Corellium Accuses Apple of Using Lawsuit to 'Crack Down on Jailbreaking'

[Jake James]

No, they're not. Period. Never have been.

Are Hackintosh Computers Legal? – The LockerGnome Daily Report

lockergnome.com

They are as long as you download macOS from Apple's website and don't sell them. So is jailbreaking. How do you explain the legality of jailbreaking when it's clearly a breach of the EULA?

 

[TiggrToo]

They are as long as you download macOS from Apple's website and don't sell them. So is jailbreaking. How do you explain the legality of jailbreaking when it's clearly a breach of the EULA?

Well let's look at this for a second. When you jailbreak a device you're still running it on your own device. So, that part of the EULA is satisfied.

Next?

 

[Bgosh]

As I said, an EULA can be enforcable if they're basically restating another law, but if not, they can't. Should I say it again? Jailbreaking is against the EULA but legal. One example proving that companies cannot put whatever they want in the EULA and sue someone for breaking it.

??? All I am saying is this is muddied water, should I say it again? There are far too many variables in how the court could interpret what each party is alleging. I'm not commenting on Corellium's actions being legal or not legal. That's for the court to determine.

 

[Jake James]

You really need to read the court documents to understand the nuance of this case, instead of jumping on board with whatever appeal-to-emotion debate tactic Corellium keeps feeding to the community. Please read the following paragraphs and I'd urge you to read the whole document in its entirety at some point.

"Contrary to its lofty rhetoric, Corellium in fact sells Apple’s technology and the ability to circumvent the security measures embedded in that technology for its own profit, and makes no effort to ensure its customers are engaged solely in good-faith security research. Instead, Corellium is selling a product for profit, using unauthorized copies of Apple’s proprietary software, that it avowedly intends to be used for any purpose, without limitation, including for the sale of software exploits on the open market."

"Corellium has created and is creating and distributing reproductions of, and is creating derivative works based upon, Apple’s iOS, iTunes, and GUI Elements, each of which are separate, independent protected works under the Copyright Act. In fact, Corellium has admitted the Corellium Apple Product makes modifications to iOS that allows it to be installed on, and run from, Corellium-developed or Corellium-operated hardware."
(Case 9:19-cv-81160-RS Document 56)

Yes that is wrong.
- They're not distributing iOS. There's no "download our modified iOS" button anywhere
- they're not creating replicas of iTunes or GUI elements. They're taking the real versions from Apple's website and installing it in their hardware.
- making modifications to iOS isn't illegal. Jailbreaking isn't illegal, just an EULA breach
- installing iOS in non-Apple hardware isn't illegal. Hackintoshing isn't illega, just an EULA breach.
[automerge]1578001549[/automerge]

Well let's look at this for a second. When you jailbreak a device you're still running it on your own device. So, that part of the EULA is satisfied.

Next?

The EULA states that you're prohibited from modifying iOS, your own device or not. There's no arguing if jailbreaking is against the EULA or not, it is.
[automerge]1578001598[/automerge]

??? All I am saying is this is muddied water, should I say it again? There are far too many variables in how the court could interpret what each party is alleging. I'm not commenting on Corellium's actions being legal or not legal. That's for the court to determine.

I'm just giving my opinions. I'm aware none of this will affect the court's opinions.

 

[bytesynthesis]

Yes that is wrong.
- They're not distributing iOS. There's no "download our modified iOS" button anywhere
- they're not creating replicas of iTunes or GUI elements. They're taking the real versions from Apple's website and installing it in their hardware.
- making modifications to iOS isn't illegal. Jailbreaking isn't illegal, just an EULA breach

Well there you have it everyone. "Jake James", self-described jailbreaker, says it's not illegal to misuse Apple's software for profit and the lawyers are all wrong. Case closed! 😂

 

[Jake James]

Well there you have it everyone. "Jake James", self-described jailbreaker, says it's not illegal to misuse Apple's software for profit and the lawyers are all wrong. Case closed! 😂

It depends on what "misuse" means. If it includes redistribution, replication or another broken law, it's illegal. But if "misuse" refers to software that *depends* on Apple software to work but does not *directly* redistribute Apple software or copies Apple's software, then it's not. Apple's arguments are biased.

 

[Bgosh]

I'm just giving my opinions. I'm aware none of this will affect the court's opinions.

Gotcha. I'm very curious to see how far this ends up going. IIRC the last DMCA related case that went to the supreme court was the safe harbor case and was denied a hearing.

 

[sracer]

So here's the deal: do we want our phones to be secure or not? If we want them to be uncrackable, then we should support Apple on this lawsuit. If we really want to jailbreak them (for what?), then we are giving up security. Cant have both.

I'm not following the logic here. Making jailbreaking illegal is not going to make iOS devices uncrackable. It simply means that jailbreakers will go even further underground and the exploits they found and use to be less noticeable. That's great for Apple to be able to perpetuate their security marketing but not so great for consumers who will be less secure than they think.

 

[bytesynthesis]

It depends on what "misuse" means. If it includes redistribution, replication or another broken law, it's illegal. But if "misuse" refers to software that *depends* on Apple software to work but does not *directly* redistribute Apple software or copies Apple's software, then it's not. Apple's arguments are biased.

Seems that you're now relying on debating semantics and you've already had your mind made up before the discussion started. I already asked you to read the court documents, but you've got a personal investment in jailbreaking which prevents you from seeing the case for what it is.

Apple already addressed many of your points in the filing, but looks like you'd rather have an unauthorized third party with ties to offensive security firms to have the upper hand.

 

[Jake James]

Seems that you're now relying on debating semantics and you've already had your mind made up before the discussion started. I already asked you to read the court documents, but you've got a personal investment in jailbreaking which prevents you from seeing the case for what it is.

Apple already addressed many of your points in the filing, but looks like you'd rather have an unauthorized third party with ties to offensive security firms to have the upper hand.

Tell me where did they address my points? Talking about these

"- They're not distributing iOS. There's no "download our modified iOS" button anywhere
- they're not creating replicas of iTunes or GUI elements. They're taking the real versions from Apple's website and installing it in their hardware.
- making modifications to iOS isn't illegal. Jailbreaking isn't illegal, just an EULA breach"

> an unauthorized third party with ties to offensive security firms to have the upper hand

Corellium is only helping Apple. They have no intention on helping malware developers, Apple doesn't want to accept that.
[automerge]1578002810[/automerge]

I'm not following the logic here. Making jailbreaking illegal is not going to make iOS devices uncrackable. It simply means that jailbreakers will go even further underground and the exploits they found and use to be less noticeable. That's great for Apple to be able to perpetuate their security marketing but not so great for consumers who will be less secure than they think.

Exactly. Apple hates jailbreaking and Corellium helps jailbreaking. Solution, get rid of Corellium and in the process also tell the court jailbreaking is illegal, like some ignorant that has no clue what jailbreaking is. Apple doesn't care about people's security, they care about what people think of the security. Thus, security by obscurity! But they can't hide security issues with jailbreaks still being around.

 

[bytesynthesis]

Corellium is only helping Apple. They have no intention on helping malware developers, Apple doesn't want to accept that.

That's hilarious. Given the level of vitriol spewed against Apple, and how they're countersuing, it's dubious to claim they want to "help" them.

[automerge]1578003165[/automerge]

Exactly. Apple hates jailbreaking and Corellium helps jailbreaking. Solution, get rid of Corellium and in the process also tell the court jailbreaking is illegal, like some ignorant that has no clue what jailbreaking is. Apple doesn't care about people's security, they care about what people think of the security. Thus, security by obscurity! But they can't hide security issues with jailbreaks still being around.

Again, wrong. Per the court filing: "Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher. Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected. Apple’s programs include providing as much as $1 million per report through “bug bounty” programs."

 

[Jake James]

That's hilarious. Given the level of vitriol spewed against Apple, and how they're countersuing, it's dubious to claim they want to "help" them.

Sorry, should've said "they're helping Apple's security", Apple clearly doesn't want that when it goes against their "security by obscurity" principle. Corellium helps Apple's security for the better but it kind of does the opposite for their image. If jailbreaks keep happening they can't keep security bugs hidden and there will always be ignorants that say "oh iOS isn't secure because a jailbreak was released". Apple is choosing their image over actual security. If anything, jailbreaks force Apple to make security better. Remember that SockPuppet bug that got unpatched in 12.4? Had it not been for the jailbreak community it would've probably not been discovered until way later and for sure nobody would've made a big deal about it, the media would probably not even know that Apple did such a stupid mistake. But why does it matter if nobody knows about it? If people think is secure then it is, ah...
[automerge]1578003665[/automerge]

Again, wrong. Per the court filing: "Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher. Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected. Apple’s programs include providing as much as $1 million per report through “bug bounty” programs."

Sure, security research is good as long as nobody releases the security issues publicly. Try releasing a 0day or a jailbreak, then we'll see how much Apple appreciates your efforts. They pay big money and credit you but at what cost? "Don't talk about the bug with anyone until it becomes irrelevant in 3 months or so"

 

[bytesynthesis]

Had it not been for the jailbreak community it would've probably not been discovered until way later and for sure nobody would've made a big deal about it, the media would probably not even know that Apple did such a stupid mistake.

We're not talking about the jailbreak community as a whole. Apple already made it clear that it's not going after security researchers and even stated so in the lawsuit.

 

[Jake James]

We're not talking about the jailbreak community as a whole. Apple already made it clear that it's not going after security researchers and even stated so in the lawsuit.

I never said they're going after security researchers. I'm saying they're going after public jailbreaks. They pay researchers only so they don't release their bugs before they become irrelevant. If every researcher gave their bugs to Apple and never released a thing most people would assume iOS has a great security. "Apple patches security issues frequently. Jailbreaks aren't available for recent versions so security must be great." - the truth is different. More issues there are, better the security is! Always assume the amount of issues is huge. So more there are discovered, closer towards "no issues" we are. Jailbreaks pressure Apple into fixing the more bugs and faster. The end result for security is better. The only thing that changes is what people think of security, they think that more issues = bad.

 

[CarlJ]

I'm not related to Corellium, but I am a jailbreak developer (made numerous contributions to the unc0ver jailbreak) and being so Corellium is of concern to me.

Many jailbreak developers have gotten access to Corellium for free (as i said, they're not selling yet afaik). The Electra jailbreak for example is the jailbreak that benefitted the most as all testing was done in Corellium. It also has helped unc0ver.

So these developers are using Corellium to document security vulnerabilities and then turning all these vulnerabilities over to Apple? That would seem to be self-defeating, since jailbreaking relies on security vulnerabilities in order to gain access into iOS.

 

[bytesynthesis]

I never said they're going after security researchers. I'm saying they're going after public jailbreaks.

Huh? They're not going after public jailbreaks! They're going after an unauthorized third party trafficking their software. It has nothing to do with public jailbreaks. I feel like you severely misunderstand the case or you are choosing to purposefully ignore the reality.

 

[Jake James]

So these developers are using Corellium to document security vulnerabilities and then turning all these vulnerabilities over to Apple? That would seem to be self-defeating, since jailbreaking relies on security vulnerabilities in order to gain access into iOS.

Read the comment above yours. More issues are known, better the security is. Many people think the opposite is true and in fact that's the intuitive thinking. Apple wants to hide the issues from people. Jailbreaking does the opposite. It constantly shows people flaws in Apple's code.
[automerge]1578004842[/automerge]

Huh? They're not going after public jailbreaks! They're going after an unauthorized third party trafficking their software. It has nothing to do with public jailbreaks. I feel like you severely misunderstand the case or you are choosing to purposefully ignore the reality.

Yes it does. Their latest file literally says Corellium was used to develop an unlawful tool called unc0ver. They're saying jailbreaking is illegal. That's a blatant lie. And for the nth time, they're not trafficking their software. They're just providing people remote control to their computers that have installed in them virtualization software capable of running iOS.

 

[CarlJ]

iOS is available to download for free from Apple's website, they can't sell iOS even if they want to.

No. iOS is absolutely not available for free (and it's not available for sale at any price). It's available for no additional charge for the express purpose of running on genuine Apple hardware, as laid out in the license terms. That copy you download comes with very specific strings attached, it's not your's to do with as you please.
[automerge]1578005160[/automerge]

Read the comment above yours. More issues are known, better the security is. Many people think the opposite is true and in fact that's the intuitive thinking. Apple wants to hide the issues from people. Jailbreaking does the opposite. It constantly shows people flaws in Apple's code.

Thanks for explaining things I already know about "security through obscurity". None of what you said answers the question I asked - are these jailbreakers documenting security vulnerabilities and then turning all such vulnerabilities over to Apple? If the concern is truly security, that would be the proper course of action.

 

[Jake James]

No. iOS is absolutely not available for free (and it's not available for sale at any price). It's available for no additional charge for the express purpose of running on genuine Apple hardware, as laid out in the license terms. That copy you download comes with very specific strings attached, it's not your's to do with as you please.

But it so happens to be available on Apple's website. The EULA is not a legal contract, breaking it isn't illegal. Just like jailbreaking isn't illegal but also against the EULA.

 

[TiggrToo]

Read the comment above yours. More issues are known, better the security is. Many people think the opposite is true and in fact that's the intuitive thinking. Apple wants to hide the issues from people. Jailbreaking does the opposite. It constantly shows people flaws in Apple's code.
[automerge]1578004842[/automerge]


Yes it does. Their latest file literally says Corellium was used to develop an unlawful tool called unc0ver. They're saying jailbreaking is illegal. That's a blatant lie. And for the nth time, they're not trafficking their software. They're just providing people remote control to their computers that have installed in them virtualization software capable of running iOS.

How so? When was the last time someone managed a jailbreak on a recent device using a current version of the OS?

All the recent jailbreak have been against older OSs and phones.

If it were up to jailbreaking alone, the current iPhone models running 13.3 are rock solid secure.

Your argument is without merit, and biased due to your stated hobby.
[automerge]1578005398[/automerge]

But it so happens to be available on Apple's website. The EULA is not a legal contract, breaking it isn't illegal. Just like jailbreaking isn't illegal but also against the EULA.

You keep saying that, yet the Pystar case AND appeal found that it was very much legally enforceable.

 

[Jake James]

Thanks for explaining things I already know about "security through obscurity". None of what you said answers the question I asked - are these jailbreakers documenting security vulnerabilities and then turning all such vulnerabilities over to Apple? If the concern is truly security, that would be the proper course of action.

What I am saying is that jailbreaking gives people the impression that iOS is not secure, Apple doesn't want that. In reality, jailbreaking is a cause many people have for finding flaws in iOS, without jailbreaking there would be less bugs found which obviously means more bugs present in the current iOS. In response to "documenting security vulnerabilities and then turning all such vulnerabilities over to Apple?" - if a jailbreak is public, Apple can fix the bugs, whether we specifically give them the bugs or not. If you're saying responsible disclosure is the only good way to go in regards to security and full disclosure = bad and period, I don't agree with that and that's a completely different discussion.

 

[TiggrToo]

What I am saying is that jailbreaking gives people the impression that iOS is not secure, Apple doesn't want that. In reality, jailbreaking is a cause many people have for finding flaws in iOS, without jailbreaking there would be less bugs found which obviously means more bugs present in the current iOS. In response to "documenting security vulnerabilities and then turning all such vulnerabilities over to Apple?" - if a jailbreak is public, Apple can fix the bugs, whether we specifically give them the bugs or not. If you're saying responsible disclosure is the only good way to go in regards to security and full disclosure = bad and period, I don't agree with that and that's a completely different discussion.

Got any citations for these claims?

 

[Jake James]

How so? When was the last time someone managed a jailbreak on a recent device using a current version of the OS?

iOS 12.4 was jailbroken publicly for all devices except A12 when it was still the latest firmware. A12 support was added later on. checkra1n supports all devices except A12 and A13 on any iOS version.

Buuuut, not the latest devices! Doesn't matter. A7-A11 is still most of devices and people are concerned about it. When the 12.4 jailbreak was released everyone was going crazy blaming Apple for having bad security. Do you think Apple liked that? Of course not, it's bad reputation. The truth is had it not been for that jailbreak the bug would've probably persisted for a few more versions and nobody would've made a big deal about security because not much people (if any) would even know what stupid mistake Apple did. But what matters to security isn't what people think of it, but what it actually is.
[automerge]1578006462[/automerge]

Got any citations for these claims?

Which claims? That jailbreaking gives people one more reason to find bugs? Hmm where do I start? The first security issue on the first iPhone was released as part of a jailbreak. Pretty much all jailbreaks from the beginning until iOS 9.3.3 were developed by teams that found the bugs for the sole purpose of jailbreaking, evasi0n, Pangu, TaiG etc etc. The bugs would've probably stayed in iOS had it not been for the jailbreaks and their pressure. From iOS 10 jailbreaks started using bugs released by security researchers for intentions other than jailbreaking, but the post-exploitation techniques were still developed by developers in the jailbreak community. Yalu102's KPP and KTRR bypass, "kppless", "rootless", "pacless", CoreTrust bypasses. Had it not been for us constantly exposing flaws and workarounding or bypassing their mitigations, iOS's security would've been way worse, way worse!
[automerge]1578006562[/automerge]

You keep saying that, yet the Pystar case AND appeal found that it was very much legally enforceable.

And I also said that the EULA was enforcable in that specific case because what they did broke copyright laws.

 

[TiggrToo]

iOS 12.4 was jailbroken publicly for all devices except A12 when it was still the latest firmware. A12 support was added later on. checkra1n supports all devices except A12 and A13 on any iOS version.

Buuuut, not the latest devices! Doesn't matter. A7-A11 is still most of devices and people are concerned about it. When the 12.4 jailbreak was released everyone was going crazy blaming Apple for having bad security. Do you think Apple liked that? Of course not, it's bad reputation. The truth is had it not been for that jailbreak the bug would've probably persisted for a few more versions and nobody would've made a big deal about security because not much people (if any) would even know what stupid mistake Apple did. But what matters to security isn't what people think of it, but what it actually is.
[automerge]1578006462[/automerge]


Which claims? That jailbreaking gives people one more reason to find bugs? Hmm where do I start? The first security issue on the first iPhone was released as part of a jailbreak. Pretty much all jailbreaks from the beginning until iOS 9.3.3 were developed by teams that found the bugs for the sole purpose of jailbreaking, evasi0n, Pangu, TaiG etc etc. The bugs would've probably stayed in iOS had it not been for the jailbreaks and their pressure. From iOS 10 jailbreaks started using bugs released by security researchers for intentions other than jailbreaking, but the post-exploitation techniques were still developed by developers in the jailbreak community. Yalu102's KPP and KTRR bypass, "kppless", "rootless", "pacless", CoreTrust bypasses. Had it not been for us constantly exposing flaws and workarounding or bypassing their mitigations, iOS's security would've been way worse, way worse!

The claim for example that "jailbreaking gives people the impression that iOS is not secure".

What proof have you of this statement? Id warrent that you have no proof and that you just think this is the case.
[automerge]1578006811[/automerge]

iOS 12.4 was jailbroken publicly for all devices except A12 when it was still the latest firmware. A12 support was added later on. checkra1n supports all devices except A12 and A13 on any iOS version.

Buuuut, not the latest devices! Doesn't matter. A7-A11 is still most of devices and people are concerned about it. When the 12.4 jailbreak was released everyone was going crazy blaming Apple for having bad security. Do you think Apple liked that? Of course not, it's bad reputation. The truth is had it not been for that jailbreak the bug would've probably persisted for a few more versions and nobody would've made a big deal about security because not much people (if any) would even know what stupid mistake Apple did. But what matters to security isn't what people think of it, but what it actually is.
[automerge]1578006462[/automerge]


Which claims? That jailbreaking gives people one more reason to find bugs? Hmm where do I start? The first security issue on the first iPhone was released as part of a jailbreak. Pretty much all jailbreaks from the beginning until iOS 9.3.3 were developed by teams that found the bugs for the sole purpose of jailbreaking, evasi0n, Pangu, TaiG etc etc. The bugs would've probably stayed in iOS had it not been for the jailbreaks and their pressure. From iOS 10 jailbreaks started using bugs released by security researchers for intentions other than jailbreaking, but the post-exploitation techniques were still developed by developers in the jailbreak community. Yalu102's KPP and KTRR bypass, "kppless", "rootless", "pacless", CoreTrust bypasses. Had it not been for us constantly exposing flaws and workarounding or bypassing their mitigations, iOS's security would've been way worse, way worse!
[automerge]1578006562[/automerge]


And I also said that the EULA was enforcable in that specific case because what they did broke copyright laws.

What's the difference between taking licensed code and placing on a physical machine, and one that does the same virtually?

 

[Jake James]

The claim for example that "jailbreaking gives people the impression that iOS is not secure".

What proof have you of this statement? Id warrent that you have no proof and that you just think this is the case.

Look up the comments people made when the 12.4 jailbreak was released. Everyone going crazy and shouting at Apple. Look at the comments people made when checkm8 was released. Although its only use is jailbreaking and it's completely useless for malware, people assumed all A7-A11 devices were now doomed. Is it misinformation? Yes. Does Apple care? No. It's easier for them to make people happy rather than convince everyone they're misinformed.