Testing iOS Apps
Independent investigative research of third-party apps is an important and widespread practice that substantially contributes to the safety and security of end-users. Third-party research of iOS apps has led to the discovery of numerous fraudulent, fleecing, and malicious applications, which would otherwise likely have continued to harm users without notice. Independent researchers are also a vital resource in helping large enterprises discover vulnerabilities that could be exploited to harm users.
A common scenario where a security researcher might need to test a third-party app from the App Store is a bug bounty or an authorized third-party review of mobile applications with rewards for certain types of vulnerabilities discovered. For example, the multi-billion-dollar financial company Wise invites independent security testers to test and report security defects in their iOS mobile apps in exchange for up to $4,000 per vulnerability.
Another common scenario is to independently investigate the security of popular applications. For example, Google Project Zero performed a security analysis of popular App Store apps, including WhatsApp, to identify security defects that could be used by hackers to compromise a user's device. There is ample evidence that such vulnerabilities, left undiscovered, are exploited by criminal hackers and foreign governments to compromise the physical devices of iOS users, including journalists. This type of independent investigative research plays a crucial role in protecting the safety and security of end users.
App Store Access & TestFlight
By design, Corellium's virtual iOS-based devices do not enable access to Apple services, including the Apple App Store. Additionally, you will not be able to load apps distributed through TestFlight, as TestFlight relies on the App Store for distribution and its apps are encrypted.
As a result, a Corellium user cannot directly download an app from the App Store for testing on a Corellium device, nor can they load an encrypted app that has been downloaded from the App Store on another device. To test an app on a Corellium device, users can only load a signed, unencrypted version of the app.
In cases where a user has developed the app themselves, or where the app's source code is provided to the researcher by the original developer, loading the app onto a Corellium device is straightforward. The app is simply built and signed, and then it can be loaded to the device through a program like Xcode or with Corellium's integrated Apps tool.
However, Corellium's users, and security researchers more generally, often have a specific need to test third-party applications from the Apple App Store that they have not developed themselves, and for which they do not have source code.
App Store DRM and the DMCA
Because the App Store is not enabled on Corellium virtual devices, if a researcher wishes to test a third-party app from the App Store, the researcher must first download the app on a physical device to obtain the required app in its binary form, called an IPA.
However, binaries sourced directly from the App Store cannot be audited as downloaded. This is because apps downloaded from the App Store are protected with Apple's Digital Rights Management (DRM) technology called Fairplay. Fairplay encrypts parts of the application so that the code of the application cannot be viewed directly by reverse-engineering tools, and the application can only be run on authorized devices. Apple provides the DRM decryption key to authorized physical devices by tying the key to the physical hardware and Apple ID of the user in an obfuscated form. When the application is run by a user on an authorized device, iOS obtains and uses this key to decrypt and run the application.
Importantly, the App Store DRM encryption key does not – and is not designed to – provide any privacy or security advantage to the application, device, or user. Rather, Fairplay only serves to prevent App Store apps from being run, analyzed, or disassembled outside an Apple-authorized environment.
In the United States, the Digital Millennium Copyright Act 17 U.S.C. 1201, or DMCA, makes it illegal and actionable to circumvent certain types of DRM. However, the DMCA also provides exemptions, such as for certain kinds of security research. A qualified attorney can help you determine if your research qualifies under the DMCA exemptions.
Third-Party Tools
Corellium does not support running apps that are encrypted using Apple Fairplay DRM, and Corellium does not provide any tools, instructions, or legal advice for decrypting applications from the App Store. Additionally, while physical jailbroken devices may be used to decrypt apps, Corellium's "jailbroken" virtual devices specifically do not enable access to the App Store and do not facilitate the decryption of apps.
Other third-party tools are widely available for decrypting applications for security research purposes. Typically, this process makes use of a jailbroken physical device. Tools to decrypt App Store apps are widely used, and Apple has never sought to use the DMCA to prevent this. App Store decryption is sufficiently common that large numbers of high-profile cybersecurity firms and individuals overtly develop tools for this purpose, teach students to use these tools, and openly advertise using these tools as part of their cybersecurity practice. Corellium does not promote or endorse these tools, and Corellium strongly condemns the use of such tools for piracy. The decryption of apps for piracy is a violation of our terms of service and will result in account termination.
How to Install Apps
Our Apps tool enables you to conveniently view, install, and manage applications on the virtual device. The Apps tool lists all applications (or packages, on Android) on the virtual device. For each app, it displays the name, date installed, type (System or User), and size of the file. It also provides buttons to launch or kill the app, and if the app can be uninstalled, a button to uninstall the app.
Install & Run Apps on Jailbroken Devices
On a jailbroken device, you can simply upload the unencrypted, signed app via the Apps tab, and it should launch and run as normal. If you encounter signing-related issues when doing this, please try to re-sign the app with ldid using the steps below.
Re-sign Apps with ldid
This is the recommended approach for re-signing apps for jailbroken devices. You can find documentation for the ldid tool here.
Starting with the 7.3 release, it is no longer required to re-sign unencrypted apps for jailbroken devices. This only applies to iOS devices that have been created after the 7.3 release.
- Install the ldid tool. One way is through Homebrew:
  brew install ldid
- Unzip the .ipa:
  unzip /path/to/app.ipa
- Re-sign the app, referencing the path to the app's binary:
  ldid -S -M Payload/App.app/AppBinary
- Zip the app back up:
  zip -r signed-app.ipa Payload/
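The four steps above as a single script, added here as an example and not Corellium's own tooling: it reads the binary name from the bundle's Info.plist instead of hard-coding it, also signs embedded frameworks and app extensions (which the steps above do not mention), and rebuilds the IPA. It assumes macOS with ldid, unzip, zip and plutil available.

```shell
#!/bin/sh
# Added example (not Corellium's tooling): the ldid re-sign steps as one script.
# Assumes macOS with ldid (brew install ldid), unzip, zip and plutil installed.
set -eu

# Print CFBundleExecutable from an XML Info.plist read on stdin, so the
# binary name comes from the bundle instead of being hard-coded.
bundle_executable() {
  sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}'
}

# Map a bundle directory (.app, .appex or .framework) to the Mach-O inside it
# that ldid must sign.
bundle_binary_path() {
  case "$1" in
    *.framework) printf '%s/%s\n' "$1" "$(basename "$1" .framework)" ;;
    *)  # .app / .appex: look the name up in Info.plist; App Store bundles
        # usually ship a binary plist, so convert that to XML on the fly.
        if head -c 5 "$1/Info.plist" | grep -q '<?xml'; then
          exe=$(bundle_executable < "$1/Info.plist")
        else
          exe=$(plutil -convert xml1 -o - "$1/Info.plist" | bundle_executable)
        fi
        printf '%s/%s\n' "$1" "$exe" ;;
  esac
}

# Unzip, sign every embedded framework/extension and then the main binary,
# and zip Payload/ back up so the result is still a valid IPA.
resign_ipa() {
  ipa=$1; out=$2
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac
  work=$(mktemp -d)
  unzip -q "$ipa" -d "$work"
  app=$(find "$work/Payload" -maxdepth 1 -name '*.app' | head -n 1)
  [ -n "$app" ] || { echo "no .app bundle under Payload/" >&2; rm -rf "$work"; return 1; }
  find "$app" -type d \( -name '*.framework' -o -name '*.appex' \) | while IFS= read -r b; do
    ldid -S -M "$(bundle_binary_path "$b")"
  done
  ldid -S -M "$(bundle_binary_path "$app")"
  (cd "$work" && zip -qr "$out" Payload)
  rm -rf "$work"
  echo "wrote $out"
}

# Usage: ./resign.sh /path/to/app.ipa signed-app.ipa
[ $# -eq 0 ] || resign_ipa "$1" "${2:-signed-app.ipa}"
```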
Install & Run Apps on Non-Jailbroken Devices
When testing on non-jailbroken devices, you'll typically fall into one of two scenarios, both assuming the app is unencrypted.
Scenario #1
- App has been distributed through Xcode and signed with a paid Apple Developer account. Depending on the distribution method used, you'll need to follow specific steps to run the app on a non-jailbroken iOS device.
  For example, if your app was distributed via the Ad Hoc method, you need to apply a provisioned device UDID to the virtual iOS device and then reboot the device in order to install the app. Here's an example script for extracting the provisioned device UDIDs from your app.
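The UDID extraction the text refers to, written here as an added example rather than Corellium's own script: it pulls embedded.mobileprovision out of the IPA, strips the CMS envelope with macOS's security tool, and lists the ProvisionedDevices UDIDs so you know which one to apply to the virtual device. The plist parsing is plain awk; the security and unzip commands are assumed to be available (macOS).

```shell
#!/bin/sh
# Added example (not Corellium's own script): list the device UDIDs that an
# Ad Hoc or Development build's embedded.mobileprovision allows.
# Assumes macOS (security, unzip available).
set -eu

# Read a decoded (XML plist) provisioning profile on stdin and print one UDID
# per line. Prints nothing for App Store or Enterprise profiles, which carry
# no ProvisionedDevices array.
provisioned_udids() {
  awk '
    /<key>ProvisionedDevices<\/key>/ { after_key = 1; next }
    after_key && /<array>/           { in_array = 1; next }
    in_array  && /<\/array>/         { exit }
    in_array  && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17)   # strip <string> and </string>
    }
  '
}

# Exit 0 if the given UDID is in the profile read on stdin, 1 otherwise.
profile_allows_udid() {
  provisioned_udids | grep -qix "$1"
}

# The .mobileprovision is a CMS/PKCS#7 envelope around the plist;
# `security cms -D` strips the envelope and prints the XML.
udids_from_ipa() {
  ipa=$1; work=$(mktemp -d)
  unzip -q "$ipa" 'Payload/*.app/embedded.mobileprovision' -d "$work" || true
  prof=$(find "$work" -name embedded.mobileprovision | head -n 1)
  if [ -z "$prof" ]; then
    echo "no embedded.mobileprovision: not an Ad Hoc/Development build" >&2
    rm -rf "$work"; return 1
  fi
  security cms -D -i "$prof" | provisioned_udids
  rm -rf "$work"
}

# Usage: ./udids.sh /path/to/app.ipa
[ $# -eq 0 ] || udids_from_ipa "$1"
```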
Scenario #2
- You've obtained an unencrypted app and it's failing to install on non-jailbroken virtual iOS devices due to signature-related issues. In this case, we recommend using Sideloadly.
Troubleshoot Application Crashes
A common reason for application crashes is jailbreak detection. If you need to test with this build of the application, you can try to install the app on a non-jailbroken virtual device with Sideloadly. Otherwise, you would need to defeat the app's protections in order to run it on a jailbroken device, or attempt to acquire a build of the app with protections removed to test with.
Another frequent reason for application crashes is when the app requires a physical GPU to be present. These are usually graphics-intensive applications, such as games. Since our virtual devices do not currently support Metal directly, any app that cannot fallback to software rendering will likely not work as expected.
If your app is crashing after launch or not working as expected and it’s not related to jailbreak detection or Metal, please collect the following information to help us troubleshoot:
- Does your app launch and run on a real device of the same model and OS version?
- What is the behavior being seen with the app?
- If possible, provide us the .ipa file for further investigation. If the app cannot be shared, try to gather the iOS syslogs and .ips files for your app as shown below.
Gather Logs
The logs can show valuable insight into why your application is crashing. You can manually create a log of the application that is crashing.
- Start the stream of iOS syslogs to a file:
  log > ios_syslogs.txt
- Launch the application.
- Produce the crash with the app. Use Ctrl + C to stop the log streaming.
- The log file is written to the device's filesystem; you can inspect it on the device or copy it back to your local workstation for review.
In addition to the iOS syslogs, .ips files also hold valuable info as to why the app is crashing. In the event of an iOS app crash, an .ips file is typically generated. This is stored on the device under /private/var/mobile/Library/Logs/CrashReporter/; the .ips file name will reference the name of the process and the timestamp of the crash report creation.