Corellium says it makes iPhones ‘safer’ with its iOS virtualization software

Back in August of this year, it was reported that Apple had filed a suit against a mobile device virtualization company called Corellium, citing copyright infringement. And now that company has responded.

Motherboard published the report on Tuesday. This is the device virtualization company’s first response to Apple following the initial lawsuit. Corellium says that its iOS virtualization software actually makes iPhones “safer” because it makes it easier for security researchers to find iOS bugs. In the response, Corellium also claims that Apple owes it $300,000.

The response was actually filed on Monday.

On Monday, Corellium, the startup that was sued by Apple for alleged copyright infringement in August, filed its response to the lawsuit. Apple alleged that Corellium’s product is illegal, and helps researchers sell hacking tools based on software bugs found in iOS to government agencies that then use them to hack targets. The cybersecurity world was shocked by Apple’s lawsuit, which was seen as an attempt to use copyright as an excuse to control the thriving, and largely legal, market for software vulnerabilities. The lawsuit was filed just a few days after Apple announced it would give researchers special “pre-hacked” devices to allow them to find and report more bugs to the company.

Corellium states that its use of Apple’s code is “fair use”, and, as a result, its virtualization software should not be penalized for any copyright infringement. The company developed its software to run iOS in a virtualized environment that is easily accessible to security researchers.

The virtualization company argues that Apple is trying to work as a gatekeeper to make sure that only a select number of researchers are able to identify vulnerabilities in its operating systems:

“Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all,” Corellium argues in its response, echoing arguments made by the security research community.

The trouble here, it appears, is that open access. Corellium argues that more security researchers looking for iOS vulnerabilities is a good thing, and that it should give even more information to Apple. However, as noted in the original report, not everyone who uses the service is reporting bugs to Apple.

For example, Azimuth uses Corellium, but it does not report bugs to Apple. Instead, the company sells hacking tools to intelligence and law enforcement agencies.

As for that $300,000 owed? Corellium gets that number from Chris Wade, one of the company’s co-founders, who has apparently reported seven different bugs to Apple over the years. Up to this point, Corellium’s response claims, Apple has not issued any payments for those discoveries, which is why the company is seeking that particular amount.

Apple is still seeking a permanent injunction against Corellium and its virtualization tool, aiming to stop the company from using a tool that so closely resembles iOS. Apple is also seeking damages and other monetary payouts as a result of the lawsuit.