Apple Sues Corellium for Selling Access to Cloud-Based ‘Perfect Replicas’ of iOS

Apple CEO Tim Cook at the 2019 Apple Worldwide Developers Conference.

Apple is suing a company, Corellium LLC, that it says is illegally reselling virtual copies of its iOS operating system under the pretense of legitimate security research, Bloomberg reported on Thursday.

Corellium advertises itself as “the first and only platform to offer iOS, Android, and Linux virtualization on ARM.” Per TechCrunch, the company allows users to interact with simulated iOS devices such as an iPhone or iPad via a web portal—which allows for researchers to do things like quickly compare iOS versions to see how long a bug has persisted, or simply boot up another instance if their meddling renders the virtual device inoperable. As TechCrunch noted, prior coverage of Corellium has emphasized that some of its founders have roots in the iOS jailbreaking scene.

According to Bloomberg, Apple accused Corellium in court filings of copying its “operating system, graphical user interface and other aspects of the devices without permission” and additionally violating copyright by selling access to the simulated iOS devices. While Corellium says its goal is enabling white hat hackers (those whose intention is discovering and reporting rather than exploiting vulnerabilities), Apple wrote in the suit that the company’s “true goal is profiting off its blatant infringement. Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Apple further accused Corellium of copying new versions of iOS and not implementing any requirements that users report discovered vulnerabilities in its products to Apple, Bloomberg wrote:

“For a million dollars a year, Corellium will even deliver a ‘private’ installation of its product to any buyer,” Apple said. “There is no basis for Corellium to be selling a product that allows the creation of avowedly perfect replicas of Apple’s devices to anyone willing to pay.”

Apple said “enough is enough” when it comes to Corellium advertising its products, including ones that compete with the Apple Developer Program, according to the complaint.

Apple’s lawsuit closely follows the expansion of its bug bounty program with an increased maximum payout of $1 million for critical vulnerabilities, such as ones that could allow an attacker to gain total control of a device with no interaction by a user, as well as the distribution of “dev” iPhones with special access to trusted security researchers.

Corellium’s intellectual property policy states that the company “respects the intellectual property rights of others and expects its users to do the same.” However, Ars Technica noted its website does not explain how the company’s products comply with Apple copyrights.

According to Motherboard, the move has angered some in the cybersecurity community, who compared it to a theoretical Microsoft crackdown on virtual machines. As VentureBeat noted, Apple has so far declined to go after the relatively small and mostly hobbyist community running so-called “Hackintosh” devices—essentially any computer running macOS outside of Apple’s approved limitations—but it has ensured that, other than screen mirroring, there is no way for researchers to bring “iPhone’s or iPad’s full interface onto a computer screen for even indirect user manipulation.” Apple appears to be targeting Corellium because it appears to be “selling emulated iOS access for profit,” VentureBeat argued, as well as because of Apple’s desire for total “control over how and where its operating systems can be run.”

One Apple employee speaking under the condition of anonymity told Motherboard that “You really couldn’t ask for a lawsuit more than Corellium has”:

The employee explained that the way Apple licenses its software, you can’t run a virtual version of MacOS on VMware or other virtualization platforms if it’s not running on a Mac computer. Corellium does something similar, but with iOS.

According to Ars Technica, Apple wrote in the lawsuit that Corellium has advertised itself “as an alternative to purchasing ‘jailbroken iPhones on eBay” and accused it of working with jailbreakers and exploit brokers. Corellium says on its website that it indemnifies end users against charges that its software violates copyright, Ars Technica added.

In its lawsuit, Apple is asking for an order blocking the sales of Corellium’s Apple product, for the company to notify its customers they are violating Apple copyrights, destruction of any infringing products, and damages, Bloomberg wrote.

[“source=gizmodo”]