Corellium will support security testing of Apple CSAM scanning feature

[Image caption: It is offering funding and free access to its iPhone virtualization platform. Photo: Corellium]

Security research firm Corellium on Monday revealed its new Open Security Initiative, which will support independent research into the privacy and security of mobile apps and devices. Its first target is Apple’s controversial CSAM scanning feature, set to roll out to iPhone users later this year.

Corellium said it applauds Apple’s commitment to holding itself accountable, and it believes its platform of virtual iOS devices is best for supporting any testing efforts. It hopes that researchers will use it to uncover “errors in any component” of Apple’s feature, which could be used to “subvert the system as a whole, and consequently violate iPhone users’ privacy and security.”

Corellium has long been building virtual iOS devices designed to make it easier to conduct security research. It offers “jailbroken” versions of the latest iPhone models, running Apple’s most recent software, that can be used in a web browser. They help make testing easier and more affordable.

Until recently, Apple was fighting to have Corellium’s virtualization business shut down. But last week Apple dropped its 2019 lawsuit against the firm, a development experts called a significant win for security research. Now, to celebrate its fourth anniversary, Corellium is launching a new initiative that aims to make our mobile devices even more secure.

Corellium targets Apple with Open Security Initiative

With its new Open Security Initiative, Corellium will support third-party, independent research into mobile apps and devices. It is offering funding and free access to its virtualization platform for one year in an effort to aid “research projects designed to validate any security and privacy claims for any mobile software vendor,” reads the announcement published Monday.

One of Corellium’s first targets is Apple’s recently announced CSAM scanning feature. It is designed to detect child abuse material uploaded to iCloud, but privacy advocates warn that it has the potential to be expanded in the future under government pressure. Apple has insisted that won’t happen, and it has welcomed independent research that will verify its security claims.

“Security researchers are constantly able to introspect what’s happening in Apple’s [phone] software, so if any changes were made that were to expand the scope of this in some way—in a way that we had committed to not doing—there’s verifiability, they can spot that that’s happening,” Apple SVP of Software Engineering Craig Federighi told The Wall Street Journal.

“We applaud Apple’s commitment to holding itself accountable by third-party researchers,” said Corellium. “We believe our platform is uniquely capable of supporting researchers in that effort.”

Others should follow Apple’s lead

“Our ‘jailbroken’ virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.”

Corellium hopes that other mobile vendors will follow Apple’s example in “promoting independent verification of security and privacy claims.” Its Open Security Initiative is designed to encourage and aid important research into mobile privacy and security validation, and it is now calling for research proposals that will be part of its initial pilot.

The firm will be awarding up to three qualifying submissions a $5,000 grant and free access to the Corellium platform for one year. You can find details on project requirements and how to apply in Corellium’s announcement.