Monday, December 30, 2019

Apple’s Filing Against Corellium and Jailbreaking

Amanda Gorton (MacRumors):

Apple’s latest filing against Corellium should give all security researchers, app developers, and jailbreakers reason to be concerned. The filing asserts that because Corellium “allows users to jailbreak” and “gave one or more Persons access… to develop software that can be used to jailbreak,” Corellium is “engaging in trafficking” in violation of the DMCA. In other words, Apple is asserting that anyone who provides a tool that allows other people to jailbreak, and anyone who assists in creating such a tool, is violating the DMCA.

[…]

Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device. For example, a recent analysis of the ToTok app revealed that an Apple-approved chat app was being used as a spying tool by the government of the United Arab Emirates, and according to the researchers behind this analysis, this work would not have been possible without a jailbreak.

The filing is available here (tweet).

Will Strafach:

in their most recent court filing, Apple has declared an all out war on jailbreaking.

they’ve actively decided that they will destroy the livelihoods of those who dare to help folks escape the walled garden.

Jamie Bishop:

Apple’s latest filing in the Corellium case is HORRIFYING.

It effectively will set a precedent which makes unsanctioned research of Apple products ILLEGAL.

[…]

I am SO unbelievably disappointed that Apple has declared war on the security scene.

They lost all those years ago with the DMCA exemption, but now they’ve decided to go after the researchers, the people keeping US safe.

Pwn All The Things:

If Apple won this case, not just Apple, but any platform company could sue any security researcher for publishing a tool to help with security research on their platform. The DMCA claim is a really extreme claim.

Miguel de Icaza:

“We are profiting from Apple’s IP for security” is not any different than “we are selling bootlegged DVDs of Star Wars for the sake of the children”

Of course, under capitalism rules, the next step is to offer more scenarios beyond security for the product - assorted virtualization workloads are the obvious next step. Then followed by tools to install iOS on non-Apple hardware. This is why Apple will fight this.

It seems like Corellium is probably legally in the wrong, at least with respect to the virtualization product. Apple also acted dishonorably towards them and is now trying to use the case to overreach and assert even more control.

Previously:

Update (2020-01-03): Kyle Wiens (Hacker News):

Despite a lack of apparent interest in enforcing their copyright to iOS software, in this specific case Apple has decided to exert control over iOS. And they’ve crossed a red line by invoking the most notorious statute in the US copyright act, section 1201. This is the very law that made it illegal for farmers to work on their tractors and for you to fix your refrigerator. It’s the same law that we’ve been whacking away at for years, getting exemptions from the US Copyright Office for fixing, jailbreaking, and performing security research on everything from smartwatches to automobiles.

[…]

In other words: Corellium sells a way to use iOS that works around the way Apple intended it to work. Apple knows that you can’t use Corellium’s software to create your own knock-off iPhone. But they can claim that Corellium’s software is illegal, and they might technically be right.

Update (2020-02-14): Pwn All The Things:

Notice how Apple defines “good-faith” research here. That for Corellium to be a “good-faith” org, it would have to require its users to turn over any security research directly to Apple. Otherwise it’s not “good faith”.

But, wait, it gets worse. Apple defines “good faith” as not only turning over all your research on their platform and also requiring that your customers turn over theirs, but they also reserve the right to just not ever pay for it if you do.

That’s the point. The lawsuit is about strategic control of the security market on iOS.

“Good faith” researchers are the ones who go cap in hand and beg Apple for permission to test and give Apple all their research at prices Apple decides (which might be $0, yolo)

J. A. Guerrero-Saade:

For iOS, Apple is betting the house on the walled garden / code signing / dev verification approach. Meaning exploits are that much more important in the attack chain. Once past initial checks, Apple’s unwillingness to actively check device integrity means attackers are king.

[…]

Claiming Corellium enables attackers undermines the fact that most defenders are being barred from researching this space while attackers have been doing just fine. Need is huge. Research enablers must be embraced and emboldened precisely to entice defenders to look.

Update (2020-02-24): Pwn All The Things:

Me: oh looks like this lawsuit is about Apple cornering the infosec research community on their platform

Lots of people: wow sounds like you’re overreacting

Apple: uses lawsuit as vehicle to subpoena random other security researchers

6 Comments RSS · Twitter

Apple just looks irrational and flat-footed against real threats. Apple needs more eyes on security, not less and this tweet thread I found just illustrates how badly they’ve screwed up.

https://twitter.com/juanandres_gs/status/1211864214903627778

202o is probably the year I totally turn off SIP and “roll my own” defenses against threats I actually encounter.

>“We are profiting from Apple’s IP for security” is not any different
>than “we are selling bootlegged DVDs of Star Wars for the sake of
>the children”

Of course it's different. IP laws exist because we think that they increase overall consumer welfare, not because there is some kind of natural law that makes intellectual property a fundamental human right. So it stands to reason that IP laws are misused when they cause net harm to consumer welfare. Which is very plainly the case when Apple prevents security research.

Niall O’Mara

I guess now that the long-running legal cases against Samsung and Qualcomm have ended there may be a large number of lawyers twiddling their thumbs.*

* This sentence is offered for amusement and in no way purports to be an accurate reflection of the legal department at Apple.

@Luka
Again with Miguel de Icaza! Sheesh! I cannot remember the last time I have read anything by him that I would agree with, nor have I found his arguments particularly well reasoned. No one is trying to sell bootleg iPhones here, this seems to be truly about providing solutions for testing vulnerabilities in iOS. Apple should have already been on the market with a solution for testers, but they were not and their current alternative does not seem particularly useful either.

Also, is breaking the EULA the same as infringing copyright? I also saw the DMCA being bandied about and citing a particularly draconian law is not going to win many favors, but congratulations on Apple for once again pushing an anti consumer narrative. At least they are consistent. Remember when Apple argued consumers jailbreaking their devices would bring down the cellular networks? That was good stuff! I suppose my main point is:
If Apple is solely arguing DMCA infringement, I will remain underwhelmed by their legal strategy. My opinion is the DMCA should be repealed. Traditional copyright would still apply to software infringement, some company could not simply steal your software code in its entirety, nor even appreciably significant chunks, so what is the downside here? Is Corellium shipping prebuilt iOS images? Even Mr de Icaza says no, so...this is purely a DMCA argument?

I bought an emulator on Android just last month or so. That's right, paid money for an emulator, whose sole purpose is to grant me a mechanism for playing commercial software in an unsupported manner. No ROMS are provided of course, it is up to me to either rip all my games (maybe legal, maybe not), download said personally owned games from a source that has already ripped them (possibly not legal but within the spirit of format shifting), or just go all in and download any game that happens to be available online (usually illegal). How can that emulator exist, for sale, in the USA? How can any emulator exist given Apple's complaints? Legal standing is emulators are legal, even if they can be used for illegal purposes.

Guess I am trying to figure out where the infringement occurs if the defendant is not providing the "illegally attained" code?

Sören Nils Kuklau

Of course it’s different. IP laws exist because we think that they increase overall consumer welfare, not because there is some kind of natural law that makes intellectual property a fundamental human right. So it stands to reason that IP laws are misused when they cause net harm to consumer welfare. Which is very plainly the case when Apple prevents security research.

How does that not apply to the Star Wars DVD as well? A case can be made that most companies and individuals involved have already profited handsomely from that movie, and that there’s more value provided to mankind by offering it to the public domain.

(Which, yeah. Disney’s recent string of acquisitions should never have passed antitrust, and having 40+ year-old movies under copyright is arguably a net loss for society.)

No one is trying to sell bootleg iPhones here, this seems to be truly about providing solutions for testing vulnerabilities in iOS.

Probably not bootleg iPhones, no. However, even though Corellium’s lawyers keep making the security testing argument, their marketing doesn’t. Their website doesn’t say a lot, but what little it does say is:

That’s no simulator.
MOBILE DEVICE VIRTUALIZATION:
THE FUTURE OF MOBILE DEVELOPMENT

They seem to be positioning it as an alternative to something like Xamarin Test Cloud / Visual Studio App Center. Except unlike Xamarin/Microsoft, they probably don’t want to buy a whole lot of Mac minis.

My guess is their lawyers saw a stronger case in re-positioning it as a security fight, but they never got around to updating their website.

Leave a Comment