Apple this week filed a lawsuit against Corellium, a company that offers users a virtual replica of the iOS user experience from within a web browser. While Corellium touts its service as something of a security tool to better enable researchers to unearth serious vulnerabilities, Apple claims that Corellium’s underlying motive is to illegally profit off of Apple’s intellectual property.
To this point, Apple in its complaint argues that Corellium “encourages its users to sell any discovered information on the open market to the highest bidder.”
Apple’s complaint, which was published in its entirety by MacRumors, reads in part:
Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher. Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected. Apple’s programs include providing as much as $1 million per report through “bug bounty” programs.
Apple also makes a point of highlighting its recent decision to give security researchers customized iPhones with fewer security barriers so as to make it easier for serious exploits and bugs to be discovered. Ivan Krstic, Apple’s head of security and engineering, announced the new program at the Black Hat security conference earlier this month.
The complaint goes on to point out that Corellium allows users to virtually replicate the iOS user experience across a range of iPhone models. Once a user selects an iPhone model and a version of iOS, Corellium downloads it from Apple’s servers “and makes it available through Corellium’s virtual environment.” Consequently, Apple claims that Corellium’s servers currently host “numerous copies of iOS.”
As to the allegation that Corellium’s motives are far from pure, the complaint points to remarks made by company co-founder Chris Wade who, earlier in the year, said that Corellium customers who stumble across an iOS 12 exploit “might want to keep it to themselves because it will be worth a lot of money to a lot of people.” Further, the terms of Corellium’s user agreement do not require that unearthed exploits be reported to Apple.
“Corellium is indiscriminately marketing the Corellium Apple Product to any customer, including foreign governments and commercial enterprises,” the complaint notes. “Corellium is not selectively limiting its customers to only those with some socially beneficial purpose.”
In short, Apple argues that Corellium’s business is strictly a for-profit enterprise with no real concern regarding the discovery and patching of serious security flaws.
Apple’s complaint relays that the company is seeking a permanent injunction along with damages and attorney’s fees.