Apple Targets Jailbreaking In Lawsuit Against iOS Virtualization Company

An anonymous reader quotes a report from Ars Technica: Apple has expanded a lawsuit against an iOS virtualization company, claiming that its actions facilitate jailbreaking and violate the Digital Millennium Copyright Act (DMCA) prohibition on circumvention of copyright-protection systems. Apple sued Corellium, a company that sells access to virtual machines that run copies of the operating system used in iPhones and iPads, in August 2019. Apple said that Corellium sells "perfect replicas" of iOS without a license from Apple and markets its software as "a research tool for those trying to discover security vulnerabilities and other flaws in Apple's software." But instead of aiding good-faith security research, Corellium "encourages its users to sell any discovered information on the open market to the highest bidder," Apple alleged.

The first version of Apple's lawsuit accused Corellium of copyright infringement. A new version filed on December 27 alleges both copyright infringement and "unlawful trafficking of a product used to circumvent security measures in violation of 17 U.S.C. 1201," a statute that's part of the DMCA. Apple argued that Corellium gives users the ability to jailbreak iOS for either benign or malicious purposes. In response to the new allegations, Corellium CEO Amanda Gorton said "Apple's latest filing against Corellium should give all security researchers, app developers, and jailbreakers reason to be concerned."

Corellium is "deeply disappointed by Apple's persistent demonization of jailbreaking," with Gorton writing that "developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps." Apple's filing, according to Corellium, essentially "assert[s] that anyone who provides a tool that allows other people to jailbreak, and anyone who assists in creating such a tool, is violating the DMCA." Apple, Gorton wrote, "is using this case as a trial balloon in a new angle to crack down on jailbreaking" and "is seeking to set a precedent to eliminate public jailbreaks."

Lots of popcorn needed!

[gnasher719]

Apple is the copyright holder of iOS and has the exclusive right of allowing copies and modifications of iOS (with exceptions that wont apply to jailbreaking).

Re:Lots of popcorn needed!

[Darinbob]

Copies are most certainly allowed by anyone who has a legal copy of iOS (ie, they purchased a phone), under most countries' laws. This is called fair use. You are allowed to underline words in books for instance, or white out and put in a different word. Similarly, you are allowed under *copyright* law to modify code as long as you're not making more copies to share with other people. It's only under the DMCA in the US that you're not allowed to modify code for weird and illogical reasons unrelated to copyright, or even "reverse engineer" which is essentially means you can't even look at the code if you're smart enough to understand it.

Re: Lots of popcorn needed!

[tysonedwards]

Under copyright law, the virtualized device is a COPY made without the permission of the RIGHTs holder. That is where the Copyright Infringement piece comes in to play and it in no way is impacted by Jailbreaking. Some could say that is an attempt to muddy the waters surrounding the issue.

Re:

[arnero]

Did you read the parent? When you simplify "Copy Right" to this phrase, you make me think of a simple world, where I am allowd to copy my bought CD onto a mp3 player and am allowed to do a full disk backup of my Win10 PC. And because I cannot use both copies at the same time ther would be no loss for the seller. The simple copyRight law was meant against people who copied books in order to sell them. This is not about muddy waters, this is about you doing over-simplification.

Re: Lots of popcorn needed!

[tysonedwards]

And, this company is copying with intent to sell.

Re:

[Rick Zeman]

Copies are most certainly allowed by anyone who has a legal copy of iOS (ie, they purchased a phone), under most countries' laws. This is called fair use. You are allowed to underline words in books for instance, or white out and put in a different word. Similarly, you are allowed under *copyright* law to modify code as long as you're not making more copies to share with other people. It's only under the DMCA in the US that you're not allowed to modify code for weird and illogical reasons unrelated to copyright, or even "reverse engineer" which is essentially means you can't even look at the code if you're smart enough to understand it.

You're totally leaving out reselling that code, modified and unmodified. That's the crux of the lawsuit.

Re:

[angel'o'sphere]

leaving out reselling that code, modified and unmodified. That's the crux of the lawsuit.
How can it be the crux if there is nothing resold???

You have an EULA with iOS

[saloomy]

You agree to use Apple's software by agreeing to a license, for which they are free to write any terms they please. If you don't like the terms, don't use the software. It is not cool of Apple to put restrictive licensing terms, but that is their right, whether we like it or not, irrespective of how unpopular this opinion may be.

I also don't fully understand why you would need a jail brake to test for vulnerabilities. Apple helps you do that exact thing anyways in the App Review process.

Re:You have an EULA with iOS

[rtb61]

In the majority of uncorrupted countries. Those terms and conditions must be on full display at the point of sale, so in most countries end user licence agreements are utter bullshit, in the Amerikstan and post purchase agreements are of course quite corruptly allowed enmasse. So jailbreak https://en.wikipedia.org/wiki/... [wikipedia.org]. To give the customer full access to the device they bought, paid for and own, it should be illegal to deny customers full access to the device, they bought, paid for and own. Why should the seller be able to retain ownership of what they sold, how criminally corrupt that is, wow, only really corrupt governments would allow that.

I have to go with the, "you sold it to me, it's mine now, go fuck yourself" crowd. What to keep it secret, then don't fucking sell it.

Re:

[Darinbob]

Alternately, Apple could provide a real contract process, rather than a shrink-wrapped license. As in, both sides agree to the contract and sign it, then the product gets sold. In the early days, a lot of software licensing was done this way. It all changed once it became possible to buy software off the shelf.

Re: You have an EULA with iOS

[saloomy]

If you don't agree with the license (which is presented) you are free to return the product for a full refund within 30 days. Not ideal, but if you truly did not agree to it, some opportunity.

Re:

[Darinbob]

Apple can make any license it wants, with any terms. However this does NOT have the full force of law behind it. Anything legal happening here is purely a civil tort issue, a battle between lawyers. It is still up in the air as to whether shrink-wrap licensing is legally enforceable in the US (it's generally enforced by threat of lawsuits, DRM, etc).

Re:

[_merlin]

They're free to write any terms they please, but the terms may or may not be enforceable if they run counter to statutory rights. For example many jurisdictions protect the right to make copies for research purposes.

Re:

[Retired ICS]

They are completely unenforceable. Conditional Sales Contracts are required to (a) be in writing and (b) signed by both parties PRIOR to the sale. As such, anything not written on the Bill of Sale is not binding on the purchaser. Just because some slimy car company writes "this transmission is the property of Ford Motor Company and must be returned on demand" does not make that binding on the purchaser of the car containing that transmission unless the Condition was disclosed BEFORE SALE and was agreed t

Re: You have an EULA with iOS

[saloomy]

You buy the iPhone but you don't have a license to use iOS until you agree to its terms and conditions. Otherwise you hVe the right to a refund and return the product.

Re:

[bsolar]

Nope, when a contract contains unenforceable clauses typically only the unenforceable clauses are declared void and the rest of the contract stands. If I buy an iPhone I have definitely the right to use iOS, but Apple doesn't have the right to enforce many of the limitations written in the EULA according to the laws here.

The last bit is very important since depending on the jurisdiction EULA clauses can easily range from "enforceable" to "ridiculously unenforceable".

Re:

[angel'o'sphere]

For example many jurisdictions protect the right to make copies for research purposes.
Name one please ... and provide a ling to the law, please.

Re:

[taustin]

You agree to use Apple's software by agreeing to a license, for which they are free to write any terms they please.

Indeed, they are. Whether or not the courts will enforce it depends on which circuit you're in. Some have ruled that copyrights are governed by copyright law, not contract law, and that if you buy something for a fixed price, for an indefinite term of use, it's a sale of goods, ergo, the right of first sale applies.

In other words, they can write whatever they want, but if they choose the wrong circuit court to file in, they'll still lose. (And California isn't the best place for them to file that, either.)

It's a facade.

[Gravis Zero]

If you are deadset against jailbraking then you don't really care about security. Instead, you want to the present a facade of having security as a marketing ploy. People that care about security merely incorporate fixes into their software and move on. No need to dwell unless you are trying to hide something.

Define "tool"

[mark-t]

Re: "anyone who provides a tool that allows other people to jailbreak, and anyone who assists in creating such a tool, is violating the DMCA."

If one were to tell someone else about the vulnerabilities of iOS which might be used to jailbreak, but don't actually give them any software nor assist them in developing software which might be used to jailbreak, beyond simply educating them on what they would need to do, without actually telling them exactly how to do it, would the former person be violating the

Re:

[Retired ICS]

Or to a free country like North Korea ...

Not just information (but don't be a smart ass)

[raymorris]

The law says:
--
manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, thatâ"
(A)is primarily designed or produced for the purpose of circumventing
--

It doesn't clearly define "device". We would then look at the ordinary usage of the word "device", and perhaps refer to Merriam Webster. In ordinary usage, "device" doesn't mean "general information about a topic".

However, your phrase "without actually telling them ex

Re:

[mark-t]

Actually, I specifically stated in my scenario that one would *NOT* be giving them any software, instead only describing *what* needed to happen, at a higher abstraction level than specifically describing how it would be accomplished, and allowing them to use legally available tools to develop the jailbreak for themselves.

The verbage is explicit, it is only considered a violation if you distribute the tools that will perform the jailbreak. This is why I was asking for a definition of "tool". While yo

Re:

[raymorris]

> Actually, I specifically stated

Yes, I quoted you because the specifics matter.
I'm not arguing with you, I'm answering your question, and pointing out that the specifics of your question make a difference.

> This is why I was asking for a definition of "tool".

The word used in the law is "device", rather than "tool".
The statute doesn't define "device", that I see, so we end up with common usage and dictionary definitions.

The first definition in Merriam Webster is interesting:

1: something devised or con

Re:

[wierd_w]

According to the EFF [eff.org], it has an explicit exception to security research, which is the argument posited by Apple's opponent in this matter.

Specifically DMCA 1201(j).

(j) Security Testing.â"
(1) Definition.â"
For purposes of this subsection, the term âoesecurity testingâ means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator o

That's a fact Apple alleges

[raymorris]

I'm a career security professional myself, so I *want* to be able to do research. I also want to follow the law, the actual law, as opposed to what I wish the law was.

Requoting part of what you quoted:

--
the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network
--

Apple alleges that Corelium openly "

Re:

[wierd_w]

Assuming for a moment that the claim about producing rootkits (to gain root access) is the thing apple finds objectionable, arguments can still be made.

Specifically, the verbiage about who is allowed, and under what circumstances. Is Apple the owner of the device, or is the person who bout the device its owner? We are not discussing the software, apple owns IOS, straight up, but that is not what the law states here. It is the owner of the device.

Should Corelium buy Apple handsets, then image them to do t

Re:

[raymorris]

I think here you're confusing the copyright fair use issue with the circumvention issue.

On circumvention, it doesn't matter who owns the device, if it's not used *solely* for making the device more secure. Selling a vulnerabilities to brokers or bad guys wipes out that whole section, leaving "circumvention is illegal".

Re:

[angel'o'sphere]

The lawsuit is not against security research, it is against a:
a) a company
b) that is running virtual machines
c) that host iOS
d) as a paid service

To make this remotely legal that company would need to have a unique copy of an iOS image for eery VM, and make sure each VM is only used by one customer at the time.

If they simply bought one iPhone, took the OS out, and made hundreds of VMs it is "not legal".
If they made a smart iPhone emulator and upgrade the OS from the Apple Appstore, it is most certainly compl

Re:

[UnknowingFool]

I suspect it’s because Linux allows you to do that? I also suspect that Apple doesn’t run VM instances of AIX without the permission of IBM for example.

What a waste

[Alexan Kulbashian]

Imagine what Apple could do if it stopped spending so much money preventing people from fixing or actually owning their devices. Also, Imagine what Apple users could do if they invested their money into better hardware....

Re:

[Canberra1]

Professional Testing. Load testing and Stress Testing - they are not the same - demand automated testing and lots of VM's. How would you know a national disaster messaging system worked? Lives are at risk. Now multiple version and setting and model numbers. Apple provides none of these tools, nothing. IOS is also a partial operating system - also undocumented where forced hand can be abused with undocumented interfaces (see Near Field - and refusing Banks access so they could write a competing pay-wave inte

Re:

[AHuxley]

PRISM showed why consumer US OS got kept "undocumented".

Re:

[ACForever]

Litigation is in apple DNA

Ccorellium should move offshore?

[schwit1]

DMCA doesn't apply in Israel or India or Sweden.

Re:

[Retired ICS]

Or in any free country, such as China or North Korea. The DMCA only applies in the United States of Amerika.

Re:

[angel'o'sphere]

The USA forced many countries, e.g. the EU, to introduce DMCA like laws ... hence it is applied here as well.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Retired ICS]

It is not. At least not here. Perhaps you just live in a Fascist Dictatorship. Though as I understand it, such activities are not unlawful in either China or North Korea either.

Tough case

[ACForever]

but given apples history Id say they are in the wrong again. They are just to slimy and shady a company.