Security Researchers Afraid to Use iPhone Virtualization Corellium After Apple Lawsuit

[MacRumors]

Security researchers are scared to use, buy, or even talk about iPhone emulation software Corellium after Apple levied a lawsuit against the company, reports Motherboard.

Apple in August 2019 filed a copyright infringement lawsuit against Corellium, a mobile device virtualization company that works with iOS. In the lawsuit, Apple claimed that Corellium had illegally replicated the operating system and apps that run on the iPhone and the iPad.

"Corellium has simply copied everything: the code, the graphical user interface, the icons - all of it, in exacting detail," reads Apple's lawsuit.

Corellium initially responded by suggesting that its software helps Apple by making it easier for security researchers to track down iOS bugs, but later said that Apple was waging war on jailbreaking and that the lawsuit should concern security researchers, jailbreakers, and app developers.

Though the legal battle between Apple and Corellium is ongoing, it has successfully scared people away from Corellium's software because Apple has sought information from companies that have used Corellium's software and those companies are afraid of retribution.

"Apple has created a chilling effect," a security researcher familiar with Corellium's product, who asked to remain anonymous because he wasn't allowed to talk to the press, told Motherboard.

"I don't know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible," the researcher added, referring to Apple's subpoena to the Spanish finance giant Santander Bank, which named an employee who had Tweeted about Corellium.

Some security researchers told Motherboard that they're afraid to use Corellium because of the possibility of retribution from Apple, while others refused to comment at all. One security researcher said he'd have a legal look into it if he needed Corellium's software, while another said he'd get legal advice before using it in the future.

Not all security researchers, however, are worried. One researcher, Elias Naur, told Motherboard that he uses Corellium to test code written in the Go language for iOS devices. With Corellium, he no longer needs to test on two old and broken iPhones.

Security researchers have complained that Apple's lawsuit against Corellium is about Apple wanting control over research done on iOS and the bugs that are found.

Apple is continuing to pursue the lawsuit, and on April 20, asked Chris Wade, Corellium's founder, for all documents and communications related to him obtaining valuable dev-fused or prototype iPhones, which are designed for internal testing but sometimes escape Apple's clutches. Wade has denied using dev-fused iPhones for the development of Corellium.

It remains unclear how the lawsuit will ultimately turn out, but Apple is successfully making researchers think twice about using Corellium's tools amid the legal dispute.

Article Link: Security Researchers Afraid to Use iPhone Virtualization Corellium After Apple Lawsuit

 

[now i see it]

They should be afraid. Very afraid.
Who in their right mind would want to get on the wrong side of the most powerful and tenacious law firm on earth?

 

[ingambe]

That's sad, security through obscurity is broken by design

 

[rp2011]

Something so amazingly fishy about Correlium. Especially with the DOD on their side.
And how is a company able to copy everything thousands of engineers and years of work conjure out of thin air like that?

 

[lkrupp]

That's sad, security through obscurity is broken by design

What on God’s green earth are you babbling about?

 

[tkukoc]

Not all security researchers, however, are worried. One researcher, Elias Naur, told Motherboard that he uses Corellium to test code written in the Go language for iOS devices. With Corellium, he no longer needs to test on two old and broken iPhones.

What a great comment! That alone just proves Apple's case. Lets emulate the OS so no one needs to purchase devices. I can test code.. sell my services..all thanks to someone else ripping off Apple.. oh but I didn't do anything wrong here. You have got to be kidding me.

 

[69Mustang]

They should be afraid. Very afraid.
Who in their right mind would want to get on the wrong side of the most powerful and tenacious law firm on earth?

"Powerful and tenacious? Meh"
-VirnetX.

On topic: This is going to be interesting to follow. With the US Gov't entering the fray I think popcorn needs to be added to my grocery list.

 

[luvbug]

So, a company copies all the code out of another company's product, which is covered by copyright and any number of software patents, for its own purposes (to make money), but claims to be doing no wrong/harm?

 

[m4mario]

Sue their pants off Apple, along with their boxers. Not only for the service, but the means with which they were able to replicate such a sophisticated OS is clearly criminal. Someone deserves to go to jail for this. Do not let them off the hook.

 

[jonblatho]

What a great comment! That alone just proves Apple's case. Lets emulate the OS so no one needs to purchase devices. I can test code.. sell my services..all thanks to someone else ripping off Apple.. oh but I didn't do anything wrong here. You have got to be kidding me.

Corellium doesn’t publicly list pricing; they have a “contact sales” button. There’s your first hint at how much it costs.

While I support Apple’s side of the lawsuit, this is probably one of the sillier arguments one can make in favor of it.

 

[Attirex]

I don't even play a lawyer on TV, but I'm pretty sure you can't copy someone's IP w/o their permission and then make money from it.....? Right? Bueller?

 

[Doctor Q]

It remains unclear how the lawsuit will ultimately turn out, but Apple is successfully making researchers think twice about using Corellium's tools amid the legal dispute.

In other words, Apple has already won. They've suppressed demand for the tools and thrown down the gauntlet about this type of (mis)use. The legal and financial outcomes may be less important to Apple than what they've already accomplished.

 

[Eorlas]

all of these comment should start with:

"IANAL, buuuut here's my uneducated opinion anyway"

 

[Kabeyun]

Forgive me but this doesn’t particularly seem to be news. Who’d want to invest resources into a product that probably won’t be around much longer?

 

[ingambe]

What on God’s green earth are you babbling about?

I'm talking about this: https://en.wikipedia.org/wiki/Security_through_obscurity

 

[goobot]

What a great comment! That alone just proves Apple's case. Lets emulate the OS so no one needs to purchase devices. I can test code.. sell my services..all thanks to someone else ripping off Apple.. oh but I didn't do anything wrong here. You have got to be kidding me.

The problem is you can’t copy and paste someone else’s code. In reality this does help apple tho allowing apps to work better as a whole on a platform they take a 30% cut of.

 

[Appleman3546]

If Apple loses this lawsuit however, the chilling effect could back fire on Apple and result in severe damages (plus a precedent permitting this behavior). This is a high risk v reward lawsuit. It reminds me of the lawsuit years ago that held jailbreaking your phone legal, which forced Apple to tighten security

 

[V_Man]

In other words, Apple has already won. They've suppressed demand for the tools and thrown down the gauntlet about this type of (mis)use. The legal and financial outcomes may be less important to Apple than what they've already accomplished.

The financial outcome is all that matters to Apple. As it should.

 

[1146331]

What on God’s green earth are you babbling about?

I see somebody that knows nothing about cyber security.

Time for some education: Security through obscurity: Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

In short: Apple wants to sue people who research their OS to keep their secrets proprietary, which means only black hat hackers would be the ones trying to break Apple products for nefarious purposes, compared to white-hat security people who actually want to make software more secure.

Apple doesn't care about security or privacy.
[automerge]1588725933[/automerge]

The financial outcome is all that matters to Apple. As it should.

When they get their asses sued off by the consumers [again], it will become their financial perogative.

 

[Tech198]

I don't blame them

 

[mannyvel]

This is a pretty obvious violation of Apple's iOS license. And it's pretty obvious that people are using this instead of devices for normal work, which is exactly why iOS has a license that prohibits you from using it in this way.

Really, the security angle is irrelevant. People could use, say, AWS Device Farm, to test their stuff. This is no different than dropping MacOS onto ESXi and selling access to it.

 

[b0fh]

Is amazon allowed to sell access to virtual machines running macOS without Apple's authorization?

If not, why is Cerillium claiming they can do so for iOS?

 

[DeepIn2U]

Sue their pants off Apple, along with their boxers. Not only for the service, but the means with which they were able to replicate such a sophisticated OS is clearly criminal. Someone deserves to go to jail for this. Do not let them off the hook.

Apple ... while you're at it .. please create an environment without Xcode for security researchers to test and continue to provide feedback of security holes.

 

[b0fh]

I see somebody that knows nothing about cyber security.

Time for some education: Security through obscurity: Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

In short: Apple wants to sue people who research their OS to keep their secrets proprietary, which means only black hat hackers would be the ones trying to break Apple products for nefarious purposes, compared to white-hat security people who actually want to make software more secure.

Apple doesn't care about security or privacy.
[automerge]1588725933[/automerge]

When they get their asses sued off by the consumers [again], it will become their financial perogative.

This is such a ******** argument. You can't scream *security security security* and then go pirate software.

 

[Aeiou321]

This is such a ******** argument. You can't scream *security security security* and then go pirate software.

Exactly! This case has nothing to do with the security researchers and everything to do with people stealing apple’s OS. You can argue that open source software has the potential of being more secure than closed source (note: potential, its not automatic) and I will be with you all the way there, but the fact is that iOS is closed source, and as such it is illegal for correlium to use it outside of an iPhone, let alone sell a product with it. Kinda a cut and dry case, imho. If memory serves me, too, Apple was impressed enough by correlium’s work that they offered to buy the company, which was declined. Only then did the lawsuits come. Seems like they should have taken the money when they could have.