And we now go live to Apple v Corellium, where the iTitan is still lobbing copyright fireballs at the virtual iPhone upstart
Corellium and Apple are once again trading allegations in a legal brouhaha over the former’s virtual-iPhones-as-a-service operation.
Over the Christmas break, the Cupertino phone flinger filed an amended complaint [PDF] against Corellium in the US state of Florida regarding the virtualized Arm-based instances Corellium offers to developers and security researchers. These instances can, according to Corellium, run any version of Apple’s iOS, allowing folks to test and debug code and exploits in the cloud-host environments, and can be jailbroken as required.
The case – essentially a US copyright infringement claim – centers on Apple’s allegations that Corellium illegally copied the mobile operating system, and unlawfully made derivative versions by modifying the software to run on Corellium’s iPhone hypervisor. As such, the iTitan wants the service shut down. Corellium countered that Apple is trying to extinguish the iOS bug-hunting and jailbreaking communities: the virtual platform is used by gurus to, among other things, craft exploits for iOS vulnerabilities.
The ability to debug crashes, and probe inside the OS while running in a virtual machine, all from a web browser, is a boon, and saves folks having to fork out for physical handsets and jailbreak or otherwise compromise them to dig into the inner workings and troubleshoot or find low-level faults and bugs. iThings are locked down to the point that it frustrates research, and thus, Corellium’s hosted, unlocked devices are popular with researchers and jailbreak devs.
For what it’s worth, Apple is also unhappy that Corellium’s service seemingly helps people find bugs in iOS and sell exploits for the holes, and that it apparently competes against Apple’s own iOS bug-bounty program. This program was once rather secretive and cliquey, being an invite-only affair, though it has been opened up to the wider world.
Apple’s latest complaint is a heavily rewritten version of its mid-August initial filing, and comes in response to Corellium’s counter-argument in October that its cloud offering is legit, “innovative and transformative.”
While Corellium argued that Apple is trying to crack down on who can rifle through iOS for bugs and exploitable flaws, and snuff out jailbreaking efforts, the iGiant’s latest paperwork homes in on its central allegations that Corellium is trying to make a fast buck by ripping off iOS and its bundled apps and user interface – technology that Apple has not licensed to Corellium.
Additionally, Apple is super upset that Corellium’s technology can be used to develop iOS jailbreaks, which the Silicon Valley behemoth reckons ought to be illegal.
“Contrary to its lofty rhetoric, Corellium in fact sells Apple’s technology and the ability to circumvent the security measures embedded in that technology for its own profit, and makes no effort to ensure its customers are engaged solely in good-faith security research,” the filing reads.
“Instead, Corellium is selling a product for profit, using unauthorized copies of Apple’s proprietary software, that it avowedly intends to be used for any purpose, without limitation, including for the sale of software exploits on the open market.”
Apple fires legal salvo at Corellium claiming the virtual iPhone flinger is infringing copyright
Apple also detailed some of the alleged modifications. Essentially, it is claimed, Corellium strips away the protections in iOS that would otherwise prevent it running on unofficial hardware and prevent it from being modified by miscreants and jailbreakers. These are the same protections researchers would want removed in order to fiddle with and inspect the low-level guts of the operating system.
“The Corellium Apple Product makes modifications to iOS that allows it to be installed on, and run from, Corellium-developed or Corellium-operated hardware,” Apple said in its amended complaint.
“Such modifications include disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the ‘trust cache,’ and instructing the restore tool not to contact Apple servers for kernel / device tree / firmware signing.”
The proceedings are being watched closely by the infosec and jailbreaking communities, where there is fear that a win would give Apple legal precedent to go after other researchers and hobbyists. This is something Corellium hit on heavily in a statement from CEO Amanda Gorton promising to challenge Apple’s attempt to use America’s Digital Millennium Copyright Act against it in court.
“Apple is using this case as a trial balloon in a new angle to crack down on jailbreaking. Apple has made it clear that it does not intend to limit this attack to Corellium: it is seeking to set a precedent to eliminate public jailbreaks,” Gorton said on December 29.
“We are deeply disappointed by Apple’s persistent demonization of jailbreaking. Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device.”
Apple declined to comment on Gorton’s statement. ®
READ MORE HERE