Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims

[MacRumors]

Back in December, Apple lost a copyright lawsuit against security research company Corellium, and today, Apple filed an appeal in that case, reports Reuters.

The judge in the copyright case determined that Corellium was operating under fair use terms and that its use of iOS was permissible, throwing out several of Apple's claims. For those unfamiliar with Corellium, the software is designed to replicate iOS exactly to allow security researchers to find bugs and vulnerabilities.

Apple claimed that Corellium illegally copied the iOS operating system and applications that run on the iPhone and iPad, and that it had violated the Digital Millennium Copyright Act by circumventing Apple's security measures.

Corellium argued that its software helps Apple by making it easier for security researchers to find flaws. Corellium also said that Apple was using its lawsuit to "crack down on jailbreaking" and that Apple's code in the product was fair use, which the judge agreed with.

Apple is appealing the verdict in this specific copyright lawsuit, which is separate from the settlement that Apple and Corellium reached earlier this month.

Apple and Corellium on August 10 settled a federal lawsuit that would have gone to trial on August 16, and this settlement was related to the DCMA claims. The terms of the settlement were confidential, and so far, Corellium is still selling its virtual iOS platform.

According to Reuters, security researchers are surprised that Apple has opted to revive its legal battle with Corellium after the settlement terms, and after Apple's Craig Federighi said that security researchers would serve as a check on its plans to scan iPhones and iPads for CSAM to make sure the scanning is limited to CSAM. Security researchers will be able to confirm that the database of images used to match CSAM content on user devices only consists of content from agencies like the National Center for Missing & Exploited Children.

Earlier today, Corellium said that it was launching an "Open Security Initiative" aimed at rewarding independent public research into mobile devices. Corellium's first focus is Apple's CSAM system and the company has called on security researchers to submit projects designed to validate "any security and privacy claims" from any mobile software vendor. Qualifying submissions will receive up to $5,000.

We applaud Apple's commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort. Our "jailbroken" virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.

It's possible that Apple's decision to revive the Corellium lawsuit is related to Corellium's announcement earlier today. In a statement, Corellium Chief Executive Amanda Gordon told Reuters that "enough is enough." "Apple can't pretend to hold itself accountable to the security research community while simultaneously trying to make that research illegal," she said.

Article Link: Apple Appeals Corellium Copyright Lawsuit Loss After Settling Other Claims

 

[TheYayAreaLiving 🎗️]

How is Apple staying committed?

Clearly shows Apple hates it when their platform gets the extra attention and when their security is being looked at.

 

[iModFrenzy]

I was really happy when they won last time, here’s hoping the judge chooses wisely. I side with apple on many things but this is one thing I disagree with. Corellium allows security researchers to find vulnerabilities which Apple definitely can benefit from. Even if the exploit gets in the wrong hands, apple can patch it. So either way they’ll win in the end.

 

[Shirasaki]

Apple really hates people peeking into their iOS dirty little secrets and ugly inside heh. ? Guess this is also part of the reason they don’t like jailbreak. Given general iOS software quality downgrade YOY, even if this seems only for copyright on the surface, those Apple execs prolly still reeling from other defeats.

 

[thadoggfather]

Check Apple CSAM claims, says Corellium, offering to pay - 9to5Mac

Corellium is offering to pay security researchers to check Apple CSAM claims, after concerns were raised about both privacy...

9to5mac.com

would this have anything to do with it, per chance?

 

[ratspg]

Apple, was, is, and will always be the king of secrecy.

 

[Da_Hood]

Do they at least pay royalties for this “fair use”. Whilst I appreciate their efforts, I don’t see a grounds for fair use. Like can you just steal a brand new car under the guise of testing vulnerabilities?

 

[Schismz]

How is Apple staying committed?

Clearly shows Apple hates it when their platform gets the extra attention and when their security is being looked at.

Hahahahaha. This should be entertaining. Plz pass popcorn.

 

[ian87w]

Okay Apple, your actions are becoming a joke now. You just talked high and mighyt about allowing security researchers to audit you, but then went lawsuit happy when they are trying to.

iOS15 is definitely a no go then for me. I have disabled auto download of ios update on my iPhone. My old Mac mini will be staying on Catalina.

This is really sad news for me, as I was actually someone who was starting to warm up to the Apple ecosystem.

 

[ian87w]

Apple, was, is, and will always be the king of secrecy.

And the king of secrecy is trying to be the moral police as well.

 

[LeadingHeat]

While Apple did say they are wanting security researchers to look into their software, I think I’d tend to agree with Apple here. This is a blatant copy-paste of their entire iOS operating system, which is the culmination of decades of work. Why can’t Corellium use the approved methods of the special iPhones given to other security researchers? This does seem like a flagrant foul to me on Corellium’s part.

 

[GMShadow]

While Apple did say they are wanting security researchers to look into their software, I think I’d tend to agree with Apple here. This is a blatant copy-paste of their entire iOS operating system, which is the culmination of decades of work. Why can’t Corellium use the approved methods of the special iPhones given to other security researchers? This does seem like a flagrant foul to me on Corellium’s part.

Most researchers say that Apple’s special phones aren’t enough for a true examination.

 

[turbineseaplane]

So do you want security researchers auditing your efforts or not Apple?

Pick a side

 

[pankajdoharey]

Apple really hates people peeking into their iOS dirty little secrets and ugly inside heh. ? Guess this is also part of the reason they don’t like jailbreak. Given general iOS software quality downgrade YOY, even if this seems only for copyright on the surface, those Apple execs prolly still reeling from other defeats.

A bIg reason why Apple doesnt like Jail Breaking is because of Piracy of Apps of third party stores like cydia. Apple App store is a big cash cow, just by selling others games on app store, Apple is the biggest game developer in the world. No Wonder Epic is fighting them.

 

[rodriguise]

Do they at least pay royalties for this “fair use”. Whilst I appreciate their efforts, I don’t see a grounds for fair use. Like can you just steal a brand new car under the guise of testing vulnerabilities?

That would be false equivalence. What Corellium is doing is literally the de facto example from the Ninth Circuit.

 

[ratspg]

And the king of secrecy is trying to be the moral police as well.

Exactly right! SMH.

 

[altaic]

On one hand, I like that Corellium is pressuring Apple to make good on its privacy promises. OTOH, how long until Corellium’s top clients are govt agencies and black hats? Security research is a double edged sword and can create a dangerous arms race.

Furthermore, WRT the CSAM scanning, since these devices are totally rooted, the neuralhash algorithm and parameters can be reverse engineered. Corellium or not, it’ll only be a matter of time before black hats create tools to cause undetectable (i.e. deep faked) perceptual hash collisions, weaponizing the system. SMH.

 

[Wildkraut]

They fears that Corellium finds more (yet undiscovered) in their CSAM mass surveillance scanning.

 

[MuppetGate]

On one hand, I like that Corellium is pressuring Apple to make good on its privacy promises. OTOH, how long until Corellium’s top clients are govt agencies and black hats? Security research is a double edged sword and can create a dangerous arms race.

Furthermore, WRT the CSAM scanning, since these devices are totally rooted, the neuralhash algorithm and parameters can be reverse engineered. Corellium or not, it’ll only be a matter of time before black hats create tools to cause undetectable (i.e. deep faked) perceptual hash collisions, weaponizing the system. SMH.

So perhaps it might’ve been a better idea to not build a backdoor into the OS in the first place?

if you’re right, then this would mean that Apple is relying on obscurity to keep their CSAM scanner secure. That’s a bad move.

Now, look at Facebook, who open-sourced their CSAM scanner to get as many experts involved as possible.

Yes, I did say Facebook.

Facebook open-sources algorithms for detecting child exploitation and terrorism imagery

Crowdsourcing a better solution to disturbing photos and videos

www.theverge.com

 

[Shirasaki]

A bIg reason why Apple doesnt like Jail Breaking is because of Piracy of Apps of third party stores like cydia. Apple App store is a big cash cow, just by selling others games on app store, Apple is the biggest game developer in the world. No Wonder Epic is fighting them.

There’s other ways to address piracy issue thanks to tight integration. This can be the reason, but not really the biggest contributor.

 

[Marshall73]

Apple have to appeal. The judge just opened the door to any company or individual taking iOS and running it in a virtual environment or anywhere else, without any agreement or control from Apple, as long as that company says, “it’s for security reasons”.

 

[mannyvel]

Corellium's CEO has been drinking her own cool aid.

I mean, Corellium are parasites; they exist by living off the caracass created by others. They have created nothing of value, really. She's trying to make them sound like the gatekeepers of security. They are no such thing. If they want to be that, they should go harden Android.

 

[Realityck]

A comment of interest from Appleinsider article has this explained

per Ericthehalf

The most reasonable explanation is there’s a time limit on the appeal or some other procedural
matter that happened to coincide with this announcement. Or, more likely, Corelliums lawyers knew there was a deadline and made their announcement to coincide with it to try and make Apple look petty.

But hey, you do you.

Updated: Knew it. The final judgement was only just published today (December was a summary judgment) so the timing has nothing to do with Corellium and everything to do with the final judgement.

 

[AndiG]

CSAM is only Apples first step into a complete surveillance OS. This can be proofed by the fact that the current local scanning introduced with iOS15 is completely useless and could easily be done cloud only.

The only valid question is about what Apple plans to do with its local scanning software in the future. So there is more to come. Local scanning software also implemented in macOS? Usage of Apple scanning software mandatory for all Apps?
Apple started as an underdog, fighting big and evil IBM long time ago. Now it looks like Apple became evil, too. Is this was Steve had in mind? Guess not.

Tim Cook should step back - btw all those old „evangelists“ should retire. Apple needs fresh people and fresh ideas. A rotten Apple doesn‘t taste well.

 

[altaic]

So perhaps it might’ve been a better idea to not build a backdoor into the OS in the first place?

if you’re right, then this would mean that Apple is relying on obscurity to keep their CSAM scanner secure. That’s a bad move.

Now, look at Facebook, who open-sourced their CSAM scanner to get as many experts involved as possible.

Yes, I did say Facebook.

Facebook open-sources algorithms for detecting child exploitation and terrorism imagery

Crowdsourcing a better solution to disturbing photos and videos

www.theverge.com

I’m not sure why you’re attacking me. I made it pretty clear that I think that Apple is opening an enormous can of worms. Some people stand on the shoulders of giants, and some people slip on worms.

That said, I’m very concerned that in lashing out at me you have ulterior motives. I generally agreed with your other comments, but your diatribe indicates that there may be something else going on.

Edit: I will add that every system widely used “relies” to some extent on security by obscurity. There is an alternative, where the entire system is proven correct (with the caveat that you have read Gödel Escher Bach). Writing provable software (and hardware; check out Clash, a Haskell domain specific language) is something that is gaining traction, but it will be many years before that is a general expectation (and therefore widely funded). Apple furthered this by perhaps a decade by funding the LLVM project and hiring Chris Latimer (not because LLVM directly made compilation provable, but because it made compilation more easily analyzable [and therefore more easily provable]).

TLDR, we’re making progress, but most “coders” are not computer scientists or even engineers (even at Apple and Google), and provably correct software or hardware is still mostly, and unfortunately, academic.