Independent investigative research of third-party apps is an important and widespread practice that substantially contributes to the safety and security of end-users. Third-party research of iOS apps has led to the discovery of numerous fraudulent, fleecing, and malicious applications, which would otherwise likely have continued to harm users without notice. Independent researchers are also a vital resource in helping large enterprises discover vulnerabilities that could be exploited to harm users.
A common scenario where a security researcher might need to test a third-party app from the App Store is a bug bounty or an authorized third-party review of mobile applications with rewards for certain types of vulnerabilities discovered. For example, the multi-billion-dollar financial company Wise invites independent security testers to test and report security defects in their iOS mobile apps in exchange for up to $4,000 per vulnerability.
Another common scenario is to independently investigate the security of popular applications. For example, Google Project Zero performed a security analysis of popular App Store apps, including WhatsApp, to identify security defects that could be used by hackers to compromise a user’s device. There is ample evidence that such vulnerabilities, left undiscovered, are exploited by criminal hackers and foreign governments to compromise the physical devices of iOS users, including journalists. This type of independent investigative research plays a crucial role in protecting the safety and security of end users.
How to Install Apps
Our Apps tool enables you to conveniently view, install, and manage applications on the virtual device. The Apps tool lists all applications (or packages, on Android) on the virtual device. For each app, it displays the name, date installed, type (System or User), and size of the file. It also provides buttons to launch or kill the app, and if the app can be uninstalled, a button to uninstall the app.
To load an iOS app on a virtual device, it must be unencrypted and signed. If you're a pentester requesting an app from a client, please ensure your client provides you with an unencrypted, signed copy of the app. If you receive an error when uploading an app, please ensure your app is appropriately signed and that you can load it on a physical device.
All iOS applications must be signed before they can be installed on a real or virtual device. Corellium does not enable users to download apps from the App Store. Additionally, you will not be able to load the copy of the app that is distributed on TestFlight. TestFlight uses the App Store for distribution, so TestFlight apps are encrypted.
On a jailbroken device, you can simply upload the unencrypted, signed app via the Apps tab, and it should launch and run as normal. On a non-jailbroken device, you will need to match the UDID of the virtual device with a UDID from the provisioning profile used to sign the app. You can adjust the UDID of the virtual device in Settings, then the Device IDs tab. Once you update the UDID, click "Save and Reboot" for the change to take effect.
Once your app is properly signed and the UDID is set accordingly, click the "Install" button on the Apps tab and select your signed .ipa file. A green progress bar will appear at the bottom of the screen indicating the progress as your app is uploaded and installed on the device. Once installation is complete, the app will appear in the list of Apps, as well as on the virtual device screen.
If you are having trouble loading an app, please check the following before contacting support:
- Does your app load on a real device of the same model and OS version?
- If you are loading an iOS app, is it properly signed? Does it have the proper entitlements?
App Store Access
By design, Corellium’s virtual iOS-based devices do not enable access to Apple services, including the Apple App Store. As a result, a Corellium user cannot directly download an app from the App Store for testing on a Corellium device, nor can they load an encrypted app that has been downloaded from the App Store on another device. To test an app on a Corellium device, users can only load a signed, unencrypted version of the app.
In cases where a user has developed the app themselves, or where the app’s source code is provided to the researcher by the original developer, loading the app onto a Corellium device is straightforward. The app is simply built and signed, and then it can be loaded to the device through a program like Xcode or with Corellium’s integrated Apps tool. However, Corellium’s users, and security researchers more generally, often have a specific need to test third-party applications from the Apple App Store that they have not developed themselves, and for which they do not have source code.
App Store DRM and the DMCA
Because the App Store is not enabled on Corellium virtual devices, if a researcher wishes to test a third-party app from the App Store, the researcher must first download the app on a physical device to obtain the required app in its binary form, called an IPA.
However, binaries sourced directly from the App Store cannot be audited as downloaded. This is because apps downloaded from the App Store are protected with Apple’s Digital Rights Management (DRM) technology called Fairplay. Fairplay encrypts parts of the application so that the code of the application cannot be viewed directly by reverse-engineering tools, and the application can only be run on authorized devices. Apple provides the DRM decryption key to authorized physical devices by tying the key to the physical hardware and Apple ID of the user in an obfuscated form. When the application is run by a user on an authorized device, iOS obtains and uses this key to decrypt and run the application.
Importantly, the App Store DRM encryption key does not – and is not designed to – provide any privacy or security advantage to the application, device, or user. Rather, Fairplay only serves to prevent App Store apps from being run, analyzed, or disassembled outside an Apple-authorized environment.
In the United States, the Digital Millennium Copyright Act 17 U.S.C. 1201, or DMCA, makes it illegal and actionable to circumvent certain types of DRM. However, the DMCA also provides exemptions, such as for certain kinds of security research. A qualified attorney can help you determine if your research qualifies under the DMCA exemptions.
Corellium does not support running apps that are encrypted using Apple Fairplay DRM, and Corellium does not provide any tools, instructions, or legal advice for decrypting applications from the App Store. Additionally, while physical jailbroken devices may be used to decrypt apps, Corellium’s “jailbroken” virtual devices specifically do not enable access to the App Store and do not facilitate the decryption of apps.
Other third-party tools are widely available for decrypting applications for security research purposes. Typically, this process makes use of a jailbroken physical device. Tools to decrypt App Store apps are widely used, and Apple has never sought to use the DMCA to prevent this. App Store decryption is sufficiently common that large numbers of high-profile cybersecurity firms and individuals overtly develop tools for this purpose, teach students to use these tools, and openly advertise using these tools as part of their cybersecurity practice. Corellium does not promote or endorse these tools, and Corellium strongly condemns the use of such tools for piracy. The decryption of apps for piracy is a violation of our terms of service and will result in account termination.
Troubleshoot Third-Party iOS Apps
Whether the application is failing upon installation or crashes upon launch, this section aims to provide some further insight into these issues.
Corellium cannot help or advise you on how to obtain an unencrypted application, other than a test IPA file called red.ipa which can be found on our public-facing GitHub: https://github.com/corellium/corellium-api/blob/master/test/Red.ipa.
App Verification on Jailbroken Devices
Installing applications on jailbroken devices requires the app's bundle to be verified in order for the iOS kernel to execute the binary. In this article, we will be verifying the application by signing the app's bundle with the extracted entitlements from the app's binary using the
Inspect the App Bundle
It is important to gather information about the application.
After unzipping the .ipa, a Payload folder will be created with the .app bundle inside. You can inspect the app's entitlements with the following command:
codesign -dvvv --entitlements - MyApp.app
For inspecting the Code Directory Hash:
codesign -dv --verbose=4 MyApp.app
Check the Authority lines in the output and make sure none of them name an Apple authority before the app is uploaded to a virtual device; an Apple-issued chain means the bundle is still carrying its App Store signature and needs to be re-signed.
Sign the IPA
We will be using the ldid tool to sign the app to work for jailbroken devices. Resigning the app with your own developer certificate will break the entitlements (push notifications, keychain, etc).
You can accomplish this task with the series of commands below.
Extract the entitlements.
ldid -e Payload/MyApp.app/MyApp > ents.xml
Sign the app bundle with the extracted entitlements using an ad hoc signature. Signing ad hoc ensures a cdhash is generated that covers the executable code.
codesign -fvvvv -s - --entitlements ents.xml Payload/MyApp.app
zip -r signed-MyApp.ipa Payload/
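The inspect, extract and sign steps above, collected into reusable functions as an added example (this is not Corellium's own tooling). It assumes a macOS host with codesign, ldid and zip on PATH, and that the .ipa has already been unzipped so that ./Payload/MyApp.app exists. The two sample codesign descriptions embedded at the bottom are constructed (placeholder sizes and hash counts) so the Authority and ad hoc checks can be exercised without a bundle at hand.

```shell
#!/bin/sh
# Added example, not Corellium's own tooling. Wraps the inspect, extract and
# sign steps from this section into functions. Assumes a macOS host with
# codesign, ldid and zip on PATH, and that the .ipa has been unzipped so that
# ./Payload/<App>.app exists. The sample codesign output below is constructed.

# Read `codesign -dv --verbose=4` output on stdin; succeed if any Authority=
# line names Apple (i.e. the bundle still carries an Apple-issued chain).
has_apple_authority() {
    grep -qE '^Authority=.*Apple'
}

# Read the same output on stdin; succeed if the signature is ad hoc
# (no certificate chain, just a cdhash covering the code).
is_adhoc_signature() {
    grep -qE '^Signature=adhoc$'
}

# Run codesign against a bundle on disk and report which case it is.
# codesign writes its description to stderr, hence the 2>&1.
# $1 = path to the .app bundle
describe_bundle() {
    out=$(codesign -dv --verbose=4 "$1" 2>&1)
    if printf '%s\n' "$out" | has_apple_authority; then
        echo "apple-signed: re-sign before uploading to a virtual device"
    elif printf '%s\n' "$out" | is_adhoc_signature; then
        echo "adhoc: ready for a jailbroken virtual device"
    else
        echo "other signer: check the Authority lines manually"
    fi
}

# Extract the binary's entitlements, ad hoc sign the bundle with them, and
# repackage. $1 = app name without extension (e.g. MyApp), $2 = output .ipa
resign_for_jailbroken() {
    app="$1"
    out="$2"
    ldid -e "Payload/$app.app/$app" > ents.xml
    codesign -fvvvv -s - --entitlements ents.xml "Payload/$app.app"
    zip -r "$out" Payload/
}

# Constructed sample outputs (placeholder sizes and hash counts), shaped like
# codesign's verbose description, so the checks can be exercised offline.
SAMPLE_APPSTORE='Executable=/tmp/Payload/MyApp.app/MyApp
Identifier=com.example.MyApp
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Apple iPhone OS Application Signing
Authority=Apple iPhone Certification Authority
Authority=Apple Root CA'

SAMPLE_ADHOC='Executable=/tmp/Payload/MyApp.app/MyApp
Identifier=com.example.MyApp
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc'

# Usage on a real bundle (commented out so the file runs without the tools):
# describe_bundle Payload/MyApp.app
# resign_for_jailbroken MyApp signed-MyApp.ipa
```

Run describe_bundle on the bundle before and after resign_for_jailbroken: the first call should report the Apple chain, the second should report an ad hoc signature, which is the state the section says a jailbroken virtual device will accept.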
Check the Logs
The logs can provide valuable insight into why your application is crashing. You can manually capture a log of the crashing application. Launch the application first, then run the following in the virtual device's console:
log > logs.txt
After a couple of seconds, stop the logging with Ctrl + C (the log fills very quickly). The log file will then appear in the device's file system. Once you download the file to your computer, you can use grep to search the logs for any errors.
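A small triage pass over a downloaded logs.txt, added here as an example and not part of Corellium's documentation or tooling. The grep patterns are an assumption about what usually matters when an app is refused at launch (signing validation and process termination messages); the embedded sample log is constructed and only loosely shaped like iOS log output, so the functions can be tried without a device.

```shell
#!/bin/sh
# Added example, not Corellium's own tooling: a triage pass over a log
# captured with `log > logs.txt` on the virtual device. The patterns are an
# assumption about what usually matters for a launch failure (signing and
# process termination messages); the sample log lines are constructed.

# Print the lines of $1 that look relevant to a crash or a refused launch.
triage_log() {
    grep -iE 'error|fail|denied|killed|crash|amfi|codesign' "$1"
}

# Count those lines (a quick "is there anything here?" check).
count_hits() {
    triage_log "$1" | wc -l | tr -d ' '
}

# Narrow the hits to a single process name, e.g. the app that crashed.
# $1 = log file, $2 = process name
triage_process() {
    triage_log "$1" | grep -F "$2"
}

# Constructed sample log (placeholder timestamps and PIDs).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01 12:00:00.000 Df SpringBoard[60] <Notice>: launching com.example.MyApp
2024-01-01 12:00:00.010 Df kernel[0] <Error>: AMFI: code signature validation failed for MyApp
2024-01-01 12:00:00.011 Df kernel[0] <Error>: MyApp[512] killed: code signing invalid
2024-01-01 12:00:00.020 Df SpringBoard[60] <Notice>: application exited with status -1
2024-01-01 12:00:01.000 Df locationd[70] <Notice>: heartbeat
EOF

# Usage on a real capture: triage_process logs.txt MyApp
```

On the constructed sample, triage_log returns the two kernel lines and nothing else; on a real capture, start with triage_process for the app's name and only widen to triage_log if that turns up nothing.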