Corellium’s co-founders were early pioneers in the jailbreaking scene. At a Black Hat conference last year, Corellium reps praised the software’s ability to offer iOS replicas to anyone, including “foreign governments and commercial enterprises.” Apple filed suit in August 2019, asking for the destruction of all infringing code and cash compensation.
On Tuesday, a US District Court in Fort Lauderdale shot down Apple’s copyright claim against security software startup Corellium. The Cupertino tech giant took on the smaller company last year, filing a lawsuit alleging that it violated copyright law in creating an iOS virtualization system used to find security bugs in Apple’s mobile operating system.
Apple’s core argument was that Corellium had created a “virtual” iOS with the “sole function” being to run unlicensed copies of the operating system on non-Apple hardware. However, Judge Rodney Smith agreed with Corellium’s defense, saying that the software it created was “transformative” enough to fall under fair use since its purpose was to help researchers find security flaws.
“While a transformative use is ‘not absolutely necessary for a finding of fair use,’ . . . transformative uses tend to favor a fair use finding because a transformative use is one that communicates something new and different from the original or expands its utility, thus serving copyright’s overall objective of contributing to public knowledge.”
Apple had countered that the fair use doctrine did not apply because Corellium sold the product for profit. However, since the software allows users to do things that iOS does not—namely, view and halt processes among other diagnostic functions—it is of little threat to Apple’s IP and of greater benefit to the public, specifically Apple users.
“Corellium’s profit motivation does not undermine its fair use defense, particularly considering the public benefit of the product,” Judge Smith wrote in his opinion.
Cupertino lawyers had also claimed that Corellium had acted in “bad faith” since it did not require users purchasing the software to report bugs to Apple and since its indiscriminate distribution opened the utility up to misuse by hackers. The judge called that claim “puzzling, if not disingenuous,” citing Apple’s own Bug Bounty Program as a case in point.
“Apple’s position is puzzling, if not disingenuous. While Apple spends significant time in its papers faulting Corellium for not requiring users of the Corellium Product to report bugs found in iOS to Apple, Apple does not impose that requirement under its own Bug Bounty Program,” Judge Smith wrote, adding, “As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes.”
Despite the loss, the fight is not over. Judge Smith said that Apple is within its rights to pursue Corellium over unauthorized access when creating the software and over selling a product that could be used to circumvent security measures, both of which fell outside the scope of this case.