MASTG-TEST-0367: Runtime Use of Virtual Device Detection Techniques
Overview
This test verifies whether the app implements checks to detect an iOS virtual device (such as Corellium) by hooking common virtual device detection mechanisms at runtime.
See Virtual Devices Detection for a detailed overview of the virtual device detection mechanisms and patterns that applications use.
Out of Scope
This test does not cover the robustness or effectiveness of these mechanisms, which can be very difficult to assess through automated testing alone and may require manual reverse engineering and custom instrumentation. See Hardening Against Virtual Devices for best practices on implementing virtual device detection effectively.
Steps
- Use Installing Apps to install the app.
- Use Method Hooking to hook the relevant API calls.
- Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
Observation
The output should contain any instances of virtual device detection checks, along with the methods or APIs that were hooked.
Evaluation
The test case fails if no instances of virtual device detection checks are observed.
Expected False Negatives:
This test may produce false negatives if the app uses virtual device detection mechanisms that are not covered by the hooks or traces used, or if the virtual device detection logic is implemented in a way that evades detection (for example, through obfuscation, dynamic code loading, or anti-instrumentation techniques). In such cases, the absence of findings does not guarantee the absence of virtual device detection, and additional manual reverse engineering or custom instrumentation may be required to identify and analyze virtual device detection mechanisms.
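The following Frida-style script is an added example, not part of the MASTG page or its demo: it hooks two libc calls, reports probe-like arguments together with the calling symbol, and applies the evaluation rule above to the resulting trace. The watched APIs and argument patterns are illustrative assumptions; replace them with the mechanisms listed in Virtual Devices Detection.

```javascript
// Added example; the watch list below is an assumption, not the MASTG demo's hooks.
const WATCH = new Map([
  ['sysctlbyname', /^hw\.(machine|model)$/], // hardware identity keys
  ['getenv', /^SIMULATOR_/],                 // variables set by the iOS Simulator
]);

// Decide whether one hooked call looks like a virtual-device probe.
function classifyCall(api, arg) {
  const pattern = WATCH.get(api);
  return pattern !== undefined && typeof arg === 'string' && pattern.test(arg);
}

// Observation: keep only probe-like calls. Evaluation: fail when none were seen.
function evaluate(trace) {
  const findings = trace.filter((e) => classifyCall(e.api, e.arg));
  return { verdict: findings.length > 0 ? 'pass' : 'fail', findings };
}

// Resolve an export across Frida versions (the global lookup changed in Frida 17).
function resolveExport(name) {
  return Module.findGlobalExportByName
    ? Module.findGlobalExportByName(name)
    : Module.findExportByName(null, name);
}

// Runs only inside a Frida session; under plain Node.js this branch is skipped.
if (typeof Interceptor !== 'undefined') {
  for (const api of WATCH.keys()) {
    const address = resolveExport(api);
    if (address === null) continue;
    Interceptor.attach(address, {
      onEnter(args) {
        const arg = args[0].isNull() ? null : args[0].readUtf8String();
        if (!classifyCall(api, arg)) return;
        const caller = DebugSymbol.fromAddress(this.returnAddress).toString();
        send({ api, arg, caller });
      },
    });
  }
}

// Constructed sample trace, in the shape the hooks above report.
const SAMPLE_TRACE = [
  { api: 'getenv', arg: 'HOME' },
  { api: 'sysctlbyname', arg: 'hw.machine' },
  { api: 'getenv', arg: 'SIMULATOR_DEVICE_NAME' },
];
```

The messages sent by the hooks form the trace passed to `evaluate()`; an empty findings list is still subject to the false negatives described above.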
Best Practices
MASTG-BEST-0053: Hardening Against Virtual Devices
Demos
MASTG-DEMO-0131: Detecting Virtual Device Detection Checks with Frida