
Corellium

Category: Mobile Security
License: commercial
Suphi Cankurt
AppSec Enthusiast
Updated March 23, 2026
Key Takeaways
  • The only platform offering virtualized iOS devices with instant jailbreak access, running on ARM-native hardware via the proprietary CHARM hypervisor — no emulation, no exploit-based jailbreaks.
  • Won a landmark copyright fair use ruling against Apple in December 2020 (upheld on appeal in May 2023), establishing legal precedent for iOS virtualization in security research.
  • MATRIX automated testing engine runs hundreds of OWASP-aligned security checks on mobile apps in minutes, covering authentication, cryptography, storage, network, and platform categories.
  • Acquired by Cellebrite for $170M in 2025; used by government defense and intelligence agencies, enterprises, and independent security researchers worldwide.
  • Available as cloud service (AWS Graviton), on-premises appliances (air-gappable for classified environments), or dedicated private servers.

Corellium is a virtual hardware platform that creates ARM-native digital twins of iOS and Android devices for mobile security testing, vulnerability research, and app development. It is the only platform in the world that offers virtualized iPhones with instant jailbreak access — without relying on any iOS exploits.

Founded in 2017 by Amanda Gorton (CEO) and Chris Wade (CTO), Corellium runs on ARM hardware through its proprietary CHARM (Corellium Hypervisor for Arm) type-1 hypervisor. Unlike Android emulators that translate ARM instructions to x86, Corellium uses ARM-on-ARM virtualization, which means virtual devices behave identically to their physical counterparts at the firmware and kernel level.

Cellebrite acquired Corellium in December 2025 for $170 million, with CFIUS (Committee on Foreign Investment in the United States) approving the deal under a national security agreement. Corellium continues to operate its platform and product lines. The MATRIX automated testing engine runs hundreds of OWASP-aligned security checks on mobile apps, covering 7 test categories including authentication, cryptography, and data storage.

Key Features

[Figure: Corellium virtual device dashboard showing a virtualized iPhone 14 Pro Max running iOS 16.1 with network monitor, filesystem browser, and app management panels]

Virtual iOS Devices: Jailbroken or non-jailbroken iPhones across all iOS versions, typically supported within days of release, including betas
Virtual Android Devices: Ranchu-based Android models with root access and permissive SELinux enforcement
CHARM Hypervisor: Type-1 bare-metal hypervisor purpose-built for ARM device virtualization
MATRIX Testing: Automated security testing engine aligned with OWASP MASTG, covering 7 test categories
Frida Integration: Pre-installed Frida daemon in all jailbroken iOS and rooted Android VMs
HyperTrace: Kernel execution path mapping for coverage-guided fuzzing and diagnostics
CoreTrace: System call tracing for runtime behavior analysis
Network Monitor: Traffic inspection by process/port/PID with transparent SSL pinning bypass
Snapshots: Save, restore, and clone entire device states for reproducible testing
REST API & CLI: Full automation support for CI/CD integration and scripted workflows

ARM-Native Virtualization

Runs iOS and Android on actual ARM hardware through the CHARM hypervisor. No emulation, no instruction translation — apps and OS behave exactly as they would on physical devices.

Instant Jailbreak Access

Because Corellium controls the entire software stack, it provides root access without relying on iOS vulnerabilities. Jailbroken devices are available across all supported iOS versions within days of release.

MATRIX Automated Testing

Runs hundreds of security checks aligned with the OWASP Mobile Application Security Testing Guide. Covers authentication, cryptography, data storage, network, platform, code quality, and resilience categories.

[Figure: Corellium MATRIX automated testing workflow showing five stages from virtual device provisioning through security testing to assessment report generation]

[Figure: Corellium MATRIX security assessment report showing test results with 62 passed checks and 18 failed items for a mobile application]

How Corellium Works

Corellium’s architecture has four layers. At the base, ARM-native server hardware (AWS Graviton in the cloud, or custom Arm appliances on-premises) provides compute. On top of that, the CHARM hypervisor manages multiple virtual device instances on bare metal. Each virtual device runs actual device firmware (iOS, Android, or custom IoT images) as a digital twin. The tooling layer then provides browser-based UI, CLI, and API access with built-in security research instruments.

Compared to Android emulators like the ones in Android Studio — which translate ARM instructions to x86 and introduce behavioral differences — Corellium’s ARM-on-ARM execution produces higher fidelity results. Timing-sensitive bugs, hardware-specific behaviors, and low-level vulnerabilities manifest the same way they would on a physical device.

Product Lines

Corellium offers four distinct products targeting different user segments:

  • Corellium Viper — Enterprise solution for mobile app security testing and DevSecOps integration. Includes MATRIX automated testing, team collaboration features, and CI/CD pipeline integration.
  • Corellium Falcon — Government and defense solution for deep vulnerability research, mobile forensics, and threat analysis. Supports air-gapped deployments for classified environments.
  • Corellium Atlas — Automotive solution for software-defined vehicle development. Provides ARM-native virtualization for ECU software testing without physical silicon.
  • Corellium Solo — Individual researcher and student offering with pay-per-use pricing for mobile security exploration and learning.

Use Cases

Mobile App Penetration Testing

Corellium gives pentesters an environment where they can test mobile apps with full device access. Unlike testing on physical devices, there is no need to find and maintain jailbreaks for each iOS version. Testers get instant root access, can monitor all network traffic with automatic certificate pinning bypass, trace system calls with CoreTrace, and hook into running processes through the built-in Frida console.

MATRIX can automate the routine portion of a pentest, handling up to 75% of repetitive testing tasks according to Corellium. This lets pentesters focus on the parts of the assessment that require human judgment and creative exploitation.

Vulnerability Research

Security researchers use Corellium to discover zero-day vulnerabilities in iOS and Android. HyperTrace maps kernel execution paths, which can feed into coverage-guided fuzzers. Custom kernels and device trees can be uploaded for targeted research. Device snapshots allow researchers to save and share exact device states for reproducing vulnerabilities.

Malware Analysis

Threat intelligence teams use Corellium’s virtual devices to detonate and analyze mobile malware in a contained environment. System call tracing, network monitoring, and filesystem inspection reveal malware behavior without risking physical device compromise. The snapshot feature allows analysts to restore a clean state instantly after each analysis run.

Government and Defense

US Department of Defense agencies and intelligence organizations use Corellium for defensive cybersecurity research. The CFIUS national security agreement with Cellebrite underscores the platform’s role in government security operations. On-premises appliances can run air-gapped for use in SCIFs (Sensitive Compartmented Information Facilities) and other classified environments.

Strengths & Limitations

Strengths:

  • Only platform offering virtual iOS devices with true ARM-native execution
  • Instant jailbreak across all iOS versions without depending on exploit chains
  • Deep kernel-level introspection not available on any other cloud platform
  • Built-in Frida integration removes setup friction for dynamic analysis
  • MATRIX automates OWASP-aligned testing and generates assessment reports
  • Available as cloud, on-premises, or dedicated private server deployments
  • Legally validated through the Apple fair use ruling

Limitations:

  • Commercial platform with enterprise-level pricing; entry point starts at $9,995 for business plans
  • Solo tier targets individual users with pay-per-device-hour pricing (free trial limited to students)
  • No free tier for professional researchers outside academia
  • Virtual devices, while high-fidelity, cannot perfectly replicate all physical hardware behaviors (Bluetooth, NFC, cellular baseband)
  • Cellebrite acquisition raises questions for some security researchers about the platform’s future direction, given Cellebrite’s law enforcement focus

Apple v. Corellium: The Landmark Case

In 2019, Apple sued Corellium for copyright infringement over its iOS virtualization technology. In December 2020, a US federal court ruled in Corellium’s favor, finding that virtualizing iOS for security research constitutes fair use under copyright law. Apple appealed, and the Eleventh Circuit upheld the fair use ruling in May 2023. The parties reached a final confidential settlement in December 2023. This case established an important legal precedent for security research tooling.

Getting Started

1. Choose your product tier — Viper for enterprise app security, Falcon for government vulnerability research, Solo for individual student access. Request a trial at corellium.com.
2. Spin up a virtual device — Select an iOS or Android device model and OS version. Devices boot in seconds with root/jailbreak access already configured.
3. Install your target app — Upload an IPA or APK through the browser UI, CLI, or API. Apps install just like on a physical device.
4. Run security analysis — Use built-in tools like Frida, CoreTrace, and the network monitor for manual testing. Run MATRIX for automated OWASP-aligned assessment with generated reports.
5. Automate with the API — Integrate device provisioning, app installation, and MATRIX scans into CI/CD pipelines using the REST API or CLI for continuous security testing.

How Corellium Compares

Corellium sits in a different category from most mobile security tools. Unlike application scanners such as NowSecure or Oversecured that analyze apps, Corellium provides the virtual device infrastructure layer that makes mobile security testing possible at scale. This distinction matters most for iOS, where physical device jailbreaking has become increasingly difficult and unreliable.

For teams doing mobile app penetration testing, Corellium replaces physical device labs entirely. Compared to maintaining a fleet of physical test devices, Corellium offers instant provisioning across iOS versions, consistent jailbreak access, and snapshot-based state management. For vulnerability researchers, it provides kernel-level access that physical devices cannot offer without fragile jailbreak chains. For organizations with compliance requirements, MATRIX provides automated OWASP-aligned evidence generation.

Open-source alternatives like MobSF cover static and basic dynamic analysis for free, but they cannot virtualize iOS devices or provide kernel-level introspection. Frida is the standard for dynamic instrumentation and comes pre-installed on Corellium, but Frida alone does not provide virtual device infrastructure. Drozer focuses on Android-specific attack surface enumeration and does not address iOS testing.

Best for
Security research teams, mobile app pentesters, and government agencies that need virtual iOS and Android devices with root access, kernel debugging, and automated security testing. Removes the need to manage physical device labs or hunt for jailbreaks.

For a broader overview of mobile security tools and how they compare, see the mobile security tools category page.

Frequently Asked Questions

What is Corellium?

Corellium is a virtual hardware platform that creates ARM-native digital twins of iOS, Android, and IoT devices. Unlike emulators, it runs actual device firmware on ARM hardware through its proprietary CHARM hypervisor, giving security researchers and developers full root access, kernel debugging, and dynamic analysis capabilities in the cloud or on-premises.

How is Corellium different from an emulator?

Emulators such as the Android Studio emulator translate ARM instructions to x86, which causes performance loss and behavioral differences. Corellium runs ARM-on-ARM virtualization through its proprietary CHARM type-1 hypervisor, meaning apps and OS code execute on native ARM hardware. This produces higher fidelity results — bugs and vulnerabilities found on Corellium behave the same way on physical devices, making it more reliable for security testing.

Is it legal to virtualize iOS with Corellium?

Yes. Apple sued Corellium in 2019 over iOS copyright infringement. In December 2020, a US federal court ruled that Corellium’s iOS virtualization qualifies as fair use under copyright law. The Eleventh Circuit Court of Appeals upheld the fair use finding in 2023, and the parties reached a final settlement in December 2023.

What security testing tools are built into Corellium?

Corellium includes Frida for dynamic instrumentation, CoreTrace for system call tracing, HyperTrace for kernel execution path mapping, a network monitor with automatic SSL pinning bypass, a filesystem browser, and the MATRIX engine for automated OWASP-aligned security assessments. It also supports connecting external tools such as Burp Suite, IDA Pro, and GDB.

Does Corellium support CI/CD integration?

Yes. Corellium provides a REST API and CLI that can be integrated into CI/CD pipelines for automated mobile app testing. MATRIX security scans can run as part of the build process, generating pass/fail results with remediation guidance for each OWASP test category.

Who uses Corellium?

Corellium is used by US Department of Defense agencies, intelligence organizations, enterprise security teams, mobile app pentesters, security researchers, and educational institutions. It was acquired by Cellebrite in 2025 for $170M, with CFIUS approval under a national security agreement.