Apple reopens legal fight against security firm Corellium, raising concerns for ethical hackers

Apple has reignited a legal battle with Corellium, days after settling an ongoing lawsuit against the security firm for providing security researchers with a virtual environment that recreates its operating system.

Apple on Tuesday filed an appeal of a December ruling in which a judge dismissed an argument that Corellium had infringed Apple’s copyright by offering researchers a simulated environment that emulates Apple’s iOS software. The environment allows researchers to hunt for bugs via a controllable browser that can be rebooted, instead of jailbreaking an actual iPhone.

It’s the latest update in a case that could have enormous implications for the ability of private researchers and academics to probe major technologies for dangerous flaws without the risk of legal retaliation.

The move follows reassurances by Apple that it would rely on security researchers to help vet its controversial new system for scanning for child sexual abuse imagery. On Monday, just a day before the appeal, Corellium announced an initiative that would provide $5,000 grants to security researchers who probe the security and privacy of iOS applications, including Apple’s new child sexual assault material scanning.

Privacy and security experts have expressed early concerns that governments could compel Apple to expand the program’s surveillance capabilities or that it could even be manipulated to create false matches to target individuals.

Apple did not respond to a request for comment on this story.

If a judge sides with Apple in the latest appeal, the decision could undermine independent research meant to examine potentially dangerous flaws in technologies ranging from iPhones to voting machines, experts say.

“It raises the specter that all sorts of security research activity could be vulnerable to copyright infringement claims,” said Blake Reid, a professor at University of Colorado’s law school. “It’s incredibly chilling that Apple is pursuing this.”

A Florida federal judge in December dismissed Apple’s claims that Corellium went beyond the standard fair use copyright exception given to researchers. The judge determined that Corellium’s iOS emulator, which provides researchers additional tools such as allowing them to take live snapshots and halt running processors, benefitted iPhone users’ security and was not just a ripoff product that could vie for Apple’s consumers.

The judge called Apple’s claims that Corellium failed to vet users of its research product, thereby potentially giving malicious hackers access to the code, “Puzzling, if not disingenuous.”

Apple’s latest maneuver has sparked skepticism from researchers about the company’s claims that it welcomes security researchers to probe its new systems for detecting child abuse imagery.

“This is not a sign of goodwill towards the security research community,” said Reid. “I cannot imagine it is going to help them rebuild any credibility.”

It’s not clear whether Apple will provide additional evidence to prove its once-rejected claims that Corellium violated its copyright.

Corellium did not return a request for comment before press time.