Mobile virtualization company suspects ulterior motive is behind litigation
Virtualization software company Corellium has vowed to keep fighting Apple’s copyright infringement lawsuit, telling The Daily Swig that it will “strongly defend” its customers’ right to use its products.
Corellium’s software allows users to create virtual iOS devices within a browser, in order to test applications and uncover security vulnerabilities – and has done so unchallenged for years.
However, back in August, Apple sued the Florida-based company, claiming (PDF) that Corellium was infringing its copyright by replicating Apple’s iOS operating system, iTunes and other Apple-owned apps “with no license or permission from Apple”.
Corellium is fighting back, suggesting that the lawsuit was prompted by a failed acquisition attempt, rather than any genuine belief that it had violated the Cupertino-based tech firm’s copyright.
It says that in January last year, Apple – after attempting to buy Corellium’s predecessor, Virtual, which was later sold to Citrix – entered into negotiations to buy Corellium itself.
For years, the company claims, Apple actually encouraged Corellium to develop its products and approved it for its bug bounty program. Only when the acquisition fell through over an inability to agree a purchase price did Apple decide to sue, the company alleges.
Corellium CEO Amanda Gorton told The Daily Swig, its product is no different from other virtualization tools such as VMware or Virtual Box.
“Just as desktop virtualization revolutionized enterprise IT, so too does our mobile virtualization provide revolutionary advances in efficiency, capability, and scalability for purposes such as research, training, testing, and empowering new technologies,” she said.
“Corellium’s proprietary technology does not contain and is not sold with Apple code. Users interested in running the iOS software are able to download the software file directly from Apple’s servers.”
The lawsuit has generated some consternation among security researchers.
One, Maria Markstedter, the founder of Azeria Labs, says that using Corellium, for free, has saved her significant sums in terms of their investment on research devices.
“It is disappointing to see Apple use their power to try and destroy a start-up with so much potential,” she told The Daily Swig.
“It seems to me that this lawsuit is really just an attempt to make non-invited security research on their platform prohibitively difficult.”
Just days after filing the lawsuit, Apple launched a scheme to provide selected security researchers with special “pre-hacked” iPhones, allowing them to look for flaws in iOS.
But in its response to the litigation, Corellium argued that the tech giant is trying to control who is permitted to identify vulnerabilities.
It also questioned whether Apple will necessarily disclose identified vulnerabilities to the public – something the infosec community generally considers to be a best practice.
Thomas Reed, director of Mac and mobile at security firm Malwarebytes, points out that Apple does prohibit the use of macOS on non-Mac hardware, even in a virtual machine (VM).
This is the reason that companies such as MacStadium have to run their VMs on banks of Mac Minis.
“I think that Apple is trying to take the reins when it comes to iOS security research, because not being in control of that research is scary for them. But at this point there are too many horses in the field,” he told The Daily Swig.
“They may or may not succeed in controlling Corellium, but with things like the checkra1n jailbreak – based on the checkm8 vulnerability – in the wild, doing security research on iOS without Apple’s assistance is much easier today than it was just a few months ago.”
He added: “I hope that Corellium is able to continue their work, because it’s valuable to both security researchers and developers, but I think their chances are still very fuzzy.”
IP lawyer Andrew Schrafel of AJ Schrafel Paper Corporation and the US Patent Law blog believes the case is likely to be settled.
“Normally, copying someone else’s software without permission would constitute copyright infringement, but when the copyright owner knows about and turns a blind eye to copyright infringement, that complicates things. Copyright law isn’t well equipped to deal with grey areas like this,” he says.
“Apple’s software is the core of Corellium’s business; Corellium makes it easier to develop apps on Apple’s software – both parties benefit from the other.
“The outcome of this case depends more on what the parties can agree to rather than the letter of the law.”
Apple did not respond to our request for comment.