Mobile security testing, as any pentester or vulnerability researcher can tell you, is full of time-consuming and tedious tasks, like sourcing and jailbreaking physical devices. But time and headaches aren’t the only issue. Security teams have to test on physical devices because alternatives, like emulators, are unreliable or simply don’t have the necessary access and capabilities. For example, there are no emulators for iOS — a major shortcoming.
With billions of new smart devices expected to be connected over the next decade, it’s becoming critical for security and developer teams to have an effective and efficient way to conduct in-depth research, testing, and analysis to discover vulnerabilities and exploits before bad actors do.
There are three major limitations holding back what’s possible in mobile security testing and research. Let’s take a look at each of those challenges and explore potential alternatives.
Challenge 1: Sourcing Physical Devices with a Specific OS
Sourcing physical devices in and of itself is not difficult. All it requires is a credit card and submitting an order to a vendor. The painstaking part is sourcing specific devices with specific operating systems that can also be jailbroken.
Older devices in particular can be tricky to find, and you might not get exactly what you need when relying on the refurbished market. Physical device labs are also an option, but often limited in scope, meaning they likely won’t have all the devices you are looking to test.
Overall, sourcing physical devices is unreliable, and if you are continually flashing devices, jailbreaking them, and firing them up just to destroy them and shut them down, you’ll need a steady stream of new devices with the full range of operating systems you need to test on.
Challenge 2: Gaining Access to Operating Systems
From the security research perspective, it’s absolutely critical to have devices that you can jailbreak or root for both Android and iOS operating systems. Without full access to the file system, researchers can’t perform “data at rest” dynamic testing, which is essential for ensuring that data stored in a static location is encrypted, for example, and not unintentionally being leaked or exposed.
Currently, it’s difficult to get jail breakable modern devices, particularly for iOS versions. There are emulators for Android devices and services that offer access to physical iOS devices, but very few of these services offer access in the same platform, using the same APIs, etc. In addition, services like these have only a few operating system versions, rather than the entire suite that needs to be tested.
Challenge 3: Finding the Time and Energy to Manage It All
The final challenge is just finding the time, energy, and resources to manage and maintain hardware or other services so that you can get to the actual work of security testing and research. Security and research teams spend time keeping devices live, updating them (or not), jailbreaking them, and even shipping physical devices to team members around the world. All of this is a distraction that can be solved through virtualization.
Changing What’s Possible in Mobile Security Research and Testing
The next step for mobile security research and development is virtualization, which cuts out the need for physical devices while still providing security teams with the access they need to conduct real-world testing. For example, a virtual hardware platform provides endless combinations of mobile device models, operating systems, and mobile apps, all in one place. You can get the convenience, efficiency, and scale of an emulator with the fidelity and performance of a real device.
Security and developer teams using virtualization have more time to focus on strengthening their defensive cybersecurity capabilities through research, testing, and analysis and spend less time on repetitive tasks like jailbreaking and device sourcing.
Physical devices are holding you back. Virtual devices propel your R&D, security testing, and research into the future.
Anthony Ricco
Tags: Corellium, Mobile Devices, Mobile Security