Mobile Application Testing with Corellium

The hardest part about performing a pentest on a mobile application is keeping a device around for dynamic testing. Upkeeping a backlog of various devices and OS versions can be very cumbersome, especially for iOS devices. You may be thinking, "Well, I can just emulate an Android device”. This is true, using a solution like Android Studio to emulate an Android device is super easy to set up and mostly eliminates the need to keep a collection of Android devices around. But what about iOS devices? That’s where Corellium comes into play. If you’ve never heard of Corellium it is a cloud-based platform that uses ARM cloud devices to run both iOS and Android emulators natively on an ARM processor.

To show off the platform a little we are going to go through setting up a new iPhone and installing the OWASP MAS UnCrackable 1 for iOS to the device. After getting access to the platform and logging in you will be greeted with a screen like the one pictured below.

On this screen, you will select “Create device” which will take you to a new screen that will guide you through 4 to 5 steps for setting up a new device.  The first step will be selecting a project for your device to live in.

Corellium project selection

After selecting a project, you will be asked to select a device type. This is where you will select the specific Android or iOS device you want to use for emulation. Corellium has a massive catalog of devices to choose from so odds are you’ll find what you’re looking for. If you look under each device, you’ll notice a CPU core count and if you remember back to the project selection, each project has a limited number of CPU cores. When selecting devices make sure that you have enough CPU cores in your project to run the device. For this walkthrough, we went with an iPhone 12.

Corellium device select

The next step is to select the operating system version and whether or not to jailbreak the device. One of our favorite features in Corellium is the ability to specify if the device should be pre-jailbroken or not. This is super helpful when testing root/jailbreak detection of an application's security controls.

Corellium firmware selection

The last step for our setup is to confirm our configuration and name the device. If you want to customize the boot-up process you can check the box to set advanced boot options but for the sake of this walkthrough, we are going to ignore that. Once you have everything confirmed you will click “Create Device”

Corellium configuration confirmation

Now all we have to do is wait for the device to create and boot, this can take a little bit of time so go make yourself a cup of coffee and wait till it is completed.

Corellium Device Creation

Once the device is done building and a restore point is set you will see an active device in the browser that you can interact with via the browser.

iPhone 12 in Corellium

You can also interact with the device via SSH or a USB-based tool. To do either you will need to click the Connect tab on the left-hand side and follow the instructions for connecting. If you plan on using a USB-based tool you will need to follow Corellium’s instructions for setting up USB-Flux. With that out of the way, you can click the App tab to look at the installed apps as well as install an app via APK or IPA.

Corellium applications tab

This is as simple as clicking the Install App button and letting Corellium do its thing. Once it is done you will see your app pop up on the device screen. With that, you are good to go and you can start your dynamic application testing process.

iPhone 12 with Uncrakable installed

If you are a pentester who focuses on mobile applications we highly recommend adding Corellium to your arsenal. If you are interested in a mobile application penetration test please reach out to us at sales@valkyireops.com .

https://www.corellium.com/

Previous
Previous

Rapid Operation Deployment a framework for Red Team Deployments

Next
Next

BlackCat on the Run, FBI Online Crime Statistics and BEC Targeting the US Government.