Virtualization Is Transforming Mobile Security Research: Here’s How

Anthony Ricco
Chief Marketing Officer, Corellium

The Internet of Things (IoT) is taking mobile security research by storm. According to market research firm Statista, the number of IoT devices worldwide is forecast to exceed 29 billion by 2030. Consumer internet and media devices like smartphones and smartwatches are expected to make up 17 billion of these devices, while devices for other use cases like connected vehicles, IT infrastructure, asset tracking and monitoring, and smart grid are forecast to make up the rest of this massive market.

These astounding numbers mean two things: the IoT device attack surface is rapidly expanding, as is the demand for an efficient way to develop, test, and secure these devices. This need has been underserved by today’s developer and security tools – until now.

Building a physical device lab is expensive and out of reach for many security researchers. Not only is there the initial cost of buying the heap of devices you need with the right combination of model and OS, but broken, lost, or bricked devices must be routinely replaced. Watching expensive devices become useless is frustrating. Additionally, testing requires devices to be constantly running, something their batteries were not designed to do. Burning through batteries is both a cost and safety risk. 

Physical devices are also inefficient for today’s remote work environment. Shipping alone is a logistical nightmare, not to mention how difficult it is to run even the most basic testing and research when devices are not made to work with common security and automation tools. With physical devices, the critical work of testing software for performance or security issues is often delayed simply because the hardware must be ready first. Setting up a device can take up to a couple of weeks! It’s tedious and boring. This leaves developers and security teams waiting for long periods of time, adding to the overall cost and inefficiency of testing with physical devices.

Virtualized DevOps Accelerates Software R&D

By shifting from physical to virtual devices, developers can begin co-designing software without waiting for physical hardware to be complete, thus shortening time to market. They can also take advantage of cloud-based tools for testing automation and CI/CD, adopting simpler and more efficient workflows to meet demands for higher performance, faster delivery, and increased security.

Virtual devices give developers and security teams the convenience, efficiency, and scale of an emulator with the fidelity and performance of a real device. Virtualized DevOps enables continuous testing with the following benefits:

  • Simplified deployment – On-demand combinations of device models, software, and mobile apps can be deployed to virtual devices.

  • Instant onboarding and control – Controlled access is granted to developers and testers around the world with no physical device procurement or shipping needed.

  • Powerful tooling – Manual and automated testing is performed through a powerful browser interface or integrated into existing test frameworks via APIs.

  • Enhanced collaboration – Snapshot and clone functionality facilitates testing cycles and cross-team collaboration.

  • Faster feedback – Internal and external developer, test, and security teams can quickly report and share their findings.

  • Easier patching – Patches and updates are easily and quickly deployed.

One of the most important benefits of virtualized devices is the acceleration of software development lifecycles because you have access to an endless combination of device models and firmware versions. IoT device software and mobile app development, as well as testing, can all be done on a single platform, making it easier for teams to work more efficiently. To take full advantage of productivity gains, look for a solution that integrates with your existing developer, security, and DevOps tools.

Cutting-Edge Vulnerability and Exploit Research

For years, mobile security researchers have used virtual devices for vulnerability research, training, compliance, and auditing on iOS and Android devices. These virtual devices sit on top of a specialized hypervisor running virtual models on Arm, just like physical devices – combining native fidelity with on-demand availability – without the costs, logistics, and safety concerns of a physical device lab.

With a virtual hardware platform, security researchers enjoy a simplified connection of IDE, debugging, network and security tools, and comprehensive APIs. They can configure device buttons, sensors, location, environment, battery, device IDs, ports, cameras, and mics. They also have x-ray vision into the devices with powerful access and control over the OS, app, file, system call, console, kernel, and boot. Perhaps most importantly, researchers can root or jailbreak devices instantly without using additional code or security vulnerabilities. Now security teams can focus on their actual testing work without having to worry about cumbersome setup work and shipping times.

Endnote

It’s no wonder that virtualization is transforming mobile security and replacing many expensive, wasteful physical device labs. Mobile security researchers now have the ability to test the functionality on any combination of IoT operating system and model without having to own or store the hardware. Virtualization also creates a more reliable testing environment because virtual clones can be controlled and standardized.

