Apple Sues Corellium Over iOS ‘Replica’ Security Testing Software

apple corellium lawsuit

The phone company has sued the startup for copyright infringement.

Apple has sued startup Corellium for copyright infringement, alleging that the company has developed “exact digital replicas” of its iPhone operating system without authorization – from the code down to the graphical user interface.

While details about Florida-based Corellium on its website are slim, a Forbes report from 2018 said that the company has created virtual software (available via a Corellium web-based platform) simulating iOS and iTunes. Essentially, the company sells access to virtual machines that run the operating system replicas, which can be used as a test bed for hackers and software developers to do anything from testing their apps on various hardware to sniffing out vulnerabilities.

However, Apple’s lawsuit claims that Corellium’s true goal is “profiting off its blatant infringement,” rather than finding security vulnerabilities in its software: “The purpose of this lawsuit is not to encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works,” according to Apple’s lawsuit, filed last week in the U.S. District Court for the Southern District of Florida. “Accordingly, Apple respectfully seeks an injunction, along with the other remedies described below, to stop Corellium’s acts of naked copyright infringement.”

Corellium’s website does not offer further descriptions of its products or services other than to describe them as “mobile device virtualization: The future of mobile development.” The website does tout an intellectual property policy, which says Corellium “respects the intellectual property rights of others and expects its users to do the same” – but does not touch directly on Apple software.

According to Apple’s lawsuit, Corellium offers licensing for private installations to entities – installing a full version of its cloud-based product on a customer’s premises – for $1 million a year. “Such private installations of the Corellium Apple Product copy, modify and display Apple’s copyrighted works,” Apple said.

Apple also expressed concerns over the security testing functionalities of Corellium’s products; the company makes no effort to confine use of its product to good-faith research and testing of iOS, and does not require users to disclose any software bugs discovered to Apple, the lawsuit says.

The lawsuit comes after Apple has made important strides around vulnerability disclosure. At Black Hat USA 2019 in August, Apple bumped up its bug bounty rewards to include a hefty $1 million payout for finding a network attack with no user interaction that could lead to zero-click kernel code execution with persistence. Apple also confirmed reports that it will give security researchers special iPhones that will make it easier for them to find weaknesses in its smartphone, in a new program called “iOS Security Research Device Program.” The phone will have special features – such as advanced debug capabilities –  and will be available to researchers next year.

apple corellium lawsuit

“Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher,” Apple said in its lawsuit. “Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected.”

Thomas Reed, director of Mac and Mobile for Malwarebytes, told Threatpost that Apple has long defended requirements to run products like macOS only on Apple hardware; For instance, companies like MacStadium that run banks of Mac virtual machines are allowed to do so only if those virtual machines are running on Mac hardware.

“Based on this, it’s quite obvious that Apple would sue Corellium based on its service that offers remotely hosted iOS virtual machines, which are not running on Apple hardware,” he said. “I would guess that it is a certainty that Apple will be able to prevent Corellium from continuing to provide this service.

However, “on the other hand, I really wish there were some way Corellium could work out a deal with Apple to continue providing this service. It would be quite useful, not just for security researchers and jailbreakers, but also for iOS developers,” said Reed. “From what I hear, Corellium’s service is far superior to Apple’s Simulator app for iOS developers.”

Corellium did not immediately respond to a request for comment from Threatpost.

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.

Suggested articles