Corellium responds to Apple lawsuit with security research control claims
Software virtualization firm Corellium has answered Apple's lawsuit, which accuses it of infringing copyrights covering iOS, iTunes, and other Apple assets, by arguing that Apple had previously supported the company's security-minded efforts and that the lawsuit itself is an attempt by Apple to control how security research is performed on its products.
In August, Apple filed a lawsuit in the U.S. District Court for the Southern District of Florida over Corellium's mobile device virtualization platform, claiming it infringes a number of the iPhone maker's software copyrights. Apple claimed it never licensed iOS, iTunes, or its other user interface technologies to Corellium for use in its tools, which security companies use to hunt for vulnerabilities in iOS.
In a filing to the same court on Monday, Corellium responded to the lawsuit with a number of defenses and counterclaims. The filing is partially redacted, most likely to protect confidential business information of the parties involved.
Corellium's "relevant background" starts by claiming Apple "encouraged Corellium to continue developing its technology" before making its copyright infringement claim. During this time, Corellium was also approved to take part in the invitation-only Security Bounty Program, which has since been opened up to a larger pool of researchers.
"While Apple gladly accepted and utilized bugs submitted by Corellium as part of this program, it broke its promise to pay them," the firm insists. Later, "Apple announced its own competing product and soon after sued Corellium," with the virtualization company claiming "Apple never hinted that it believed Corellium was infringing its copyrights."
Corellium goes on to suggest that Apple's behavior in relation to security research is "widely viewed as harmful to the public," citing Apple's complaint as an example of "its desire to exclusively control the manner in which security researchers identify vulnerabilities" in its operating systems.
"By requiring that security researchers use its physical development ("dev") devices to the exclusion of other products, including its attempt to stop Corellium from offering a more efficient alternative to its dev devices, Apple is trying to exclusively control (1) how security research is performed, and (2) who is able to perform that research," the rebuttal states.
The answer goes on to argue that Corellium's virtualization was an innovation in security research, allowing testing across multiple device models within a single unified environment instead of relying on "racks of physical devices." The firm's technology is presented as a more efficient way to do research: a virtual device that a bug "bricks" can be replaced instantly, rather than requiring a physical device to go through a full restore.
It also claims to have made "quintessential fair use of Apple's technology," calling its use "highly transformative" because it does not replicate Apple's products "for the same purposes for which the products were developed." Because a virtual device cannot make calls, send text messages, access iTunes, use iCloud, take photographs, or pair with Bluetooth headphones, the filing argues, the technology is aimed at security researchers rather than ordinary users.
There is the further argument that Corellium "does not use iOS in its entirety or merely replicate iOS for the same purposes as Apple," as it uses its own software to execute iOS on different hardware. "Apple cannot dispute that Corellium implements its own original code and virtual machine in conjunction with third party tools," notes the filing.
The filing also adds an item Apple "unsurprisingly" omits from its complaint's account of its lengthy relationship with Corellium, its technology, and its founders: the allegation that Apple attempted to recruit Corellium's founders over several years. It points to discussions between co-founder Chris Wade and Apple's head of Security Engineering and Architecture, Ivan Krstic, and to another attempt to recruit the developer.
Wade developed Virtual in 2014, an iOS virtualization platform similar to what Corellium offers; that company was later sold to Citrix.
"Rather than tell the real story, Apple paints Corellium as a bad actor, unscrupulously peddling its product to anyone for any reason," the filing continues. "But Corellium does not license its platform to anyone. Its end users include well-known and well-respected financial institutions, government agencies, and security researchers."
"Contrary to Apple's disparaging implication, Corellium and its founders do business with those working in software security to protect end users - not use it for an improper purpose."
The filing goes on to raise the iOS bugs disclosed by Google's Project Zero shortly after Apple filed its lawsuit, using them as an example of how Corellium's technology is "intended to improve the security research and development community."