Friday, August 16, 2019

Apple Files Lawsuit Against Corellium for iOS Virtualization

Juli Clover (Hacker News):

Apple today filed a lawsuit against Corellium, a mobile device virtualization company that supports iOS. Corellium describes itself as the “first and only platform” that offers iOS, Android, and Linux virtualization on ARM.

In the lawsuit, filed today in the Southern District of Florida, Apple accuses Corellium of copyright infringement for illegally replicating the operating system and applications that run on the iPhone and the iPad.


Apple says it does not want to encumber “good-faith security research” but instead is aiming to end Corellium’s “unlawful commercialization of Apple’s valuable copyrighted works.”

Thomas Brewster:

The startup is Corellium, first revealed by Forbes in February 2018, when the husband-and-wife founded company came out of stealth. Its product provides “virtualized” versions of iOS. For security researchers, such software-only versions of the Apple operating system are incredibly valuable. For instance, it’s possible to use Corellium to pause the operating system and analyze what’s happening at the code level. Some in the industry have called it “magic,” as it should help security researchers uncover vulnerabilities with greater ease and speed than having to work with a commercial iPhone.

Various sites have called this “iOS emulation,” but it sounds to me more like running iOS on commodity hardware (i.e. iOS Hackintoshes) and then selling online access to the virtual machines. This seems really useful but almost certainly violates Apple’s copyright and/or software license agreements.

See also: Apple v. Psystar.


Update (2019-08-19): Steve Troughton-Smith:

you have to download & install your own IPSW last time I tried, but I don’t know what advanced offerings they have for special customers.

If Corellium is only providing hardware that you install iOS on yourself, I would think they (but not the customer) would legally be in the clear. But that doesn’t seem to be what they’re doing.

Brendan Shanks:

A screenshot from the complaint shows a list of iOS versions, which they apparently download-on-demand. Legally feels shakier than requiring the user provide an IPSW

Lorenzo Franceschi-Bicchierai:

Matt Suiche, a well-known researcher who developed virtualization software in the past, tweeted: “Imagine what today's Cloud Computing landscape would look like if VMware had been sued by IBM or Microsoft back in 1998,” referring to the popular virtualization platform VMware. Daniel Cuthbert, who is on the Black Hat conference review board and a veteran of the infosec community, called it a “poor move” by Apple. Luca Todesco, a well-known iPhone hacker, said this lawsuit is akin to Apple pulling “a Sony,” in reference to the Japanese giant suing security researcher George “Geohot” Hotz, in 2011 for jailbreaking the Playstation 3.


The employee explained that the way Apple licenses its software, you can’t run a virtual version of MacOS on VMware or other virtualization platforms if it’s not running on a Mac computer. Corellium does something similar, but with iOS.

4 Comments RSS · Twitter

Man, Rene Ritchie never ceases to surprise me, which is comforting in a way. Frankly, you know if Apple says "X", then Rene is there to let us know why we are all better off.

I doubt Apple will lose, but I reiterate what @Lorenzo Franceschi-Bicchierai is stating. At some point, Apple has to be a positive change on the computing landscape. Apple really thinks they are successful because they actively fight its users over control of the platform. I think Apple is successful despite there iron rulership.

Ps The HBO simile Rene offers is particularly weak. People trying to find exploits in Apple products actually can only benefit Apple as they can then patch the holes. Does Apple sell virtualized instances for fuzzing? No, in fact, after 12 years, they are promising something "soon enough". Boo!

Sören Nils Kuklau

“Imagine what today’s Cloud Computing landscape would look like if VMware had been sued by IBM or Microsoft back in 1998,” referring to the popular virtualization platform VMware.

Yeah, but that analogy doesn’t really work. VMware didn’t include a pirated copy of Windows. It required you to have a proper Windows license (or, to have pirated it on your own).

That said, as a developer in a mostly non-Apple shop, I sympathize with the other side of the coin as well. If I were Apple, I’d offer special limited (e.g. “development use only”) licenses of macOS and iOS situation. Maybe make them $299, and provide a $100 discount if you own Apple hardware.

It’s a bit unclear to me just what Corellium did here. For example, the lawsuit states:

recreating with fastidious attention to detail not just the way the operating system and applications appear visually to bona fide purchasers, but also the underlying computer code.

That seems to be in stark contrast to what Steve Troughton-Smith, who suggests you can simply provide Apple’s IPSW. Did Corellium really “recreate” anything? Did they perhaps take Apple’s IPSWs and make some necessary adjustments (drivers, whathaveyou) to make them run on their virtualization environment?

You cannot really "properly license" iOS for testing, can you? Microsoft does not care if you use Windows on a Mac or Linux or another Windows box. In fact, Microsoft actually gives you free VMs to do testing.

Sören Nils Kuklau

You cannot really “properly license” iOS for testing, can you?

Exactly, you can’t. I think Apple should remedy that by offering such testing licenses (for cash).

Microsoft does not care if you use Windows on a Mac or Linux or another Windows box. In fact, Microsoft actually gives you free VMs to do testing.

Yes, but Microsoft largely isn’t in the business of selling Windows any more, nor in selling a hardware+software platform (with the exception of the Surface line-up). See also upgrades from Windows 7 to 10 being free for most users — that would never have happened in 1999, but MS isn’t in that era any more.

Apple, meanwhile, largely makes money selling hardware+software platforms (though services revenue is starting to change that). Thus, they’re not just going to give you a free iOS VM, unless they can figure out how to heavily lock it down to make it testing-only.

Leave a Comment