iPhone Research Tool Sued by Apple Says It’s Just Like a PlayStation Emulator

A cybersecurity startup embroiled in a copyright lawsuit with Apple over a product that lets customers analyze the iPhone's operating system has fired back, saying its system is just like a video game emulator. It has called the suit a "blatant power grab."

On Monday, Corellium, a Florida-based startup that sells a system that allows customers to tinker with and analyze virtual versions of Apple’s mobile operating system iOS (but not devices themselves), as well as Google’s Android, filed a motion for summary judgment. In the filing, Corellium argues that its software does not infringe on Apple’s copyright as it does not contain any copyrighted code, nor was it made using any copyrighted material. Moreover, its lawyers argued, Corellium’s products are protected by fair use.

Corellium also accused Apple of inappropriately using copyright law to control what independent security researchers can do with their research on iPhones. When Apple sued Corellium in August of last year, Motherboard reported that the real reason behind the lawsuit was precisely that: an attempt to control the flourishing market for iOS vulnerabilities and exploits.

Besides security professionals, Motherboard viewed leaked marketing materials that show Corellium was courting customers with government security clearances, and the company’s filing says its customers work to protect U.S. citizens.

“Apple would love to be the fox guarding the hen house," Corellium wrote in its filing. "But, by operation of law, we are entitled to dig into and learn from the devices in our stores and the software programs that are made available online. By this lawsuit, Apple has asserted that within its bundle of rights is the right to keep security researchers out of its publicly available code."

“This is a blatant power grab and a purposeful attempt to secure a monopoly to prevent independent researchers from being able to hold Apple accountable and injure its reputation," the filing continues.

Corellium made the argument that its product is just like the infamous PlayStation emulator Virtual Game Station, made by Connectix, which allowed people to run PlayStation games on their PCs. Sony sued the company and lost the suit. Corellium also said the case of Google Books winning a lawsuit against authors that claimed the product was infringing their copyrights should be considered a favorable precedent. In both cases, according to Corellium, judges found that these products were a transformative use of the original works, and thus did not infringe on copyright.

“Like Connectix, Corellium has created an entirely new product through which iOS can be studied and tested in an entirely new environment,” the company argued. “Corellium has not created a clone of an Apple device; it has transformed the field of security research for mobile operating systems entirely.”

A Corellium lawyer declined to comment. The company’s founder, Chris Wade, did not respond to a request for comment.

Apple did not immediately respond to a request for comment.

Two copyright lawyers who reviewed the filing agreed that it makes strong arguments in favor of Corellium, but that it may not be enough to convince the judge at this stage of the lawsuit.

“Corellium does raise good points—its iOS emulator is highly transformative if the usage for security purposes is considered, and its product is unlikely to supplant the market for Apple’s own products,” Tom Dietrich, a senior attorney at the McArthur law firm in Los Angeles who specializes in intellectual property, told Motherboard.

According to Stan Adams, the deputy general counsel at the Center for Democracy and Technology, the relevant question in this case is whether Corellium used copyrighted material to develop its product, but the company “seems to deflect this question and instead focuses on the use of its product by researchers.”

Leaked marketing materials obtained by Motherboard show that the company was also courting customers with security clearance, and the lawsuit hints at government customers.

According to a partially redacted passage in the suit, some of its customers “use Corellium for highly socially-beneficial research that protects not only end users of mobile operating systems and applications but also the citizens of the United States.”

“Premium support is encouraged for any customers requiring security clearance,” the brochure explains, likely referring to security researchers, like Corellium’s customer Azimuth Security, who sell zero-day vulnerabilities and hacking tools to governments.

Corellium’s version of its product where the company ships special servers to customers (it also has a cloud offering) has two tiers: for a 24-core server the cost is $50,000, and $100,000 for a 60-core server, according to the brochure.

Any additional server costs $25,000 and $50,000 respectively. If customers want the module to analyze the Security Enclave Processor, or SEP, which is a key iPhone component that handles data encryption, that costs another $50,000 or $100,000 depending on the type of server they chose. For the iBoot module, the part of iOS responsible for ensuring a trusted boot of the operating system, there’s another extra $50,000 or $100,000. Premium support cost $50,000 in both cases.

In perhaps the most unexpected passage in the filing, Corellium cites a classic line from Spider-Man’s Uncle Ben:

“‘[W]ith great power there must also come—great responsibility!’ Apple has hundreds of millions of portable supercomputers in the pockets and homes of Americans,” the company wrote. “Many households have several of these devices, which, in addition to storing and sharing our personal data, have sensitive microphones and high definition cameras. We must ensure that our devices are secure.”

Corellium’s motion for summary judgement came on the same day as Apple’s own motion. In it, Apple argues that Corellium infringed the Digital Millennium Copyright Act’s anti-trafficking provisions by building and distributing a virtual replica of iOS.

“Corellium has responded to the operative Complaint in part by mounting a public relations campaign that mischaracterizes Apple’s claims, implying that through this action Apple seeks to outlaw security research, or impose liability on the development and sale of security exploits, or control all security research on its platform such that the fruits of that work can be provided or sold only to Apple,” the company wrote in its filing. “None of that is true.”

This story was updated to include information about Apple's own motion for summary judgment.

Subscribe to our new cybersecurity podcast, CYBER.