New Corellium Mobile AppSec Product Lines
Watch our video webinar and see the big reveal of the new mobile app security product lines: Corellium Viper™, Corellium Falcon™, Corellium Solo™, and Corellium MATRIX™. Learn how these tools can help take your mobile security testing and research to the next level.
(00:03:32)
Brian Robison
Good morning, good afternoon. Thanks for joining today. We're going to begin in just a minute. Good morning. Good afternoon, everyone. Welcome to our webinar today. We've taken a couple of months off, but I thought today would be a great day to jump back in and visit with all of you once again. I think this is our 17th webinar episode of our series. We've done a lot of these over the past year and a half or so, and welcome back everybody for coming in and hanging out with me today. I am on my own today, so you're just going to have to bear with me. I don't have any other technical experts on the line, but what I thought we would do today is go through a lot of what's new with Corellium. So this summer we've taken some time off of the webinars, but we have been extremely busy on the back end.
(00:06:15)
So there's some things I want to go through. We've got entirely new product lines we're going to go through today and some of the capabilities, and then we're also going to talk about some of the new features that have come out over the past few months, and we'll probably wrap with a quick look and update at where MATRIX is coming up this week. So with that, let's go ahead and kind of discuss a little bit of housekeeping. So all attendees are muted, but I do encourage questions, so please, please use that Q&A tool on your screen to ask me questions. I will try to get to them as quickly as I can. Sometimes I don't see them pop up or I have to click to see them, but I will double check on those throughout the webinar today. The webinar is being recorded and will be posted for on-demand shortly thereafter.
(00:07:10)
If you signed up, obviously you're going to get an email letting you know that the recording is available, or you can always check on our website, Corellium.com. I think it's events/webinars or something like that, at least it's ‘Events.’ And then today we're going to go through a few slides and then we're also going to, as I said before, we're going to look at some of the new features and capabilities within the Corellium platform. So let's go ahead and start talking today about some of the new Corellium offerings. As you know, up to this point, Corellium has really had just one kind of product line with some different levels of licensing tiers and different cost structures associated with it. So, this summer we've been working very difficult, very long and hard on basically trying to give more offerings to different customers, focused in different areas of security research or testing or other types of work. So let's introduce you to the new product lines that are available. First, there is Corellium Solo, and this kind of replaces our individual user accounts that we've had before in the past. There's a couple of different versions of those, and there's also some major updates there that I'll walk you through a little bit in the future.
(00:08:41)
Also, we have introduced a new product called Corellium Viper, which is essentially designed for people and businesses and professional services focused mainly around mobile application security testing. So, if you look at essentially what Corellium does, we've got a couple of different ways of work that we do. One is from the OS kernel up into the application stack, and that essentially is where Corellium Viper is focused. It's going to have a couple of different licensing tiers as well. That's where MATRIX will be sitting, all those kinds of fun things that are focused on mainly application testing. So from the kernel of iOS and Android up into the application layer. Now, a lot of traditional Corellium customers are going to live in the new Corellium Falcon line. So Corellium Falcon, while it does have kernel level and up, it also includes all of the tooling and capabilities for the kernel down into the hardware as well.
(00:09:46)
So if you're doing iOS and Android vulnerability testing, research, those kinds of levels of work, you're going to live in the Falcon product line. So we've essentially divided these up, whether you're an individual tester or maybe you just want to get some experience with the platform at a very low cost. Then there is the mobile application testing focused version of the product primarily in the commercial space. And then we have Falcon, which has predominantly been our traditional government type of research organization type of work in the kernel level of vulnerability research and exploit development, et cetera. So, let's go ahead and break these down into each individual component and talk about them for a moment. So, back up at Corellium Solo. Again, Corellium Solo is designed to be a much lighter weight version of the product that is easier to use and it's also capable.
(00:10:53)
So it includes all of these traditional virtualization capabilities like building any iOS device, any Android device with any OS and instant jailbreak access, all that kind of fun stuff, same as what you had before with the individual plans. However, the removal of the two-core limit has been completed. So instead of the biggest device or the most modern device you used to be able to run with our individual plans being an iPhone 7, you can now run all of the most modern iOS devices. So you can run, for example, here on the screen we have an iPhone 15 Plus or a Pro Max or whatever that utilizes more cores. So you're still limited on the number of devices, but we've removed that core concept from the individual plans. You're no longer limited to a device that only has two cores. You can have a much more modern device and that gives you access to fun things like jailbroken access to iOS 16, 17, and now 18.
(00:12:07)
But it does include all of the base tool set that's there in the more advanced versions. But again, it's designed for that individual tester or individual experiment person who's doing some low-level experimentation and doesn't want to have necessarily a multi-user environment. You may want the ease of just purchasing it on a credit card and moving forward that way, but it does include all of the fun basics of things like the virtualization of Snapshot and cloning and all that kind of fun stuff. But it also includes in the professional version, it also includes some of the ability to conduct some level of kernel research. Not all of the features that you would get within the Falcon product line for example, but it does give you some capabilities that you are able to utilize to do some of that level of research.
(00:13:08)
So on our website, I just tried to kind of summarize a couple of things here that I want to highlight for you. With Corellium Solo, there's essentially two editions. There's Explorer and Professional. Explorer is literally just 3 bucks to run on one device for one hour. So again, we've removed that core limitation. So it's not limited to number of cores, it's simply one device at a time, and you can run it for as much as you want or as little as you want. It's $3 an hour flat fee, but there are some of the tools that you do not get when you're using the Explorer version versus the Professional version.
(00:13:51)
Again, you get the basic types of stuff, but you don't get some of the more interesting things around bypassing biometrics, for example, or location and motion control. It is also important to notice that there are some features that simply aren't available in the Solo product line, like MATRIX or Snapshot Sharing, Network Monitor, those advanced Network Monitor... Anyway, those kinds of things are not available in the Solo price packaging concept here. Solo Professional is a much more featured version of the product. It kind of aligns with Falcon a little bit in that it includes some of the core essential capabilities for doing OS-level vulnerability research and exploit development. It also includes pretty much all of the functionality around the more advanced functionality within the application testing world. But again, as you see, there are some things that are just not available in Solo, as well as Solo does not have the enterprise-level multi-user capabilities and things like that that one would want if you're going to be using this with more than one person at a time or a team, or sharing results or sharing clones of snapshots and things like that with each other.
(00:15:18)
So that is Solo. There is, again, it is purchasable through our website. You can just go sign up for a trial and when your trial is complete, you can convert that trial into a subscription if you wish and continue on with the way it goes. It is important to note that Professional does have a bare minimum. You will be basically paying for 50 hours a month at that $8 per-device-hour concept for all the additional tooling that's there.
(00:16:00)
Also, Corellium Solo is only available as a cloud-hosted service from us. It is not available in any of the on-premises hardware or appliances that we sell, nor is it available in a private cloud type of thing, even if you have your own AWS environment. So, it's one of those very simple. You really don't even have to talk to us to obtain it. You just go sign up for it on the website, put your credit card information in, and off you go and you can begin doing your work. So if you're interested in that, I do encourage you to sign up for a Corellium Solo trial. Each of the platforms, Solo, Falcon, and Viper all have their own trials associated with them, so you can try them before you do decide to purchase them.
(00:16:54)
OK, moving on to Viper. So Viper is going to include quite a bit more as far as the tooling and capabilities. It also has the ability to be on-prem or in the cloud. It's going to include the MATRIX automation testing framework that we have built in, and we're going to do a quick update on that here towards the end of this discussion. It also includes a lot of the traditional enterprise-level things that you would want, like single sign-on, multi-factor authentication, multi-user accounts, all of that kind of fun stuff, so that you can get in and administer and manage an entire team working within the Viper framework. So, you can share snapshots with each other, you can clone them across projects. You're going to be able to have much more capability designed for a larger team of testers. It also includes all of the CLI and API integration.
(00:17:59)
So, you can integrate with, if you choose to integrate within the CI/CD pipeline for example, you can even do that and integrate even MATRIX tests and run automated security assessments at every app build or something like that that you would like to try to do. So there's a lot of capabilities that are in the Viper product line that allow you to do that kernel-level and up, application-layer focused testing, automation, multi-user, all that kind of fun stuff that one would want. So, as you can see here, there are essentially two different lines available within Viper: Viper Essentials, which is kind of the starter version of Viper, includes basically all of the main kind of key tools that one would need for access management. Like I said before, your single sign-on, multi-factor, team management, projects, all that kind of fun stuff. But it also does have a fantastic tool stack that's included with it.
(00:19:07)
However, it does not include some of the more advanced types of things as well as the MATRIX automation component. It's not in the Essentials package. So, this would be mainly designed for a team that wants to continue doing manual security assessments, manual pen testing. There is automation, but there is not access to the MATRIX testing automation reporting framework. So there's a few other limitations here. Again, this is just a snapshot from the website. So if you want to get the full picture, Corellium.com, go to under ‘Products,’ pull it down, and there'll be Solo, Viper, and Falcon there that you can dig into a little bit more. Viper Advanced is the top-end package for the Viper line, and it’s designed around that full manual plus the automated pen testing capabilities. So, we've always talked about MATRIX as being kind of that automated testing framework, that good baseline analysis type stuff that one would maybe spend a day or two on in their initial testing cycles.
(00:20:19)
That is something that MATRIX is going to be able to get down into that first six or seven minutes kind of concept and allow you to get that automated baseline security assessment online, automated inventory, et cetera. Questions are coming in, which is great. Is the Solo edition suitable for a medium-sized company that occasionally uses Corellium on-demand? I would say, “Yes it is.” It's perfectly acceptable, especially the Professional edition for those of you who just use it occasionally. However, there are limitations there. So if you're more than one person, you would each need a professional account and you can't share work across that kind of thing like that. That's where you would get into the capabilities with Viper, where you can actually get in and have a central group of people and you can take a snapshot of a device, for example, and share it with somebody else in that area.
(00:21:28)
You can clone devices and do all that kind of fun stuff with multiple users. So depending on the size of the team and your capabilities desired there, I would definitely look at the Viper line, but you could definitely get started with something like a Professional account and as you ramp up your usage and things like that, it would probably behoove you to look at Viper. Also, Viper comes with a much bigger hour consumption basis built into its pricing model. So, we don't go through pricing on webinars and things like that except for the individual. So, visiting with one of our sales reps is the best way to get an idea of what Viper Essentials or Viper Advanced is going to cost and how many hours, if you choose cloud deployment, it's going to essentially come with. OK, moving forward. So Viper is where you get into the multiple deployment model method.
(00:22:32)
So, you have the ability to purchase Viper in different methods, which are our on-prem appliances, and we have a couple of different styles there. We've talked about them before, but we do have a traditional kind of 2U rackmount appliance that you would deploy within an IT environment. It's quite scalable. You can run a lot of devices in that model there. In the on-prem model, there is no per-hour usage charge. It's an all-you-can-eat, all-you-can-test, all-you-can-run kind of concept. Only in the cloud service, when you choose cloud, is there the kind of consumption-based model on a certain number of hours, whether it's like 1,250 hours or 2,000 hours a month kind of stuff pre-built into your account. There's also a little tiny desktop appliance that is available for individual testers who want to run Corellium Viper, for example, on a desktop.
(00:23:33)
Maybe it's just not practical for you to deploy a server in your environment. So, we have a little tiny desktop appliance that is much smaller, it's quiet, easier to just kind of place on the corner of your desk. It is designed for an individual tester, but it does have the full Viper stack included on the appliance, so you can utilize that. We also have a private cloud availability as well, so we can come in and kind of build it for you or host a version of Viper in our cloud for you. So, essentially you could have your, instead of being in our traditional cloud tenant, you could actually have your own dedicated instance, and this might plug into if you're using your private cloud, your AWS environment, we can build it into there. So, let's say your apps need to run and connect to a QA network or a staging development network or something like that that is running within your private cloud.
(00:24:37)
It's very possible to deploy that into your private cloud with Viper. It's another concept around the on-premises appliances as well. A lot of times there's a private testing network or even a private deployment network that is not available on the internet. So having your virtual devices running in the cloud somewhere isn't really practical. They need to be physically attached to that private network, and again, that's where the on-premises hardware can come in. Or if your use case simply requires you to be completely air gapped from the Internet or you want to run without any sort of communication going to and from the devices, that's also where you would deploy Corellium on-prem. OK, moving on to Falcon. So, Falcon's focus again is really on kernel level vulnerability research and exploit development is an example offensively or defensively depending on what you're doing. So it includes a ton more capabilities around debugging the kernel.
(00:25:47)
It includes things like MicroSnapshotting very specific functions so that you can build, you can design a fuzzer and you can test multiple inputs within milliseconds and be resetting things extremely fast as you're doing that kind of development, that kind of research and development work. It is designed again for that deeper level of kernel work that you would be doing on iOS or Android or other IoT devices if you choose to model or use other systems that we have. So it also does include the app level as well, so you kind of get the full stack. So Corellium Falcon is really kind of what the old version of our product was, is the full stack capabilities, and it includes a lot of those new features that I was mentioning that are not just in Viper but are also in the Falcon line, where you've got the ability to dig deeper both at the application layer as well as at the kernel level.
(00:27:02)
So really Falcon is really designed for those high introspection-type of folks that have been utilizing Corellium for quite some time to do a lot of that deep vulnerability research and testing within the mobile devices. So again, like Falcon and Solo, there are two different kinds of editions of Falcon and there is both an Essentials version, which basically includes a lot of the core capabilities that you would get, including all of the app pen testing capabilities built in. So, you get a good chunk of the kernel-level capabilities as well as the app-level capabilities. So that's kind of our biggest package, if you will, that is also offered in the cloud. So this is the version of Falcon that is offered in the cloud. The Falcon Premium is not offered in the cloud. It is only offered on an on-premises deployment with either the 2U rackmount or the desktop appliance.
(00:28:18)
So, this is where you can get into some really low level stuff because you're getting access not just to the introspection tools that are built into Corellium, but you're also getting access to the appliance itself, which also is capturing a lot of information out of the hypervisor layer and giving you access to a lot more capabilities locally that you just do not have in the cloud. So as you can see here, some of those interesting things would be OS beta support or the ability to upload your own IPSW firmwares and things like that. You have the MicroSnapshot fuzzy, which I talked about a moment ago, which gives you the ability to take very, very tiny snapshots and to do that, it's command line driven. It's not in the UI, so it has to have access to that appliance. There's also other capabilities that are available to you with that on-prem appliance and other levels of debugging and introspection to other tools as well, like IoT.
(00:29:28)
So again, here, Falcon Essentials is available in all three capabilities. However, Falcon Advanced or Falcon Premium is only with the on-prem. It is not available in the cloud. So just kind of keep that in mind as you are looking at those capabilities. Again, Falcon Premium is really kind of that on-prem, air-gapped environment. You don't want anything communicating to or out from those appliances, and Corellium is perfectly happy and designed to work in that type of environment. Neither these appliances nor the Corellium platform have to do any sort of call-home licensing or anything like that; it is fully contained in an air-gapped environment on-prem.
(00:30:22)
All right, so that is a quick summary of where we are with the new kind of product lines. Again, hit the website, we'll give you some further explanation, give you good little check boxes about what's included in each different package. I encourage you to look through those if you want to try it out. Again, there's a trial for each one of the platforms, the Solo, the Viper, and the Falcon. There is also, again with Solo, the ability to just go ahead and purchase it and get started, and we have removed the restriction on the individual accounts being only supporting the iPhone 7s with iOS 15 and below. So now you can run the latest and greatest iPhone 15, or we are working on newer devices that have come out more recently. You'll have access to those as well as the latest and greatest shipping versions of iOS and Android.
(00:31:28)
So, I do want to highlight a few cool capabilities that we have worked on and have been kind of expanding throughout the year, and I think you're going to like a lot of these. So for the enterprise deployments, we have added SSO this year, earlier this year, through the OpenID Connect (OIDC) capabilities where it can connect you to Azure AD or through Ping or other different service providers, and those are documented on our website of how to get that working. Later this summer, we also added LDAP support so you have a much stronger capability of handling your SSO into the environment, or you can still just use the built-in user management capabilities that are within the platform and go that route. But SSO has definitely been stepped up significantly in those roles for you.
(00:32:27)
MATRIX continues to be a full-court press from our engineering team. I am going to show you kind of a quick update about where we are currently with MATRIX. I'm going to give you a preview of the 6.6 release, which is going to be going out the door imminently and available for folks both on-prem as well as in the cloud. Some of the big highlights here is we have completed the CI/CD integration through our CLI with API, and we also have a great new resource on board with us who's willing to talk with any of you out there. His name is Jason and he is essentially a solution architect that helps build out these integrations for you, so he can help design your full CI/CD pipeline integration if you really want to automate MATRIX security assessment testing after you do a new build of an app or something like that.
(00:33:28)
He's also been spending a lot of time building some really cool GitLab runners and things like that to do all this work and automate the UI clicking and dynamic testing, all that kind of fun stuff. So, we're definitely happy to have him onboard and he's available to help all of you out with getting this done. So obviously MATRIX without new checks, new content, new capabilities is pretty limited. So this has been our #1 focus. Again, the goal of MATRIX, and we've kind of said this from the beginning, is to automate the automatable portions of guides like the OWASP MASVS and the MASTG. So if it is something that can be automatable or can be done through programmatic automation, evidence gathering, inspection, all those kinds of things, whether it's static or dynamic, that's the goal of MATRIX, kind of, is to automate that as much as possible.
(00:34:32)
So Android has had a full court press on it early on. iOS is catching up significantly, and we've got some great resources around some of the people who have kind of written the books essentially on iOS application testing, working on stuff now for us. So that's going to be coming online a lot faster as we get further into the year. But look at MATRIX as kind of a continual roadmap of new content, new checks, new tests, it's never going to be done. Yes, we're going to do some cool things in the UI to make it easier to use and dashboarding and all these other kinds of fun things down the road a little bit. But again, we're focusing on getting the actual testing framework built out and working. Snapshot sharing is a really cool new feature that is new in the cloud environment. It doesn't really apply to the on-prem, but it does apply in the cloud.
(00:35:38)
So we've had snapshot cloning forever, where you can basically take a snapshot of a virtual device and clone it to another user or project or something like that, or you just want to create 20 clones of the same snapshot. That's been something we've had built in. However, Snapshot Sharing allows you to take a snapshot of a device and share it with anyone you want. You can share it with a password, you can share it with a token key, you can share it with whatever; that other person can receive it and basically enter the password or enter the token and then begin using a snapshot of a device that you created. So, it makes it a lot easier to share it amongst other team members or even other people outside your organization. You can share snapshots. So the concept here would be, if you look at the full loop, is let's say MATRIX finds something that is an issue. Before, in the current world that's out there, you as a tester would be limited to maybe a video recording of the issue or screenshots of the issue or something like that. In this case, what you can do is you can actually take a snapshot of the device that's exhibiting the issue and actually share that with your developers or somebody else who may or may not even necessarily have an account within the system. So instead of getting into this loop of, I can reproduce the issue here, but the developer says, well, it works fine on my device or whatever, you can actually share with them the actual snapshot of the device that actually has the issue on it, and they can actually use that device directly.
(00:37:29)
iOS updates this year; I mean obviously we released Android 14, both rooted and unrooted. We've also updated iOS pretty regularly throughout the year. The release that is imminent also has the current versions in it as well. So you're going to expect 17 and 18 here imminently depending on when we finish that QA cycle, and they will be available to you very soon. The other thing that we have made some progress on this year, it is not quite all the way there, but I think it's made a lot of progress and it's a good thing to look at, is what I call consumption transparency, or basically if you're on a subscription plan, you need to know how many hours you have used. We send you automated warnings if you've exceeded 85% of your monthly plan because we don't want you to go over your monthly plan and get into burst pricing and all that kind of stuff. Although burst pricing is very inexpensive to get into if you needed it. But we also want to just make sure that, if you've left devices on or something like that by mistake, we want to make sure that you have visibility into the consumption that you have consumed within the cloud environments. OK, so let's take a look at some of the new capabilities within MATRIX. One of the first ones I'm going to go through is the SSO capability. So bear with me a moment here.
(00:39:19)
So, in the single sign-on, we're just going to log out of this and log in. Oh, let's see. I'm actually logged in as a domain admin, I believe. So if we come in here and we take a look at some of the capabilities that are available, you've got authentication. So you can use your local authentication database, you can go ahead and add your OpenID provider, or you can enable LDAP authentication here within the console. Makes life pretty darn easy to work with and again, supporting as many of those SSO and MFA capabilities that you would need for your environment. So, snapshot sharing is also here. This is where you have snapshots that are shared with you, that are shared by you. You can add snapshots, access code or password guarded, all that kind of fun stuff. And basically, again, gain access to somebody else's snapshot that they provided for you.
(00:40:28)
Again, with a code or a password, or you can share your own. It is a global feature that the administrator can disable or enable for you, so that if this isn't turned on in your account, you can actually turn this on and you'll now get this new menu up here at the top. Teams really hasn't changed that much. You can create a team of users. Users is pretty much the same thing. You can invite your users; obviously if you're using a different authentication system, this is kind of bypassed and that other third-party authentication system is used versus this one.
(00:41:10)
Alright, so let's take a look at some of the features that are available in the environment. As you can see here, for example, I've got a couple of devices that are booted up with kind of the latest and the greatest OSes. And again, this is a release that we're working on right now. This is in its final testing phases and it's planned to be going out the door kind of imminently. But as you can see here, I've actually done a little bit of work on this 17.7 device and what I've done is I've run a MATRIX test against our Corellium Cafe application. So you can access Corellium Cafe through the Corellium.com/scenarios page where you can look at pen testing scenarios, or we even have an application vulnerability scenario that you can run through. So just as a quick update here, I'll show you the MATRIX capabilities on iOS have been steadily increasing and we've actually created a new section called Artifacts.
(00:42:18)
So a lot of what you would do in the first phases of a base security assessment on an application is you're going to want to explode it and look at it for things like certificates and PLIST files and things like that. They're not necessarily pass or fail checks, but they are just a good amount of evidence to look through. So as before, you've got both static and dynamic tests that are running simultaneously. So you can have, for example, your static analysis pouring through PLIST files. We found certain settings that are set that are considered a failure. You shouldn't do this, you should have this disabled, essentially, things like that. But we also have dynamic capabilities as well at the same time. So, if we look at sensitive values stored securely, we've provided a keywords file for this test. We can see for example, that in this database after the dynamic test was completed, we actually stored some sensitive information including the credit card number, the name, those kind of fun things, but we also have static findings here in the PLIST files of some hardcoded credentials or maybe their API keys or there's something that is sensitive to the application or to our organization.
(00:43:49)
So just a really quick update on MATRIX, essentially looking at pass/fails, all those kinds of fun things. And then of course, artifacts. So artifacts are nice because it's, again, it's not a pass or fail, it's more of an informational finding. It's an inventory kind of based finding. These are things that would be interesting to look at for further information. For example, you want to take a look at the code signing of the application or you want to see what databases were created. This is a bug we're tracking where it doesn't show the actual database name fully. Hopefully we'll get that fixed prior to release. But basically it lists out all the databases for you. You've even got some geolocation stuff. So this is kind of fun when you're running the application: we're basically going to map for you kind of who and where the IP addresses are that application is actually talking to throughout that procedure. So as you can see here, we've got some connection to Corellium.com when we ran the application, but we can also kind of visually see what countries in the world this app is communicating with during the dynamic test.
(00:45:05)
So, that's always kind of a fun one to play around with. We also dump the keychain while we're there, so we're getting more into doing some more memory stuff, some stuff outside of the traditional pen testing space as far as automation, but definitely getting better and better. Also, inventory of the PLIST files that were discovered as we began looking at the application. So just as a side note on the Android side, again, MATRIX very similar. You'll see that there's quite a few more checks if you will, that are created on the Android side. One, it's a little bit easier to create a lot of these tests, and so there is actually less that can be created on the iOS side, but we're making as much progress as fast as we can on that. So again, the same kind of thing over here on Android, you're going to get static findings.
(00:46:07)
Some things like, oh, we looked through the source code and we've noticed in a couple of files that you've actually got some settings here that are potentially vulnerable. We could maybe make an exploit attempt on this if we wanted to, things like that. And on the Android side, we've also added the artifacts capability here as well. So you're going to see things like, OK, hard-coded URLs. Again, it's not bad or good, it's just something that you would want to know so that you could investigate. Are these URLs actually part of my application? Are they required? Are they a part of something else? And again, we're going to point you to which actual evidence file contained that URL exported intents. And again, here on the Android side, we can also do the geolocation, which does give us a cool mapping and you can be able to see if that app is communicating to other countries, let's say, even if it's not supposed to. So that's a super quick update on MATRIX, which again, has been a big focus of us throughout the year getting this more and more and more tests within MATRIX. You're going to see pretty substantial improvements over the next few months in workflow and some of the things that are available here.
(00:47:38)
You can view multiple tests, you're going to be able to see your results over time, etc, if you have more than one run. All those kind of fun things are here within the MATRIX framework. Now, one thing I do want to highlight as well as we get close to ending today's webinar, we'll end a bit short just to give you guys a little bit of time back on our MATRIX landing page, which is just Corellium.com/MATRIX. I do want to highlight that we actually have built a savings calculator for our prospects and customers. So this is a good tool. We have some assumptions built in here around the amount of time it takes to do internal security assessments or audits versus internal pen testing. Whether or not you hire people out to do the assessment or hire the pen testing, you should be able to come in here and put in some of the values around how many apps, binaries you're testing, how many days it takes you to do a baseline on a binary, that kind of thing.
(00:48:46)
And then it's going to produce what your potential savings are. The one thing I would like to highlight, we released this when we launched MATRIX back in August, but we just made one big enhancement, which is I can now take this information that I'm entering here in my report and actually create a personalized version of that. And I like this because this is designed basically for you to communicate with your management about the value that Corellium brings to your organization, not just the dollars and cents, but the time savings, other things like that. And you're free to personalize this with your name, your company name. We do not save this information. This information that you enter here is not saved by us. It is only there to produce the report and I will pop open a report.
(00:49:44)
So, this is essentially what the report looks like when you create it. So basically you get your customization again, it's just in the PDF, it's not saved by Corellium or anything like that. So you basically have your company name that you entered in and then your personal name, and it gives you kind of an executive summary that if you were to do this kind of thing, we estimate that you're going to save 632 hours or days per year and 1.2 million in external cost testing. I put in some big numbers, like 20 apps, all that kind of fun stuff. But then you get basically a breakdown of each of the sections that you filled out. If a section does not apply to you, you just enter zero in the first tab and then there won't be any calculation done for you. But basically you have your time savings from internal security assessments if you need it to help management chain kind of understand what the level of work being done is.
(00:50:52)
We have some kind of boilerplate text here that you can use as a starting conversation starter with that management. And then we also have essentially kind of a, so what does this mean for us? Yes, you say you're going to save up to 90% of an effort, but what are we going to do with that time and how does that actually play out? So again, this is designed to help just kind of work with management, probably not necessarily your immediate manager trying to do this. They probably understand the issue, but when you guys start working outside of your group and you start working with other C-level executives within your organization, hopefully this kind of text will help you have those conversations and be able to extrapolate the value that you would get by purchasing Corellium at the different packages you wish to. So I just wanted to highlight this.
(00:51:52)
This was just released this week. I just put the finishing touches on it, and so I just wanted to show you that is available now. And if you use it or anything like that, please let us know. Again, you don't have to talk to any of us to actually utilize it. You can just go right ahead and go for it and see what you can figure out. Let me know if you like it, if you don't like it, if some of the assumptions that we're making based upon talking to other industry experts and things like that are wrong or are they kind of aligned with what you guys are thinking as well. So with that, I don't see any further questions. If you do have a question, please throw it in the Q-and-A. I'll keep an eye on it for a moment here.
(00:52:39)
But with that, I want to thank you for attending today's webinar. We've got some great webinars lined up for October, November as well, some more how-to type stuff. So we hope to see you on a future episode. And with that, I'll go ahead and end today's webinar and give all of you a few minutes of your day back. Thank you very much, and I really appreciate you coming and hanging out today. I did see a question pop in. So yes, we do list out the capabilities within MATRIX. They're all in our support center, so the names of the checks and what they are, things like that. And we are also working on publishing a list of how they appear compared to the OWASP, but which tests are actually covered out of OWASP, which still might need some manual work. So keep an eye out for that. But yes, in the Support Center under the MATRIX documentation is the current list of capabilities within MATRIX. OK. Oh, someone would like to see a quick demo on how to create a new test within MATRIX. Heck yeah, we can do that. Let's pop over and do that.
(00:53:59)
Let me get to the right page. So to create a new test with MATRIX, it's actually quite simple. Let's just clear that out so I can see my screen a little bit. OK, so what you see here is basically I have already finished a dynamic run of MATRIX, so I could basically restore my snapshot and do another one. But to create a test, what you do is you pick your application. So in this case, I'll pick for example, our Corellium Cafe application. So this is an application that's already installed on the device as you can see here. And once you have your application picked, you want to pick a keywords file because this is really the key thing around eliminating false positives or creating absolute great findings and what the keywords file is. I'm going to go over here and I will show you what the keywords file is.
(00:55:00)
The keywords file is essentially a set of strings or regular expressions or literal strings or whatever that are sensitive to you, your organization or your testing framework, for example. So in this case, with this I would consider potentially the clearest leakage of my name or a 16 digit number that ends in 1, 2, 3, 4. That's the test I'm going to put in. Or maybe there's a literal string for a credit card number. I've got some hard coded things that are sensitive that I want to look for. Again, the keywords file is something that contains those sensitive values that you're going to be looking for in your organization that are, again, they're sensitive for you. So if you're working with an external vendor today that is putting together a test for you, things like that, they're going to work with you to develop this kind of list of things to look for that are specifically within your application.
(00:56:15)
So once you provide that keywords file, and this is optional, you do not have to provide a keywords file if you don't want to. And we're working on content right now that's actually going to do a pretty good job of finding things like API keys and things like that based upon words around them and things like that. So you're not going to have to necessarily do that, but if you're going to be entering sensitive information into the application or it's stored that you know of, things like that, signing up usernames and passwords that you're going to use during a signup procedure, you just want to make sure you're not capturing those things in clear text over the air or on disc. So once that is done, you create the test, and once the test has been created, you can start a monitoring procedure. And start monitoring basically is going to use a lot of the built-in tools within Corellium to kind of kick off and run in kind of a black box flight data recorder mode.
(00:57:22)
So you can then begin exercising your application, like ordering a cup of coffee. You can add the item, you can go through your data entry of your checkout procedure, entering in your information. And again, if you're going to look for any 12 digit number followed by the 1, 2, 3, 4, again, we've told Corellium to look for that as a credit card number and expose that as a data leakage issue. All the other values we're not really about. Maybe you want to try a promo code to see if it's exposed in memory or something like that. And when you're finished running your dynamic test, you tell Corellium to stop all the monitoring, gather all of the evidence, put it aside, get it ready, and then when that is complete, you're going to start the run test. So as soon as it's gathered all of the evidence and it's got the APK and it's getting ready to do all of its testing, then you'll be able to click run test and it'll begin running through that nearly a hundred different tests on Android and iOS.
(00:58:41)
There's a little bit fewer, but again, the procedure is exactly the same both on iOS and Android to run the test. So again, it's exactly the same workflow. It looks the same, it works the same, it's just your app exercising is going to be a little bit different. And then again, like I said before, all of the things that you're doing here, including app and keywords and clicking and dragging and entering information, all that is available through the API and CLI. So there you go. There's a one second or a few second demo of Corellium MATRIX and how to start a test.
(00:59:28)
Let's see. Question. Surprised you haven't mentioned AI. Yeah, well, we're not all about buzzwords right now. So we have actually had some folks use us with AI, which is interesting. I think it was back in March of this year. Maybe it was February, I'm not sure. I did a webinar with David Manouchehri, one of our partners, and he actually built a full automated QA test where he ran an application on a Corellium device and using the API and other tools, he was able to take screenshots and send them over to an AI OCR tool that could recognize whether the test passed or failed and produce automated AI delivered bug emails and things like that. So if you're interested in doing that sort of thing with AI, you might want to check out that webinar from February or March. I don't remember which one it is, as well as there was a technical writeup on our blog about that, but they, David, basically created a way to utilize our automated environment to do some functional QA testing utilizing AI to actually determine whether or not the test pass or fail.
(01:00:49)
Now, what we are doing with AI is still kind of yet to be determined because again, up until MATRIX, we really haven't done a lot of testing on behalf of you. We have been a platform for you to conduct testing, but there are definitely ways that using some AI intelligence around some of the automated testing that we're doing now could play out in the future. I don't have anything I could talk about right now, but there are definitely interesting areas that we could begin exploring. So thank you all for hanging out. We're going to go right up to the top of the hour now, which is great. Thank you so much for your questions, great discussion points, and I look forward to seeing you all on the next webinar from Corellium. So stay tuned for that. Thank you all again. Have a great fantastic week and take it easy and we'll see you next time.
Speakers
Chief Evangelist, Brian Robison
Brian has over 25 years of cyber security experience, is an accomplished product executive, and is a sought-after speaker at industry events, including RSA, Black Hat, and ISC2 Think Tank. He is currently the VP of Product Marketing & Chief Evangelist at Corellium.