In a world of continuous everything, security teams are struggling to keep up with testing on the latest versions of iOS before deploying applications designed to run on them. Mobile app security testing on iOS devices has proven to be a challenge due to the sandboxed environment, forcing analysts to rely heavily on the existence of a jailbreak in order to provide root-level privileges. A major caveat with this approach is the waning frequency of public jailbreak methods.
The purpose of this document is to explain how automated testing on the latest versions of iOS is now possible, with jailed testing, via NowSecure Gadget technology, in the upcoming release of NowSecure Workstation 5.2.1.
Jailed testing is a term used to describe testing on a device that is not jailbroken; rather, the device is factory standard and running the latest operating system. The unique NowSecure Gadget approach to jailed testing is to perform static, dynamic and behavioral analysis on iOS apps, while operating within the iOS sandbox on a factory standard device.
At runtime, NowSecure Gadget code is injected into a debug build of the app binary, inspects the app through dynamic and behavioral testing, and generates results into a report. Since the NowSecure Gadget does not modify or require system-level privileges, jailed testing can operate on the latest versions of iOS. And because the NowSecure Gadget is injected at test time, fully automated security testing can be completed without the need to add custom code, implement a proprietary SDK or create custom iOS application builds.
Furthermore, jailed testing can be done within apps that implement any jailbreak detection method, giving the security analyst a level of depth that was not possible previously.
With the capability to test on the latest iOS versions, jailed testing with NowSecure Gadget opens up the ability to test the latest and greatest app features and entitlements released with new versions of iOS.
One example is testing features that specifically use the camera in the iPhone X, which gives developers the option to leverage new functionality, such as Face ID and Animoji support, directly within their mobile apps. Up until the recently reported iOS 11 jailbreaks, this feature could not be fully tested and has remained untested since the release of the iPhone X in September 2017.
Fundamentally, jailed testing solves the issue of testing on the latest iOS releases, which gives organizations the ability to move faster and take advantage of the absolute latest functionality immediately.
You will continue to have the ability to conduct testing on jailbroken devices via NowSecure Workstation.
However, you should NOT upgrade NowSecure jailbroken devices to conduct jailed testing.
Jailed testing does not require additional configuration from NowSecure, so customers may leverage their own devices for jailed tests.