Apple's lawsuit against Corellium has been partly thrown out

Greg Kumparak

Back in August of last year Apple filed a lawsuit against the virtualization software company Corellium, arguing that the product infringed its copyright and later adding claims that Corellium's product violates the DMCA.

While the DMCA claims will still need to be settled in court, a judge in Florida has tossed out Apple's copyright claims.

So what is Corellium? To oversimplify, Corellium allows security researchers to spin up a virtualized ARM device (including iOS devices) in a browser and take a deep look under the hood to discover potential security bugs. As I wrote last year:

Corellium could allow, for example, a security researcher to quickly fire up a simulated iPhone and hunt for potential bugs. If one is discovered, they can quickly load up prior versions of iOS to see how long this bug has been around. If a bug “bricks” the virtual iOS device and renders it unusable, it’s a matter of just booting up a new one rather than obtaining a whole new phone. Virtualized devices can be paused, giving researchers a detailed look at its precise state at any given moment.

Writes Judge Rodney Smith in a docket filed this morning as first spotted by the Washington Post:

Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing. Further, weighing all the necessary factors, the Court finds that Corellium has met its burden of establishing fair use. Thus, its use of iOS in connection with the Corellium Product is permissible. On these grounds, Corellium’s Motion for Summary Judgment is granted on Apple’s copyright claim.

Smith cites Corellium's ability to do things like "(1) see and halt running processes; (2) modify the kernel; (3) use CoreTrace, a tool to view system calls; (4) use an app browser and a file browser; and (5) take live snapshots" as proof that the product is "not merely a repackaged version of iOS" and should be considered fair use.

Smith also notes repeatedly that this legal action comes after Apple considered acquiring Corellium.

Between January 2018 and the summer of 2018, the parties engaged in discussions regarding Apple’s potential acquisition of Corellium. During this time, the parties met in-person and telephonically. Corellium explained to Apple the technology behind the Corellium Product and how it works, and discussed Corellium’s business and intention to commercialize the Corellium Product.

And:

If Apple had acquired the Corellium Product, the product would have been used internally for testing and validation (that is, for verifying any system weaknesses and functioning of devices).

While this decision swipes away the copyright claims (potential appeals aside), there was no such swift judgement on the DMCA claims. Apple argues that Corellium is working around built-in authentications and security checks, whereas Corellium argues that such things are implemented at a hardware level and that the firmware it is dealing with (the iOS IPSW files) is “left unencrypted, unprotected, unlocked, and out in the open for the public to access, copy, edit, distribute, perform, and display.”