Apple in August filed a lawsuit against Corellium, a mobile device virtualization company that supports iOS, accusing it of copyright infringement for replicating the operating system that runs on the iPhone and iPad.
As noted by Motherboard, Corellium today filed its response to Apple’s lawsuit, accusing the Cupertino company of owing $300,000 and claiming that its software helps Apple by making it easier for security researchers to track down iOS bugs.
According to Apple, Corellium’s product infringes on its copyrights by creating digital replicas of iOS, iTunes, and other apps and software. “Corellium has simply copied everything: the code, the graphical user interface, the icons – all of it, in exacting detail,” reads Apple’s lawsuit.
Corellium designed its software to create virtual devices able to run iOS, and has encouraged researchers and hackers to use it to find and test vulnerabilities.
According to Corellium, Apple’s code in its product is “fair use” and the software makes the world better by allowing security researchers to look into iOS, find flaws, and inform Apple so the bugs can be fixed.
Corellium argues it’s easier for researchers to find and test bugs in iOS using virtual instances of iOS rather than physical devices. With this lawsuit, says Corellium, Apple is aiming to control who is allowed to find vulnerabilities in its software. This is a position that is also supported within the security community, according to Motherboard, and many security researchers were surprised by Apple’s initial lawsuit.
Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all.
One of Corellium’s key arguments is that its customers are seeking bugs with the intention of alerting Apple to their existence, which Motherboard points out is just an assumption and, based on evidence, not true. One customer highlighted in Corellium’s legal response, for example, is Azimuth, a company that does not report bugs to Apple.
Instead, Azimuth sells hacking tools based on those bugs to law enforcement and intelligence agencies in countries like the United States and Canada.
Corellium also argues that Apple has known about the company for years and has been friendly to Chris Wade, one of Corellium’s founders. Corellium says that Wade was invited to join Apple’s bug bounty program. Wade has since reported seven bugs to Apple without receiving payment, which is why Corellium argues that Apple owes $300,000.
Apple declined to provide Motherboard with a comment on Corellium’s legal response. Apple is continuing to seek a permanent injunction to prevent Corellium from offering a product that replicates iOS. Apple also wants Corellium to destroy all infringing materials that it’s collected, and pay Apple damages, lost profits, and attorney fees.