Security Research Around iOS Began Showing Signs of Stagnation

• Almost no security researchers are using Corellium’s iOS virtualization solution anymore.
• Offensive testing has taken a blow, and the effects of this will become evident in the iOS ecosystem soon.
• The US Department of Justice is worried about the ongoing legal battle and has decided to intervene.

The ongoing legal battle between Corellium and Apple has finally taken its toll on the iOS security research community, as many are reporting to be afraid to touch the controversial emulation software. The last time we visited the case was in January 2020, when various tech and legal experts were publicly expressing their worries about where things were going with Apple’s lawsuit. By declaring Corellium’s iOS virtualization solution illegal, no independent offensive security research would be possible anymore, and that could put millions of Apple product users at risk.

This, however, didn’t convince Apple to change its mind. On the contrary, they started targeting people who were speaking in favor of Corellium, threatening anyone who was using virtual copies of iOS with legal action. Yesterday, the US Department of Justice decided to intervene and requested a delay in the deposition of Corellium’s co-founder Chris Wade. The DOJ wants to look into the evidence that Apple is planning to produce on court, but no one knows exactly what kind of interest the government has in this case. Corellium’s lawyer has previously warned about the national security concerns that arise from Apple’s legal action, so maybe this is why DOJ felt it should step in.

Motherboard has interviewed several security researchers who were using Corellium’s products for many years now and reports a rapidly degrading scene. All of those who talked to Motherboard chose to do it anonymously, as they are afraid of Apple taking retributory action against them. As they say, there can be no offensive security research on iOS without Corellium’s virtualization solutions, but right now, there’s no one out there who dares to use their products. Only Elias Naur had the courage to state that he still uses Corellium to test code written in Go and that he doesn’t believe Apple will go after the researchers for doing so.

Apple maintains that it simply wants to stop jailbreaking, but Corellium feels that the tech giant wants to control the security research field and to decide who gets to test software on iOS. Whatever happens from now on, one thing is certain, and this is that the iOS security testing will soon become a closed ecosystem based on Apple’s internal teams and direct partners. Apple wants full dominance of everything that happens around the iOS, and we’re sure that they won’t back down even after DOJ’s intervention.