A federal judge has ruled against Apple in its copyright battle with Corellium, a Florida startup that offers virtualized iOS instances for security researchers.
In a surprise ruling in the US District Court for the Southern District of Florida last week [PDF], Judge Rodney Smith rejected Apple’s claim that the core Corellium product infringed upon Apple’s intellectual property, finding it to be legally permissible under the fair use exemption.
This was, in part, because Corellium isn’t a direct competitor to iOS aimed at the same consumer and business users, but rather a specialist research tool aimed at a vastly smaller audience – a virtual iPhone on a desktop. It doesn’t, for example, offer access to the App Store, allow the user to make calls, or take pictures. The variant of iOS virtualized is stripped back and surrounded by a suite of tools that wouldn’t be of interest to the average bod – such as the ability to modify the kernel, see and halt processes, and capture live snapshots of an instance.
“The evidence establishes that the Corellium Product is not merely a repackaged version of iOS – this time in a virtual environment as opposed to an iPhone,” wrote Smith. “Rather, Corellium makes several changes to iOS and incorporates its own code to create a product that serves a transformative purpose.”
Apple, which had attempted to acquire Corellium in 2018, argued the firm had exhibited a “lack of good faith and fair dealing”. This, it said, is because Corellium deals with unspecified “bad actors” and does not require users to report bugs to Apple. Smith described this position as “puzzling, if not disingenuous”, noting Corellium’s stated vetting process for new accounts, and that Apple does not apply the same standard to its own bug bounty programme.
“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” he said.
Judge Smith deferred ruling on Apple’s second claim, which alleges Corellium violated the Digital Millennium Copyright Act by circumventing Apple’s security protections. Cupertino’s motion focuses on a handful of protections, including the secure boot chain that checks whether a device is running Apple-approved software; Pointer Authentication Codes (PAC), an ARMv8.3 hardware feature that cryptographically signs return addresses and other pointers so that memory-corruption exploits which tamper with them are detected; and an authorisation server which determines whether a given iOS build can be installed on a device.
Corellium countered that many of these protections are implemented at the hardware level within specific iOS devices, and therefore have no equivalent to circumvent in a virtualized environment. Furthermore, it said its instances are based on IPSW files that Apple leaves “unencrypted, unprotected, unlocked, and out in the open for the public to access, copy, edit, distribute, perform, and display.”
This ruling will likely have dramatic ramifications for the future of research on the iOS platform, and was welcomed by those in the security community. On Twitter, Will Strafach, CEO of the iOS firewall app Guardian, described it as “simply amazing” and “a very important precedent”.
Corellium was founded in 2017 by husband and wife team Amanda Gorton and Chris Wade.
David L Hecht, founder of Hecht Partners LLP and co-counsel for Corellium, told The Reg: “We are very pleased with the Court’s ruling on fair use and are proud of the strength and resolve that our clients at Corellium have displayed in this important battle. The Court affirmed the strong balance that fair use provides against the reach of copyright protection into other markets, which is a huge win for the security research industry in particular.” ®