Usage in the UI
One way to use our MATRIX solution is through the Corellium UI.
Create a Device
To get started, go to the Devices page and click “Create device”. Then choose a project under which to house the device.
Next, create a compatible device to run MATRIX. We currently support running MATRIX on rooted Android devices and jailbroken iOS devices. For this example, we'll use a jailbroken iPhone 15 Pro Max running iOS 17.7. On Android devices, you interact with MATRIX in the same way.
On Android, you need to manually set the device to use 4 cores. During the creation process, select the "Set advanced boot options" checkbox to adjust the number of CPU cores on the Android device before running the tests. This adjustment is only needed when using MATRIX through the UI.
After selecting your device, click "Create device" and wait for it to boot. How long a newly created device takes to become usable varies with the complexity of the device and whether the firmware file needs to be downloaded to the server.
Create a Test
Once the device is ready, click the "MATRIX" tab on the left. Previously run MATRIX tests are listed here; this is known as the History page. To begin a new MATRIX test, click "New test".
Select the application you want to test from the list of installed applications, or install a new app. We'll be running a MATRIX test against the Corellium Cafe application.
After you have selected the app and pressed the "Continue" button, you can optionally upload a "keywords" text file. This is a newline-separated list of case-sensitive keywords that MATRIX will search for when looking for vulnerabilities in the application. These could include known credentials, API keys, or other sensitive information. To use regular expressions (regexes) in your keywords .txt file, wrap them in regex(/.../). For instance, to find all credit card numbers that start with “1234”, add a line to the .txt file that reads regex(/^1234/).
Please review our MATRIX Known Issues page to find out whether your iOS device supports regex.
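To make the keywords file format concrete, here is an added example (not Corellium's code) that parses a file in the format described above and runs its entries over some constructed captured strings. It assumes that entries not wrapped in regex(/.../) are case-sensitive literal substrings and that blank lines are ignored; the keyword values and sample strings are constructed for the example.

```python
import re

# Constructed keywords file in the format the page describes: one entry per
# line, literal keywords are case sensitive, regexes are wrapped in
# regex(/.../). Ignoring blank lines is an assumption of this example.
KEYWORDS_TXT = r"""DEMO_API_TOKEN_123
hunter2
regex(/^1234/)
regex(/api[_-]?key\s*[:=]/)
"""

REGEX_WRAPPER = re.compile(r"^regex\(/(.*)/\)$")

def parse_keywords(text: str) -> list[tuple[str, re.Pattern]]:
    # Returns (original entry, compiled pattern). Literal entries are escaped
    # so '.' or '$' in a keyword match themselves; regex entries are compiled
    # exactly as written between the slashes.
    patterns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = REGEX_WRAPPER.match(line)
        if m:
            patterns.append((line, re.compile(m.group(1))))
        else:
            patterns.append((line, re.compile(re.escape(line))))
    return patterns

def scan_lines(lines: list[str], patterns) -> list[tuple[int, str]]:
    # Each captured line is searched on its own, so '^' anchors to the start
    # of that line, which is what the page's regex(/^1234/) example relies on.
    hits = []
    for lineno, captured in enumerate(lines, start=1):
        for entry, pat in patterns:
            if pat.search(captured):
                hits.append((lineno, entry))
    return hits

# Constructed sample of strings a monitoring session might capture.
SAMPLE_CAPTURE = [
    "1234567812345678",              # starts with 1234 -> regex hit
    "password=hunter2",              # exact-case literal hit
    "Authorization: HUNTER2",        # wrong case -> no hit
    "x-api-key: DEMO_API_TOKEN_123", # literal hit plus api-key regex hit
    "note 1234 in the middle",       # '^1234' does not match mid-line
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_CAPTURE, parse_keywords(KEYWORDS_TXT)):
        print(hit)
```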
When you press the "Save & continue" button, MATRIX moves on to the monitoring stage, where you perform the interactions with the device.
Monitor and Collect Data
Once you've created your test, begin collecting data from your virtual device by clicking "Start monitoring". You do not need to start the target application manually; the app is launched automatically after you click "Start monitoring". After monitoring has begun, the app is automatically restarted.
While monitoring is in progress, perform all the desired interactions with the application. When you've finished, click the "Stop monitoring" button to stop collecting data. After stopping the monitor, the app is automatically restarted again.
Run the Test
Once monitoring is complete, you can run the test, which consists of the checks. Click the "Run test" button to begin.
The test and its checks will run automatically. Once complete, you'll be able to view the results.
View the Results
Finally, you can view your report! In our UI, the report is broken down into two key areas: Results and Details. Results gives you an overview of the app, the device, and the report itself, as well as a high-level count of how many tasks passed, failed, or errored. Details gives you a detailed breakdown of the security issues identified by the checks.
Alternatively, you can download the report as a JSON or HTML file by clicking the three dots in the top right corner of the results page. You can learn more about these formats on the Reporting page. You can filter the results by category, test status, and severity.
Scroll down to see the results of each check. By clicking the chevron for a given check, you can see the following:
- An explanation of the check.
- The impact of the check.
- How to remediate the security issue, shown when the check is failing.
- If the check fails, the evidence showing why it failed.
In a future version of MATRIX, we intend to let you customize the status and severity of a check’s results, so that you can mark false positives or tailor the results to your organization's security profile.
Viewing the Artifacts
You can view the artifacts generated by the test by clicking the "Artifacts" tab. You can learn more about the artifact formats on the Artifacts page.
History and Retesting
You can view the results of your historical MATRIX tests and retest apps as needed. The MATRIX test history can be viewed whether the device is on or off. Click the "View History" button to view your previously run tests. For more details, visit the History page.