Mobile security research and testing have traditionally been extremely difficult and time-consuming endeavors. And most of that time is spent doing things other than the actual research.
Whether searching for vulnerabilities in a mobile OS, penetration testing a mobile app, or conducting research into mobile threats and malware, all are bound by the restrictions imposed by the manufacturers on the mobile devices and their operating systems.
In the PC world, these restrictions do not exist, which makes it easier to reverse engineer software or to inject debuggers directly into the OS kernel. However, in the mobile device world, bypassing these “walled gardens” often requires specific devices with very specific operating systems combined with the tools and techniques necessary to break out of these walls.
Without root access to the device, how can security researchers and testers prove that apps are not storing or transmitting sensitive data insecurely? Are we left with “trusting” that device manufacturers have our best interests in mind and are doing their best to keep our data safe?
The Era of Dumpster Diving
Many mobile security professionals spend a significant amount of time scouring the world for a few specific devices. They spend hours searching used-device markets such as Facebook Marketplace or Craigslist for just the right device, essentially dumpster diving, trying to find that special needle in the haystack. Once a device is located, it still has to be acquired, which often means meeting in person in a parking lot and exchanging cash for the device, like some sort of black-market goods exchange.
Why do researchers need to go to all this trouble? It is not about having a specific model of iPhone because it is the coolest version or that model holds specific sentimental value. Researchers seek out specific devices due to the device’s characteristics and operating system.
Researchers require root-level access to the device to properly gather evidence and look for vulnerabilities. To gain root-level access, a process known as “jailbreaking” is required. Jailbreaking has been around for a long time, originally so that users could more easily tweak iOS or install non-app store apps that are written outside the vendor’s walled garden.
In the area of mobile security research, especially when conducting penetration testing or malware research, root access to the device is required to inspect secured areas of the operating system where apps store their data or to inspect the network to capture and analyze communications.
The process of jailbreaking usually requires exploiting a vulnerability in the device or software that yields higher (than normal) access to the operating system where specific changes can be made.
For many years, this process was made relatively simple by a known vulnerability in the device's chipset. Because the flaw lived in the boot ROM, the read-only code burned into the chip itself, it was essentially "unpatchable." This vulnerability led to the development of a BootROM exploit called Checkm8, which gave the researcher the elevated access needed to inject desired changes or software into the device.
Any iOS device built on the A5 through A11 chips was susceptible to this vulnerability, yielding a plethora of usable models: the iPhone 4S through the iPhone X, as well as various iPads, Apple TVs and iPods.
One jailbreak tool built on Checkm8, checkra1n, was developed and released for many different versions of iOS up through iOS 16.
This means security researchers can spend a tremendous amount of time dumpster diving for these specific models so they can utilize the checkra1n software to jailbreak the device, gain root access to the device, and conduct their research or testing.
But the problems don't stop there. Due to the age of many of these devices, they may be physically damaged, have inoperative batteries, or have a host of other issues. Some of these issues can be ignored (depending on the testing required), but if the device does not boot reliably or cannot run for long periods of time, all the time spent acquiring it could be for nothing.
The Device OS Version Battle
Even if the device works well, the researcher then must put a desired version of iOS on the device. Many iOS device users love keeping their devices updated to the latest and greatest version of iOS. However, the researcher may need a specific version of iOS on that specific model, such as an iPhone 6 with iOS 12.1.4 – which contains a known vulnerability that they would like to work with.
The latest version of iOS supported on the iPhone 6 is 12.5.7, which means that to get 12.1.4 on the device, the researcher would have to down flash (downgrade) the device to the older version. Down flashing, especially once Apple stops officially signing a version and its servers will no longer approve a restore to it, becomes a difficult process, wasting even more time.
Once the desired version of iOS has been successfully installed, the jailbreaking process can begin. The researcher needs to acquire and apply the jailbreak to gain access. Jailbreak packages like checkra1n make this procedure relatively straightforward, but they can be somewhat troublesome or finicky, sometimes requiring multiple attempts. Often the jailbreak package does not support the specific version of iOS needed for the research, or the version currently installed on the device.
So, after all the work and time required to acquire the device, getting it to the correct version of iOS and applying the jailbreak – the researcher can begin their work, right? As long as they don’t have to reboot the device.
The Dispersed Team Dilemma
Mobile security researchers are a rare and specialized breed, often requiring companies to hire talent where it exists regardless of where their office is located. This presents multiple issues when dealing with physical devices.
The effort and time of acquiring the device, flashing the desired iOS version, and applying the needed jailbreak are multiplied for every additional device, iOS version, or team member. Oftentimes, the devices need to be physically shipped between team members, perhaps even internationally. What if the device is lost or damaged in shipping? All the time spent to this point becomes time wasted.
Assuming the device arrives in one piece, the jailbreak must be re-applied. Modern jailbreaks are not "permanent": the device must be tethered to a computer and the jailbreak reapplied every time the device is rebooted or crashes (during testing).
Each team member may require a small batch of devices configured differently for their work, creating a multiplier effect of these time-wasting issues. The actual research or testing still has not begun yet.
The Tooling Epidemic
Mobile security research and testing cannot be accomplished without a slew of additional tools and techniques. These tools must be procured and maintained separately from the mobile devices.
Teams usually have sets of tools in two different areas: reverse engineering (static testing) and dynamic testing. Common tools in static testing are IDA Pro, Ghidra, Hopper, and JADX, just to name a few; usually a team will consolidate on one tool. In dynamic testing, another set of tools is required, such as Burp Suite, Frida, Objection, Charles Proxy, Xcode, and many others. Some tools are commercially supported, but many are open source, requiring a little more effort from teams to maintain.
Each member of the team will have their own stack of tools, which means at any time, versions could be out of sync, or some versions may have issues that cause a test to fail. Additionally, some tools only run on specific computers and OSs that a company may not support for employees.
Every tool that a team uses comes with a cost in time that needs to be considered: constant updates, features that break, and reliance on commercial or community support. The time wasted can be quite high.
The End of Dumpster Diving - Corellium
Built on virtualization (not simulation or emulation), Corellium's platform eliminates the time wasted on devices and OS versions (including jailbreaking and rooting), and allows remote teams to collaborate and work together in a single place with nothing more than a web browser. Additionally, teams can use the built-in introspection tools, saving the time spent installing and maintaining tools on their own systems.
Corellium is changing the entrenched paradigm in mobile security by eliminating the need for physical devices, allowing teams to reduce distractions and eliminate wasted time.
Brian Robison