Apple yesterday sued Corellium, a company that sells access to virtual machines that run copies of the operating system used in iPhones and iPads.
Corellium markets iOS virtualization as “a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software,” according to Apple’s complaint (PDF) filed in US District Court for the Southern District of Florida. But “Corellium’s true goal is profiting off its blatant infringement,” Apple wrote. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”
Corellium offers access to copies of iOS in a cloud service and in private installations on a customer’s premises, with the latter costing $1 million a year, the lawsuit said. “Corellium does so with no license or permission from Apple,” the lawsuit said.
Corellium says on its Twitter account that it is the “first and only platform to offer iOS, Android, and Linux virtualization on ARM,” and that it is not merely a “simulator.” Corellium tweets also touted the ability “to run virtual iPhones in the cloud” and “run any version of iOS.” With Corellium virtualization, “It’s possible to pause, rewind, and fast-forward everything that’s done on the [virtual iOS] device… whilst Corellium reveals the internal code to help hackers discover what went wrong (or right) when they started tinkering,” according to a Forbes article from February 2018.
“Straightforward” copyright case
Apple’s lawsuit touted its own commitment to security research, writing that it “has never pursued legal action against a security researcher” and that the company offers up to $1 million per security report to researchers through its bug bounty programs. “Apple has also announced that it will provide custom versions of the iPhone to legitimate security researchers to allow them to conduct research on Apple devices and software,” the lawsuit said.
Corellium, by contrast, “makes no effort whatsoever to confine use of its product to good-faith research and testing of iOS,” Apple wrote. Apple quoted one of Corellium’s founders, Chris Wade, as saying on a podcast that researchers who find security flaws “might want to keep it to themselves, because it will be worth a lot of money to a lot of people.”
But Apple’s case doesn’t rely solely on its claim that Corellium’s goals are less than noble. According to Apple, “This is a straightforward case of infringement of highly valuable copyrighted works.”
Apple’s lawsuit continued:
Corellium’s conduct plainly infringes Apple’s copyrights. This is not a case in which it is questionable or unclear whether the defendant reproduced the rights-owner’s works, or more subtly, whether particular portions of the works that the defendant took are ultimately protected by federal copyright law. Instead, Corellium has simply copied everything: the code, the graphical user interface, the icons—all of it, in exacting detail.
Corellium explicitly markets its product as one that allows the creation of “virtual” Apple devices. For a million dollars a year, Corellium will even deliver a “private” installation of its product to any buyer. There is no basis for Corellium to be selling a product that allows the creation of avowedly perfect replicas of Apple’s devices to anyone willing to pay.
Corellium has touted its product “as an alternative to purchasing ‘jailbroken iPhones on eBay,'” Apple’s lawsuit said. Corellium also publicly acknowledged “that it had given access to its platform to the developers of an iOS exploit called ‘unc0ver,’ so the developers could test the exploit ‘on any device running any firmware.’ Within weeks, those developers released a new exploit of iOS 12,” Apple said. Unc0ver lets iPhone users jailbreak their phones.
Apple’s complaint further argued:
Corellium has no plausible defense to these acts of copyright infringement. On information and belief, Corellium is indiscriminately marketing the Corellium Apple Product to any customer, including foreign governments and commercial enterprises. Corellium is not selectively limiting its customers to only those with some socially beneficial purpose and/or those who promise to use Apple’s copyrighted works, through the Corellium Apple Product, only in lawful ways (though it is highly doubtful whether, under the circumstances, such uses actually exist). Instead, Corellium is simply unleashing Apple’s copyrighted works for the world-at-large to use, period.
Apple is seeking financial damages and a permanent injunction that would shut down Corellium’s iOS virtualization service.
Corellium warns customers about infringement
We contacted Corellium about Apple’s lawsuit today and will update this story if we get a response. Corellium is based in Florida. Its website doesn’t let potential customers purchase access to virtual machines directly. Instead, it provides an email address for contacting Corellium’s sales department.
Corellium’s intellectual property policy says the company “respects the Intellectual Property rights of others,” and that it terminates the accounts of Corellium customers “who infringe or are repeatedly charged with infringing the Intellectual Property rights of others.” The company also says that customers may not “make any copies” of Corellium’s software or “resell, distribute, or sublicense” the Corellium Software. But the intellectual property policy doesn’t explain how Corellium selling access to copies of iOS complies with Apple’s copyrights.
Corellium says it indemnifies its customers against claims that Corellium’s software infringes other companies’ intellectual property rights.