Apple Is Trying to Control Phone Security Research, Corellium Says
Apple Is Trying to Control Phone Security Research, Corellium Says
(Bloomberg) -- A Florida company that makes “virtual iPhones” to test for flaws claims Apple Inc. is trying to control how security research is conducted so it can limit what the public learns about vulnerabilities to its system.
Responding to a copyright-infringement lawsuit Apple filed in August, Corellium LLC accused Apple of “unfair business practices that must be put to an end by the court.”
Apple contends the software company has copied the operating system, graphical user interface and other aspects of the devices without permission. It accused Corellium of acting under the guise of helping discover bugs in the iPhone’s operating system but then selling the information “on the open market to the highest bidder.”
Corellium denied the allegations, saying its customers are government agencies, financial institutions and security researchers. It said Apple tried to hire the company’s founders and buy a predecessor of the firm. It also says Apple owes it more than $300,000 for flaws it found under the iPhone maker’s “bug bounty” program.
“Corellium’s technology is innovative and transformative,” the company said in a heavily redacted court filing Monday. “Apple is now attempting to use the court system to shut it down.”
Its virtual product can’t make phone calls, send text messages, access iTunes or do any of the other things an iPhone can. It’s sole purpose, Corellium said, is for “research and improving the operating system itself,” so is exempt from copyright-infringement claims.
Apple knew of, and encouraged, Corellium’s business until it decided to come up with its own competing product, the company says. During a Black Hat USA conference days before the suit was filed, Apple increased the bounty it would pay for the discovery of security flaws and would give a special “pre-hacked” research devices.
“Through its invitation-only research device program and this lawsuit, Apple is trying to control who is permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and if Apple will disclose identified vulnerabilities to the public at all,” Corellium said.
Bill Evans, a spokesman for Apple, said the company had no comment beyond its original lawsuit filing.
The case is Apple Inc. v. Corellium LLC, 19-81160, U.S. District Court for the Southern District of Florida (West Palm Beach).
To contact the reporter on this story: Susan Decker in Washington at sdecker1@bloomberg.net
To contact the editors responsible for this story: Jon Morgan at jmorgan97@bloomberg.net, Elizabeth Wasserman
©2019 Bloomberg L.P.