Corellium Does Not Enable Access to the Apple App Store
By design, Corellium’s virtual iOS-based devices do not enable access to Apple services, including the Apple App Store. As a result, a Corellium user cannot directly download an app from the App Store for testing on a Corellium device, nor can they load an encrypted app that has been downloaded from the App Store on another device. To test an app on a Corellium device, users can only load a signed, unencrypted version of the app.
In cases where a user has developed the app themselves, or where the app’s source code is provided to the researcher by the original developer, loading the app onto a Corellium device is straightforward. The app is simply built and signed, and then it can be loaded to the device through a program like Xcode or with Corellium’s integrated Apps tool. However, Corellium’s users, and security researchers more generally, often have a specific need to test third-party applications from the Apple App Store that they have not developed themselves, and for which they do not have source code.
Requirements to Load an iOS App
To load an iOS app on a virtual device, it must be unencrypted and signed. If you're a pentester requesting an app from a client, please ensure your client provides you an unencrypted, signed copy of the app.
You will not be able to load the copy of the app that is distributed on TestFlight. TestFlight uses the App Store for distribution, so TestFlight apps are encrypted.
On a jailbroken device, you can simply upload the unencrypted, signed app via the Apps tab, and it should launch and run as normal. You can read more about loading apps on the Apps page.
On a non-jailbroken device, you will need to match the UDID of the virtual device with a UDID from the provisioning profile used to sign the app. You can read more about getting the UDID from your app on the Advanced Settings page.
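The two requirements above (unencrypted binary, and for non-jailbroken devices a UDID present in the signing profile) can be checked before an upload is attempted. The following is an added example, not Corellium tooling: it reads the cryptid from each Mach-O slice's LC_ENCRYPTION_INFO load command and the ProvisionedDevices list from the app's embedded.mobileprovision; the Mach-O offsets follow Apple's loader.h/fat.h layouts, the sample binary, profile and UDID are constructed stand-ins, and the filler around the plist is not a real CMS envelope.

```python
import plistlib
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def slice_cryptids(macho: bytes) -> list:
    """cryptid per architecture slice: 0 = not FairPlay-encrypted, 1 = encrypted."""
    if struct.unpack_from(">I", macho, 0)[0] == FAT_MAGIC:  # big-endian fat wrapper
        nfat = struct.unpack_from(">I", macho, 4)[0]
        archs = [struct.unpack_from(">5I", macho, 8 + 20 * i) for i in range(nfat)]  # cputype, cpusubtype, offset, size, align
        return [c for _, _, off, size, _ in archs for c in slice_cryptids(macho[off:off + size])]
    magic = struct.unpack_from("<I", macho, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image")
    ncmds = struct.unpack_from("<I", macho, 16)[0]
    off, cryptid = (32 if magic == MH_MAGIC_64 else 28), 0  # header size; default unencrypted
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptid = struct.unpack_from("<I", macho, off + 16)[0]  # follows cryptoff, cryptsize
        off += cmdsize
    return [cryptid]

def profile_allows_udid(mobileprovision: bytes, udid: str) -> bool:
    """CMS envelope around an XML plist: extract it and check the device list."""
    start = mobileprovision.index(b"<?xml")
    end = mobileprovision.index(b"</plist>") + len(b"</plist>")
    profile = plistlib.loads(mobileprovision[start:end])
    return bool(profile.get("ProvisionsAllDevices")) or udid in profile.get("ProvisionedDevices", [])

def preflight(macho: bytes, mobileprovision: bytes, udid: str) -> list:
    """Reasons the app would fail to load on a non-jailbroken virtual device."""
    problems = []
    if any(slice_cryptids(macho)):
        problems.append("binary is FairPlay-encrypted (cryptid != 0)")
    if not profile_allows_udid(mobileprovision, udid):
        problems.append("device UDID is not in the provisioning profile")
    return problems

def constructed_macho(cryptid: int) -> bytes:
    """Constructed sample (not a real app): arm64 header plus one LC_ENCRYPTION_INFO_64."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc

def constructed_profile(udids: list) -> bytes:
    """Constructed sample: plist wrapped in filler bytes standing in for the CMS envelope."""
    plist = plistlib.dumps({"Name": "Example Ad Hoc", "ProvisionedDevices": udids})
    return b"\x30\x82\x00\x00" + plist + b"\x00" * 8
```

For a real IPA, unzip it and pass the main executable under Payload/*.app/ to `slice_cryptids` and the bundle's embedded.mobileprovision to `profile_allows_udid`; an empty list from `preflight` means both requirements are met.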
The legitimate need to test third-party iOS Apps
Independent investigative research of third-party apps is an important and widespread practice that substantially contributes to the safety and security of end users. Third-party research of iOS apps has led to the discovery of numerous fraudulent, fleecing, and malicious applications, which would otherwise likely have continued to harm users without notice. Independent researchers are also a vital resource in helping large enterprises discover vulnerabilities that could be exploited to harm users.
A common scenario where a security researcher might need to test a third-party app from the App Store is a bug bounty, or an authorized third-party review of mobile applications with rewards for certain types of vulnerabilities discovered. For example, the multi-billion-dollar financial company Wise invites independent security testers to test and report security defects in their iOS mobile apps in exchange for up to $4,000 per vulnerability.
Another common scenario is to independently investigate the security of popular applications. For example, Google Project Zero performed a security analysis of popular App Store apps, including WhatsApp, to identify security defects that could be used by hackers to compromise a user’s device. There is ample evidence that such vulnerabilities, left undiscovered, are exploited by criminal hackers and foreign governments to compromise the physical devices of iOS users, including journalists. This type of independent investigative research plays a crucial role in protecting the safety and security of end users.
App Store DRM and the DMCA
Because the App Store is not enabled on Corellium virtual devices, if a researcher wishes to test a third-party app from the App Store, the researcher must first download the app on a physical device to obtain the required app in its binary form, called an IPA.
However, binaries sourced directly from the App Store cannot be audited as downloaded. This is because apps downloaded from the App Store are protected with Apple’s Digital Rights Management (DRM) technology called FairPlay. FairPlay encrypts parts of the application so that the code of the application cannot be viewed directly by reverse-engineering tools, and the application can only be run on authorized devices. Apple provides the DRM decryption key to authorized physical devices by tying the key to the physical hardware and Apple ID of the user in an obfuscated form. When the application is run by a user on the authorized device, iOS obtains and uses this key to decrypt and run the application.
Importantly, the App Store DRM encryption key does not – and is not designed to – provide any privacy or security advantage to the application, device, or user. Rather, FairPlay only serves to prevent App Store apps from being run, analyzed, or disassembled outside of an Apple-authorized environment.
In the United States, the Digital Millennium Copyright Act 17 U.S.C. 1201, or DMCA, makes it illegal and actionable to circumvent certain types of DRM. However, the DMCA also provides exemptions, such as for certain kinds of security research. A qualified attorney can help you determine if your research qualifies under the DMCA exemptions.
Third-Party Tools
Corellium does not support running apps that are encrypted using Apple FairPlay DRM, and Corellium does not provide any tools, instructions, or legal advice for decrypting applications from the App Store. Additionally, while physical jailbroken devices may be used to decrypt apps, Corellium’s “jailbroken” virtual devices specifically do not enable access to the App Store and do not facilitate decryption of apps.
Other third-party tools are widely available for decrypting applications for security research purposes. Typically, this process makes use of a jailbroken physical device. Tools to decrypt App Store apps are widely used, and Apple has never sought to use the DMCA to prevent this. App Store decryption is sufficiently common that large numbers of high-profile cybersecurity firms and individuals overtly develop tools for this purpose, teach students to use these tools, and openly advertise using these tools as part of their cybersecurity practice. Corellium does not promote or endorse these tools, and Corellium strongly condemns the use of such tools for piracy. The decryption of apps for piracy is a violation of our terms of service and will result in account termination.