The researchers at Corellium are under legal assault by Apple, and the security firm has responded to Apple’s latest legal volley and effort to block its iOS virtualization tool with the DMCA.
On December 27, Apple amended the lawsuit it filed against Corellium, a company that provides the frameworks of an iOS simulator used by security researchers. While Apple has stopped short of calling a jailbreak illegal, it is taking the tack that developing an emulator or similar iOS emulation to facilitate a jailbreaking tool’s creation is copyright infringement.
In the filing, Apple is clear about the approach that it will take at trial:
This is a straightforward case of infringement of highly valuable copyrighted works, along with the trafficking of and profiting from technology that enables such infringement. Corellium’s business is based entirely on commercializing the illegal replication of the copyrighted operating system and applications that run on Apple’s iPhone, iPad, and other Apple devices.
The product Corellium offers is a “virtual” version of Apple mobile hardware products, accessible to anyone with a web browser. Specifically, Corellium serves up what it touts as a perfect digital facsimile of a broad range of Apple’s market-leading devices—recreating with fastidious attention to detail not just the way the operating system and applications appear visually to bona fide purchasers, but also the underlying computer code. Corellium does so with no license or permission from Apple.
Apple also says that legitimate security researchers using the virtual iOS environment to test exploits isn’t relevant to the case.
“Corellium’s conduct plainly infringes Apple’s copyrights. This is not a case in which it is questionable or unclear whether the defendant reproduced the rights-owner’s works, or more subtly, whether particular portions of the works that the defendant took are ultimately protected by federal copyright law,” Apple says. “Instead, Corellium simply copies everything: the code, the graphical user interface, the icons—all of it, in exacting detail.”
In response to the filing, Corellium has made a statement. It denies that it is violating the Digital Millennium Copyright Act and says Apple is using the suit as a test case to clamp down further on jailbreaking and those who make the tools.
We are deeply disappointed by Apple’s persistent demonization of jailbreaking. Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device. For example, a recent analysis of the ToTok app revealed that an Apple-approved chat app was being used as a spying tool by the government of the United Arab Emirates, and according to the researchers behind this analysis, this work would not have been possible without a jailbreak.
Not only do researchers and developers rely on jailbreaking to protect end users, but Apple itself has directly benefited from the jailbreak community in a number of ways. Many of the features of iOS originally appeared as jailbreak tweaks and were copied by Apple, including dark mode, control center, and context menus. In addition, jailbreak creators regularly contribute to the security of iOS. The developer behind the unc0ver jailbreak was acknowledged and credited by Apple for assisting with a security vulnerability in the iOS kernel – a vulnerability he discovered while using Corellium.
In August, Apple filed a lawsuit with the U.S. District Court for the Southern District of Florida over Corellium’s mobile device virtualization solution, claiming it infringes on a number of the iPhone maker’s software copyrights. Apple claimed it had not licensed iOS, iTunes, or other user interface technologies for use by Corellium in its tools, which are used by security companies to search for issues with iOS.
In October, Corellium responded to the lawsuit with a number of defenses and counterclaims.
Corellium’s “relevant background” starts by claiming Apple “encouraged Corellium to continue developing its technology” before making its copyright infringement claim. During this time, Corellium was also approved to take part in the invitation-only Security Bounty Program, which has since been opened up to a larger pool of researchers.
“While Apple gladly accepted and utilized bugs submitted by Corellium as part of this program, it broke its promise to pay them,” the firm insists. Later, “Apple announced its own competing product and soon after sued Corellium,” with the virtualization company claiming “Apple never hinted that it believed Corellium was infringing its copyrights.”
Corellium goes on to suggest Apple’s behavior in relation to security research is “widely viewed as harmful to the public,” with Apple’s complaint used as an example of “its desire to exclusively control the manner in which security researchers identify vulnerabilities” in its operating systems.
The filing goes on to raise the iOS bugs found by Google’s Project Zero shortly after Apple filed its lawsuit, using them as an example of how Corellium’s technology is “intended to improve the security research and development community.”
Apple is asserting two claims of direct federal copyright infringement for computer software and graphical user interface elements, and one claim for contributory federal copyright infringement targeting users of Corellium’s products. The company is looking for an injunction that prohibits the sale of and access to Corellium products, an order to return owned intellectual property, destruction or impounding of infringing materials, damages and court fees.