Apple loses copyright battle against iOS virtualization startup Corellium

Cal Jeffrey

In context: Corellium's co-founders were early pioneers in the jailbreaking scene. At a Black Hat conference last year, Corellium reps praised the software's ability to offer iOS replicas to anyone, including "foreign governments and commercial enterprises." Apple filed suit in August 2019, asking for the destruction of all infringing code and cash compensation.

On Tuesday, a US District Court in Fort Lauderdale shot down Apple's copyright claim against security software startup Corellium. The Cupertino tech giant took on the smaller company last year, filing a lawsuit alleging that it violated copyright law in creating an iOS virtualization system used to find security bugs in Apple's mobile operating system.

Apple's core argument was that Corellium had created a "virtual" iOS with the "sole function" being to run unlicensed copies of the operating system on non-Apple hardware. However, Judge Rodney Smith agreed with Corellium's defense, saying that the software it created was "transformative" enough to fall under fair use since its purpose was to help researchers find security flaws.

"While a transformative use is 'not absolutely necessary for a finding of fair use,'. . . transformative uses tend to favor a fair use finding because a transformative use is one that communicates something new and different from the original or expands its utility, thus serving copyright's overall objective of contributing to public knowledge."

Apple had countered that the fair use doctrine did not apply because Corellium sold the product for profit. However, since the software allows users to do things that iOS does not—namely, view and halt processes among other diagnostic functions—it is of little threat to Apple's IP and of greater benefit to the public, specifically Apple users.

Apple v. Corellium by GMG Editorial

"Corellium's profit motivation does not undermine its fair use defense, particularly considering the public benefit of the product," Judge Smith wrote in his opinion (above).

Cupertino lawyers had also claimed that Corellium had acted in "bad faith" since it did not require users purchasing the software to report bugs to Apple, and that its indiscriminate distribution opened the utility up to misuse by hackers. The judge called that claim "puzzling, if not disingenuous," citing Apple's own Bug Bounty Program as a case in point.

"Apple's position is puzzling, if not disingenuous. While Apple spends significant time in its papers faulting Corellium for not requiring users of the Corellium Product to report bugs found in iOS to Apple, Apple does not impose that requirement under its own Bug Bounty Program," Judge Smith wrote, adding, "As for Apple's contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes."

Despite the loss, the fight is not over. Judge Smith said that Apple is within its rights to pursue Corellium over unauthorized access when creating the software and selling a product that could be used to circumvent security measures, both of which fell outside the scope of this case.


 
The judge's position here is rather illogical, and likely to be overturned on appeal. Software copyright can be overridden by a third party's addition of a new feature? By that logic, I can copy Windows freely and resell it ... as long as I first add a widget or two to the interface.

I also found the judge's logic here suspect:

"Apple's position is puzzling, if not disingenuous. While Apple spends significant time in its papers faulting Corellium for not requiring users of the Corellium Product to report bugs found in iOS to Apple, Apple does not impose that requirement under its own [program]"

Apple's iOS is intended for a huge variety of uses having nothing to do with finding security bugs within itself. On the other hand, Corellium is claiming that finding security bugs in iOS is its product's entire raison d'être. They sell the software under the guise that it exists only for one purpose -- but don't require people to use it for that purpose?
 
The judge's position here is rather illogical, and likely to be overturned on appeal. Software copyright can be overridden by a third party's addition of a new feature? By that logic, I can copy Windows freely and resell it ... as long as I first add a widget or two to the interface.

I also found the judge's logic here suspect:

"Apple's position is puzzling, if not disingenuous. While Apple spends significant time in its papers faulting Corellium for not requiring users of the Corellium Product to report bugs found in iOS to Apple, Apple does not impose that requirement under its own [program]"

Apple's iOS is intended for a huge variety of uses having nothing to do with finding security bugs within itself. On the other hand, Corellium is claiming that finding security bugs in iOS is its product's entire raison d'être. They sell the software under the guise that it exists only for one purpose -- but don't require people to use it for that purpose?

You missed your calling as a judge, clearly you know the law better apparently.

They are not selling iOS, it's a free download from Apple as you can read in the linked court transcript. They sell a virtual environment that runs the stock unmodified iOS.
 
If they don't want their os to be virtualized they can try to lock it with the hardware which they also control and not to try to render the virtualization technology illegal in general.

Anyway their phones are mostly the women which they buy them just because they like the logo of the "bitten" apple...
 
Amen to a judge who remembers that copyright is a tradeoff made in pursuit of bettering the arts and sciences, not a property right.

Copyright holders should be able to sell their work. They should not necessarily be able to leverage that into controlling the entire world around their work, which it seems like too many are trying.

re: the Windows example above, no you could not copy Windows freely by adding a widget, nor does it sound like Corellium copies iOS. The iOS copy must come from the user. But you could and should be able to sell say keyboards that connect to a PC that might run Windows, and should not be extorted into having to pay Microsoft over a "copyright violation" to do so.
 
They are not selling iOS, it's a free download from Apple as you can read in the linked court transcript. They sell a virtual environment that runs the stock unmodified iOS.

How did they do it with iOS's very strict hardware and software control? If they can patch iOS to run on virtual environments then somebody will come with a version that runs on an Android device hardware.
 
Can you virtualize Windows activation and sell that too now? As long as your virtualization software isn’t distributing Windows, right?
 
You missed your calling as a judge, clearly you know the law better apparently.
In this case, it's a definite possibility, as federal judges don't specialize in any particular branch of law, Judge Rodney Smith's prior experience to becoming a district judge last year was primarily criminal law, and the one branch of law with which I do have a certain degree of experience is IP.

However, your ad hominem attack aside, the judge and I aren't disagreeing on any point of law. His legal theory is sound; the disagreement lies on technical matters: the analysis that the transformative factor of Corellium's product is sufficient to override the commercial copyright infringement claim. The judge bases his decision largely on Corellium's restricting their product to "valid" uses:

"For [sales] Corellium has a vetting process...the process begins with an initial evaluation. This analysis takes several factors into consideration, including whether the inquiry came from an enterprise account or from an individual account (e.g., a Gmail account). Corellium also considers the nature of the content of the inquiry and whether it comports with Corellium’s intended use for its product. For example, if the inquiry requests the ability to run iOS on an Android mobile device, Corellium discards it. Similarly, if there are red flags based on the identity of a putative customer (e.g., someone involved with unlawful activity) or based on the geographic origins of the request, Corellium does not engage..."


In other words, the judge relies upon Corellium to restrict uses of its product that would clearly invalidate it receiving a fair use copyright exemption. Corellium can certainly make this claim for its cloud service. However, the ruling asserts:

"Corellium does not have the same control over the on-premises version of the [product]; there is no way to even know where the product is after it has been shipped from Corellium, and customers are not required to keep the product in a particular location upon sale. Instead, Corellium asserts that it relies on the legal enforcement of licensing or end user agreements to ensure that its customers comply..."

In other words, once the product leaves Corellium's hands, they have no ability whatsoever to control the product's usage. Some of those customers undoubtedly will use the product to create software to exploit security holes to the detriment of both Apple and Apple customers, as well as to create hacks allowing iOS to be used in ways which clearly violate the fair use exemption.

They are not selling iOS, it's a free download from Apple
I never stated they did. They sell their own product, which uses Apple's copyrighted materials.
 