality was not available at this permission level

This release provides support for 14.5 betas and Network Monitor for iOS.

Added support for Network Monitor for iOS-based device models

Fixed a bug that could cause errors in upgrading on-site installations

Fixed backwards compatibility with iOS 14.0 betas

This release provides on-site customers with the new ability to load their own models to the hypervisor. It also adds support for copying and pasting data to iOS-based device models. 

Added support for loadable firmware models for on-site users

Added Copy/Paste for iOS devices. Note that for both Android and iOS-based device models, copy/paste behavior is inconsistent across different web browsers. In particular, data is unable to be pasted into a VM in the Firefox browser, and data is unable to be copied out of a VM in the Safari browser. 

Fixed a bug in switching from monthly to usage-based subscriptions

Fixed a bug that prevents resubscribing after cancelling a usage-based account

Fixed a bug that could cause snapshots to becoming stuck in a Restoring state

Fixed a bug causing incompatibility between A14 iPhone device models and Xcode

Fixed a bug that caused graphical glitches in apps that use WKWebview

Implemented missing ACM protocol extensions and messages for iOS-based device models

This update provides support for iOS 14.4 and adds Frida support for iOS-based devices.

Added support for Frida console for iOS devices

Fixed an intermittent bug causing A14-based models to freeze during restore in Graviton environments

Fixed an error causing IPSWs to fail to upload in Graviton environments

Fixed an error causing iPhone XR and XS device models to panic when APRR was set

This update provided minor bug fixes for the cloud.

Fixed an NVMe panic after pause or reboot from a READ timeout

Fixed a bug that caused ffmpeg to cause unknown device error

Fixed a bug that cause the Kill button in the app tab to occasionally not respond to a click

Added a connection token to vstrm servers, telegfx, and crlm-stream

Resolved an issue with a device that was stuck in the Deleting state

We're very excited to announce that this release brings Apple device models to Individual accounts. With this release, Individual accounts will also see new advanced settings, including the ability to upload custom kernels and ramdisks. In addition, all accounts will now be able to adjust the number of CPU cores and the amount of RAM assigned to generic Android devices. 

Support for Apple device models in Individual accounts

Support for custom kernel and ramdisk in Individual accounts

Improve error messaging for custom kernel and ramdisk

Enable users to change the amount of CPUs and RAM for generic Android devices

Update to the latest AOSP 10 and 11 revisions

Improve stability of links for latest OpenGApps versions

Upgraded the Android 8 Linux kernel version from 3.18 to 4.4

This update brings Enterprise customers support for the Apple A14 devices, including iPhone 12, iPhone 12 mini, iPhone 12 Pro, and iPhone 12 Pro Max. It also implements encryption for AWS S3 backed volumes, and fixes some minor bugs in iOS 14 support. 

Added support for iPhone 12, iPhone 12 mini, iPhone 12 Pro, and iPhone 12 Pro Max

Implemented encryption for AWS S3 backed volumes in the cloud

Fixed a bug preventing keyboard input on iOS 14

Fixed a bug that caused Cydia UI not to display on iOS 14

With this update, we're very excited to now offer Usage-Based Billing for our cloud subscribers. Users can now subscribe to Individual or Enterprise Usage-Based accounts, where devices they create are charged for on an hourly basis. Please visit the Subscription page in your account to view additional details about subscribing to Usage-Based accounts.

Allow writing to filesystems on Android 11

Prevent user from taking an Android snapshot before a device is fully shut down

In this release, a key highlight is that users are now allotted Stored Device slots, enabling users to store Off devices without occupying CPU cores. For each On device permitted on the user's account, up to 5 total devices can be stored. For example, a user with a 3-device Individual account will now have 15 "stored device" slots. Note that On devices count toward the total stored device count, so a user with a 3-device account could have 3 On devices and 12 Off devices.

Here is the full list of changes in this release:

Enabled users to store Off devices without occupying CPU cores

Updated support for iOS versions 14.1 and 14.2 with fixes for the panic patch and display firmware versions

Enabled support for copy and paste to a VM

Fixed a bug that caused iOS 14.0+ devices to fail to connect to network

Fixed a bug that caused large files and apps to sometimes fail to upload to cloud accounts

Fixed a bug that caused the Data folder to be inaccessible on iOS 13.4.1+

Fixed a bug that caused Flutter apps to fail to start on Android devices

Support for Network Monitor for Android devices

Support for Frida Console for Android devices

Checking Suspicious Links in Corellium

Step 1: Create your virtual device

Step 2: Start the Network Monitor

Step 3: Load the suspicious URL

Step 4: Review captured packets

A note about virtual iOS devices