Apple sues virtualization firm Corellium for selling iOS and iTunes knockoffs

Posted in General Discussion, edited August 15
Apple on Thursday filed a lawsuit claiming software virtualization firm Corellium, which markets its wares to security researchers, infringes on copyrights covering iOS, iTunes and other Apple assets.




Filed with the U.S. District Court for the Southern District of Florida, Apple's complaint takes issue with Corellium's mobile device virtualization solution, a product the tech giant claims infringes on various software copyrights. Apple says the suit is a "straightforward case of infringement of highly valuable copyrighted works."

"[ ... ] Corellium has simply copied everything: the code, the graphical user interface, the icons-- all of it, in exacting detail," the filing reads.

Corellium in its marketing materials advertises its virtualization product as a tool for developers ferreting out bugs, flaws and other vulnerabilities in software and hardware. Available on the web or as a $1 million-per-year "private" local installation, certain solutions present virtual versions of iOS devices running what Apple calls unauthorized copies of iOS.

Corellium itself touts the exacting detail of its product line. As noted in the filing, the firm recently presented its CORSEC product at the Black Hat conference in August, saying the software runs "real iOS -- with real bugs that have real exploits."

Apple does not license iOS, iTunes or its user interface technologies for use by Corellium.

The firm's tools enable users to create a virtual iOS device in the cloud. Customers first select a device to copy -- support includes iPads and current iPhone XR, XS and XS Max models -- then are asked to download a particular iOS build directly from Apple's servers. Corellium's platform subsequently displays a "fully functioning" replica device.

As users are able to make multiple copies of a virtual device and its underlying software, Apple believes Corellium's servers are illegally hosting numerous copies of iOS. Alleged infringement also includes iTunes.

The company does not appear to make efforts to limit its products to research and testing, nor does it require users to disclose discovered vulnerabilities to Apple, the filing notes.

Apple asserts two claims of direct federal copyright infringement for computer software and graphical user interface elements, and one claim for contributory federal copyright infringement targeting users of Corellium's products.

Apple seeks an injunction that prohibits sale and access to Corellium products, an order to return owned intellectual property, destruction or impounding of infringing materials, damages and court fees.

Comments

  • Reply 1 of 12
    This doesn’t look good for Corellium. Looks like Apple has drawn a line in the sand on what third party tools it will allow to “crack” iOS devices.
  • Reply 2 of 12
    AppleExposed Posts: 1,503 unconfirmed, member
    Android and GooglePlay next.

    Then Huawei's knockoff Apple Stores and knockoff Airpods.

    (I wish)
  • Reply 3 of 12
    coolfactor Posts: 1,531 member

    I'm confused by this part:

    Customers first select a device to copy — support includes iPads and current iPhone XR, XS and XS Max models — then are asked to download a particular iOS build directly from Apple's servers. Corellium's platform subsequently displays a "fully functioning" replica device. 

    How are these iOS builds available directly from Apple's servers without authorization? Are they using developer credentials of some form?



  • Reply 4 of 12
    macxpress Posts: 4,968 member

    I'm confused by this part:

    Customers first select a device to copy — support includes iPads and current iPhone XR, XS and XS Max models — then are asked to download a particular iOS build directly from Apple's servers. Corellium's platform subsequently displays a "fully functioning" replica device. 

    How are these iOS builds available directly from Apple's servers without authorization? Are they using developer credentials of some form?



    You can directly download iOS from Apple servers if you know the direct URL. Here are the ones for iOS 12.4 for example: http://osxdaily.com/2019/07/22/ios-12-4-update-for-iphone-ipad-available-to-download-ipsw-links/
    edited August 15
  • Reply 5 of 12

    I'm confused by this part:

    Customers first select a device to copy — support includes iPads and current iPhone XR, XS and XS Max models — then are asked to download a particular iOS build directly from Apple's servers. Corellium's platform subsequently displays a "fully functioning" replica device. 

    How are these iOS builds available directly from Apple's servers without authorization? Are they using developer credentials of some form?



    Just a guess on my part mind you... But I suspect that by emulating a real iOS device, they set it up to make Apple's servers think it was a legitimate device looking for a software update, or even being factory reset.
  • Reply 6 of 12
    macxpress said:

    I'm confused by this part:

    Customers first select a device to copy — support includes iPads and current iPhone XR, XS and XS Max models — then are asked to download a particular iOS build directly from Apple's servers. Corellium's platform subsequently displays a "fully functioning" replica device. 

    How are these iOS builds available directly from Apple's servers without authorization? Are they using developer credentials of some form?



    You can directly download iOS from Apple servers if you know the direct URL. Here are the ones for iOS 12.4 for example: http://osxdaily.com/2019/07/22/ios-12-4-update-for-iphone-ipad-available-to-download-ipsw-links/
    Yes, that would be even easier.
  • Reply 7 of 12
    I have a feeling Corellium doesn’t sell to developers as they claim.  Apple has their own tools for developers, obviously debugging apps would be included.

    I doubt the vast majority of security researchers could afford 1 million/year.  But, criminal organizations could...

    Alternatively, it sounds like the perfect tool for governments to find iOS bugs for cyber warfare purposes.

    Apple has the right, and is right, to stamp this practice/company out.

    .... I want to see Corellium’s customer list.  Red flags are @#$& everywhere...

    To make this legitimate:
    #1 Corellium needs Apple’s permission/licensing 
    #2 Apple needs to approve potential customers 
    #3 All bugs found need to be reported to Apple, to be stamped out

    Google’s Project Zero would be a legitimate customer, but I’m sure Apple has their own relationship with them.  I can’t really see a reason why Apple would allow third parties (like Corellium) to be involved.


  • Reply 8 of 12
    dysamoria Posts: 2,283 member
    I read the article, not the filing. What’s being copied? What’s being stolen? It sounds like they’re using iOS on... emulated hardware??
  • Reply 9 of 12
    dysamoria said:
    I read the article, not the filing. What’s being copied? What’s being stolen? It sounds like they’re using iOS on... emulated hardware??

    Exactly. And Apple hasn't licensed them to do so.
  • Reply 10 of 12
    I have a feeling Corellium doesn’t sell to developers as they claim.  Apple has their own tools for developers, obviously debugging apps would be included.

    While Apple includes some very basic tools in Xcode, testing needs go way beyond this. Xcode is just a development tool, the market. Testing is far more than debugging.

    Developers want to be able to integrate automated regression testing of both web sites and web applications (as accessed from various iOS devices and iOS versions), as well as cross-platform applications, in their CI systems.

    While most development tools contain some basic testing functionality (at least if you include unit tests here), there is a huge market for testing software, experts and solutions. Xcode does not cover all needs.
  • Reply 11 of 12
    xyzzy01 said:
    I have a feeling Corellium doesn’t sell to developers as they claim.  Apple has their own tools for developers, obviously debugging apps would be included.

    While Apple includes some very basic tools in Xcode, testing needs go way beyond this. Xcode is just a development tool, the market. Testing is far more than debugging.

    Developers want to be able to integrate automated regression testing of both web sites and web applications (as accessed from various iOS devices and iOS versions), as well as cross-platform applications, in their CI systems.

    While most development tools contain some basic testing functionality (at least if you include unit tests here), there is a huge market for testing software, experts and solutions. Xcode does not cover all needs.
    If this was Android you’d have a stronger argument.  The vast majority of iOS users are using the current version or one version previous.  It’s easy enough to put a disclaimer saying which versions are supported.  Most people would look at that and just upgrade their iOS...

    I also haven’t seen many broken apps (after the 32/64 bit switchover) when Apple pushes out a new iOS version.

    Having a handful of iOS devices with different versions seems much cheaper than 1 million/year...

    Visual Studio has an iOS Simulator... not the same thing, but there are options.

    Most companies like to brag about their customers and partners... I found nothing like that on Corellium website.  Apple is right to go after them to protect their interests.


  • Reply 12 of 12
    dysamoria Posts: 2,283 member
    xyzzy01 said:
    dysamoria said:
    I read the article, not the filing. What’s being copied? What’s being stolen? It sounds like they’re using iOS on... emulated hardware??

    Exactly. And Apple hasn't licensed them to do so.
    But what is claimed as stolen or as being copied??