In a Major Victory for Security Researchers, Federal Court Rules That Virtual iOS Devices Are Not a Copyright Violation
When Amanda Gorton and Chris Wade founded Corellium in 2017, they brought to market the first emulation of virtual iPhones on desktop computers. This was a massive boon for security researchers hunting for vulnerabilities and bugs in Apple’s “walled garden” of software. Apple was very much not in favor of the idea, however, first attempting to buy the company out before eventually taking it to court in August 2019. Apple argued that Corellium’s use of its software constituted a copyright violation; a federal judge has disagreed, throwing the case out on the basis of the company’s software being a research tool that provides a net public safety benefit rather than an attempt at a competing product.
The ruling not only sets a major precedent for how Apple products can be used but also for general copyright law and the scope of fair use. It provides a building block for claims that tools meant to provide public benefit and improve an existing operating system cannot be considered copyright violations, so long as the creator is not attempting to directly compete with that product in the market. This benefit is likely limited to security researchers, however, as the judge’s ruling also noted the fact that only a small amount of people are positioned to make use of Corellium’s software. The software presents a stripped-down version of the iOS operating system meant specifically for security testing and that requires some specialized knowledge to operate.
Apple has yet to comment on the ruling. The hardware giant, which provides what is essentially one of the two viable mobile operating systems on the market, spent much of 2018 attempting to acquire Corellium for an undisclosed sum before resorting to the copyright violation lawsuit after talks broke down. Apple has claimed that Corellium’s software could be dangerous to the public if it fell into the wrong hands and that the company is not discriminating enough in the entities it partners with. Judge Rodney Smith referred to these claims as “disingenuous,” noting that Corellium is run by security researchers and has an established vetting process in place for customers.
Though Corellium is now in the clear in terms of fair use of iOS, Apple still has a pending claim that circumvention of its security measures constitutes a copyright violation under the Digital Millennium Copyright Act (DMCA). This charge will be examined separately in the coming months. Corellium is arguing that the DMCA should not apply as these measures are implemented at the hardware level, with prior DMCA rulings supporting the idea that the law cannot create new property rights.
Apple’s reputation for superior security is largely owed to its locked-down ecosystem, with tight restrictions on both what publishers can put on its app stores and what end users can do with their own devices — both under the threat of the sorts of copyright violations invoked in this case. While this “walled garden” system has proven to create fewer incidents than are seen with rival Android, it is far from infallible. Each year at least a handful of security issues seem to pop up on iOS. Two of the biggest in 2020 were the discovery of an exploit allowing apps to freely access the clipboard without notification (which became a significant component of the controversy surrounding TikTok), and a massive remote control exploit created by a bug in the Apple Wireless Direct Link (AWDL) protocol used to transfer all types of files (fortunately discovered by security researchers before it could be exploited).
Security researchers argue that Apple’s refusal to allow only select “bug hunters” inside the walls for testing purposes tilts the playing field, making it so that only outsiders with very deep pockets can afford to circumvent Apple’s security restrictions to do their own testing and probing. Those outsiders tend to be criminal groups, who care nothing of “copyright violations” and lead the pack in having the resources and motivation to do this sort of work. Zero-day vulnerabilities are thus more likely to be found by someone who will exploit them for profit than legitimate security researchers who will notify the company before the public gets wind of the issue. Apple may have fewer vulnerabilities overall, but a much greater likelihood that the serious ones will be hit upon by a threat actor before anyone else notices them.
Apple may want to frame it as nothing more than a copyright violation, but Corellium has some significant support from the broader community beyond security researchers. Forbes recently named it the “Cybersecurity Product of the Year” for 2020, citing its importance to app developers in ensuring that their products work properly and that they are able to find security issues before shipping. The fledgling company is also backed by Santander Bank and major intelligence contractor L3Harris Technologies, each of which was subpoenaed by Apple in the case.