171 comments

[ 2.6 ms ] story [ 217 ms ] thread
>So useful, in fact, that Apple tried to buy the company

It's not like Apple can't virtualize iOS.

Beyond that, I feel like this article could've done a much better job representing Apples claims. The author attempts to paint Corellium as the good guys while completely ignoring that they primarily sell to the likes of Azimuth.

Maybe DMCA is bad and Apple is evil, but that doesn't make Corellium the good guys.

It's called aquihire: you buy the company to redirect the talent and bury the product.
>> Maybe DMCA is bad and Apple is evil, but that doesn't make Corellium the good guys.

Not only is this my favourite point in all the comments I’ve read - but I feel like this one sentence says, in one sentence - what it took me like a page and a half to convey. :P

Author here. I don't see how providing a platform to speed up security research is a bad thing.

That said, I don't have a huge problem with Apple's 'they copied our bits' complaint. That's true.

The problem is that Apple is weaponizing 1201 in a way that would be very damaging if applied in other contexts.

But Corellium isn’t copying their bits; users provide their own iOS files.
I didn't really read it as them saying Corellium is the good guys. Certainly they want people to ignore any bad things Corellium does, but the point here is that this is just another bit of DMCA overreach, and regardless who the defendant is, we don't want further precedent set that legally locks up our devices and software from ourselves.
Why exactly is this overreach? Corellium cracks iOS licensing, it’s no different from pirating Windows.
Perhaps, but what's the harm? Apple doesn't sell iOS itself, while Microsoft does indeed sell Windows (even though most end-users don't see that cost directly).

Proving actual damages is a part of any copyright infringement case.

Honestly if I was a security vendor who found a major vulnerability in IOS this type of behavior by Apple would make me far more likely to simply release it rather than work with them to get it resolved.
I don't think anyone at Apple would be all that upset over that. A publicly released exploit is better than one privately sold to intelligence agencies. It's specifically the latter market that Corellium seeks to serve.
> It's specifically the latter market that Corellium seeks to serve.

Hence why Corellium often provides members of the security and jailbreak community with access to their services.

That's just a free cover to make their sales to IC exploit developers seem more palatable.
I believe Corellium also has customers that find it useful that they can test their apps on previous versions of iOS, an entirely legitimate service that is quite difficult to find elsewhere.
I don't believe anyone doubts that.
Lots of companies give lots of things to "the community" for goodwill, but that doesn't mean they don't also sell to governments. Amazon gives AWS away to anyone, but ALSO tried to get the JEDI contract. One doesn't negate the other.
This is starting to veer off track, but I am not overly sympathetic to “but your tool is used by bad people” arguments in cases where there are reasonable, general uses for the tool. Nobody goes after McDonalds because murderers eat there, too.
Ah yeah, McDonalds is totally a reasonable comparison!

Corellium doesn’t charge a few “nice” researchers, but builds their business around the evil researchers willing to pay $1M/yr for a license. Clearly they’re exactly like McDonalds!

I’m not going to argue with you about how comparable it is; I consider Corellium to be usable enough as a general purpose tool that I exempt it from criticism along the lines of “this is a bad product that can only really be used by bad people”. I have no insight into how many of their contracts go to “evil” researchers and how much this is skewed by them providing their services for free to those who are not “evil researchers”; if you can show me that their service is overwhelmingly used only by the people you’re talking about I might be a little bit more willing to entertain your point.
That's not the real licensing cost at all. The cloud and on-premise options are both available for substantially less.
The licensing costs seem to depend on who’s asking. I have no doubt that they might have offered you substantially better rates than that.

People keep making very confident but incorrect statements regarding prices offered by Corellium because they assume everyone gets quoted the same, see this twitter thread for another example https://twitter.com/therealdaneel/status/1193122030687797248

Well, no, shit - Corellium, from what I can tell from other articles I’ve had to read, (their website is a virtual drought of information about the product) seems to have literally built its own virtualization platform to emulate specific iOS devices - and is likely literally just throwing IPSW files (the actual iOS releases from Apple themselves) onto this emulator and selling it as a service.

As much as I believe in the open and free exchange of ideas I can’t actually agree with iFixit here.

The excuse of it being sold as a ‘security product’ contradicts the only statement on their website - that its a tool for development.

John Deere locking farmers out of repairing their own hardware? Awful, shitty behaviour.

But this is literally stealing Apple’s OS, shoving it in an emulator and charging people for it.

This article also makes the fallacious argument that Apple ‘gives away’ iOS with the purchase of an iPhone or iPad. That’s silly - the cost of the OS is built into the purchase price.

The R&D and development time and money that goes into iOS or MacOS is part of what we are paying for when we purchase a device from Apple.

When we purchase a computer from Dell with Windows 10, the cost of the OS is bundled with the purchase - but Microsoft still gets paid from that - unless, of course we might order the specific subset of Dell computers with Linux on them.

I expect better from iFixit. This article reads like a sob story from the CEO of the company. You stole their software. What did you expect?

How is this any different from a company that would sell you a preconfigured hackintosh? Or selling a DVD player with an unlicensed movie on it? :/

We can bitch about iOS and MacOS being closed platforms all we want - but for myself and many others the hardware/software package-as-a-unit is actually a huge part of the point.

> and is likely literally just throwing IPSW files

Actually they go a bit beyond that. From the apple filing:

>The Corellium Apple Product makes modifications to iOS that allows it to be installed on, and run from, Corellium-developed or Corellium-operated hardware. Such modifications include disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the “trust cache,” and instructing the restore tool not to contact Apple servers for kernel / device tree / firmware signing.

This doesn't seem too different from a cloud hosting provider selling VMs running cracked copies of Windows.

>> This doesn't seem too different from a cloud hosting provider selling VMs running cracked copies of Windows.

Alright, so I’m not going crazy, then. I added an edit to my first post making the comparison to a company selling preconfigured hackintoshes. It’s literal theft and resale in a different package.

That they had the balls to even do this, especially to the extent you are talking about, is shocking.

> It’s literal theft

No, it's copyright infringement.

Apple has not "lost" a copy of iOS every time someone spins up a Corellium VM.

Corellium could, hypothetically, mandate that every user has a number of legitimate iOS licenses equal to their number of VM instances. (e.g. by making the user mail in a functional iOS device for each VM instance they want)

They'd still be running afoul of the licensing terms and DMCA, but it would feel less egregiously like "stealing".

MacOS (and presumably iOS ?) avoid "legal hackintosh" by adding to the EULA that you can only receive a license to run macOS on mac hardware, not just by owning a mac hardware separately.
The filing makes it sound like this is for piracy, but these actually make it easier for Corellium’s users to do what they’re using it for: security research and device testing. Those features make it difficult to modify and introspect the OS.
> How is this any different from a company that would sell you a preconfigured hackintosh?

The difference is that Corellium is very explicitly doing this to promote interoperability. Adversarial interoperability is a good thing for the market, and copyright laws generally recognize this. If DMCA 1201 does not, that's a problem with the law - not with what this firm did.

Promoting interoperability with theft doesn't make interoperability very appealing to me. :/

If it was an FOSS project, instead of being sold to intelligence agencies, I would call them gods instead of thieves and agree with what you’re saying.

"Theft"? You think people are going to run Corellium VM's on their phones instead of buying iOS devices? The markets are entirely separate, Apple does not lose any appreciable revenue to Corellium VM's.
Just because you wouldn't buy an iphone instead, doesn't make it not theft.
The only argument for copyright abuse bring theft that is even remotely reasonable is that it possibly causes lost revenue/sales. If it doesn't, and in this case it can't, then there is absolutely no argument for it being theft that holds any more water than a sieve.
Eh, this is pretty myopic if not outrightly idealistic.

Corellium likely adds value to Apple because they help to harden the ecosystem, something Apple clearly can't do 100%. Rather than open sourcing their OS, this really is a next best option security-wise. Therefore, Corellium's niche expands the Apple brand.

Really just sounds like they're getting knocked for dealing with intelligence agencies.

Just because you keep calling it theft, doesn't change that we are discussing copyright infringement. Completely different law.
I think that most people would agree that copyright infringement is a subset of theft.
I don't agree with that, and I hope "most people" would not agree with that either. With copyright infringement, the original copy still exists. With theft, the original copy changed ownership. The harm and impact are very different and less obvious.
You don't think that if I made copies of Disney movies and sold the copies on the roadside, that would be a form of theft?
Copyright infringement is what it would be.

Additionally, possibly counterfeiting if they are sold as the real thing.

If you'd have stolen the copies, it would be theft and copyright infringement.

I don't understand why we still have this discussion...

People do buy iPhones for exactly the purpose they use Corellium for, Corellium has advertised themselves as an alternative to buying tens of iPhones.

See the image in this tweet (can’t direct link from mobile) https://twitter.com/josephfcox/status/1189218066028216324

I don’t think you can reasonably make this argument.

Corellium frequently provides security researchers with free access to their tools.
no such thing as theft in this area. not even a copyright infringement looks like. maybe a license violation and the judge will decide about circumvention of digital locks, which is, at best, a well-intentioned legislation.
The article seems a bit shrill.

I can understand advocacy, but as lostgame says, Corellium is basically riding Apple's coattails.

If they were helping Apple, then I doubt Apple would be suing them.

I understand the way that Apple thinks on this. It isn't "bullying." It's brand protection. I worked for years for a corporation with a legendary brand, and they went to great lengths to protect the integrity of that brand.

Part of protecting the integrity is to prevent others from diluting it; even if what they do is net positive, monetarily, it may damage the brand. A company that values its brand can't let that happen.

Branding is a very different world from what most tecchies do. The priorities are drastically different, and a lot harder to "pin down."

A well-curated brand can be unbelievably valuable, though. Apple's brand is one of the top five brands in the world.

> If they were helping Apple, then I doubt Apple would be suing them.

There are a number of security researchers who use Corellium to find bugs in iOS. Corellium themselves have submitted vulnerabilities using Apple’s bug bounty program.

Corellium may have developed an excellent product technically, and they might be selling a useful service, but they still infringed Apple's intellectual property.

It's up to Apple to decide if they want to make a virtualized iOS available for security researchers on the web.

How exactly did they infringe on Apple’s property? Does VirtualBox get in trouble if you run pirated Windows on it?
They run virtualised iOS for you without having licensed it from Apple.
From what I can tell, Corellium heavily modifies iOS. Parallels and whatnot run unmodified Mac (not i)OS.

That’s pretty hairy stuff. Technically cool, but definitely sketchy.

> Corellium heavily modifies iOS. Parallels and whatnot run unmodified Mac (not i)OS.

Not quite. The optional "modifications" are pretty much the small byte patches in the kernel and bootloader which are normally done in a jailbreak. It is similar to how "Parallels Tools" is automatically loaded; Not entirely required, but makes the experience better.

If that’s the only way you can pirate Windows, then I think Microsoft would definitely go after them.
Corellium isn’t really a piracy product. Think of it like an emulator that you can load ROMs into.
Since when does VirtualBox crack Windows for you?
This isn’t really “cracking” iOS, getting it to boot is more providing it with the hardware and services it needs to start up. Some people have gotten quite far just by patching qemu.
Did you read the Apple filing? They specifically claim that corellium patches their licensing mechanisms.

Perhaps they’re wrong, but I doubt that they’d lie.

If you can get a working ISO, virtualbox will run it. Hardware doesn't tend to care what's running on it, virtualized hardware is no different.
Are they selling an iOS virtualization software or a virtual IOS instance ? If the later then the analogy isn’t accurate if the former then I suppose you are correct (if the compatibility laws override the iOS license)

Edit people in the rest of the thread are saying that a modified iOS is provided by them

As far as I know, Corellium has hardware to boot an iOS image you provide and will provide you access to it. Some commenters have mentioned that Corellium downloads the image for you but I’m currently weighing it against hearsay from people who used it previously.
I’ve used it and at the time it would download the IPSW for you. I’m not sure if there was an option to use your own IPSWs. Also, it is important to note that they would charge you for different features so being able to use your own IPSWs could circumvent this pricing model. Of course their boot loader could enforce Apple signing policy but then it would only be able to run Apple code.
I haven't read Apple's complaint, but from TFA, it doesn't appear that Corellium is being sued for distributing an unauthorized derivative work of iOS, but for violating the DMCA's prohibition against breaking digital locks.

So whether or not they're unlawfully redistributing iOS is irrelevant to the case. The DMCA crap is the interesting bit. And if Apple decides to sue for simple copyright infringement, Corellium could turn their product into bring-your-own-IPSW, with instructions/patches/whatever to modify the image so it'll run on their emulator.

Well jailbreaking is also breaking digital locks.

As for the copyright thing, yes, they could ask the user to upload the ipsw (but still i don't see the difference between user doing it and them doing it, it'll end up in the same place), but there would be no need for modification instructions. Modifications are done dynamically, they're not pre-applied into a custom ipsw.

It's the user that chooses if they want Android or iOS and which versions of them. Corellium downloads the firmwares from the official sources, in this case apple.com. Modifications are applied dynamically. Jailbreaks modify iOS, they don't distribute a modified iOS. Same thing with Corellium. It modifies iOS after downloading it from apple.com.
It still baffles me how so many technical people in the US use Apple products despite all of this.
False beliefs about privacy, security, and speed combined with outdated beliefs about usability.
Then there's a lot of stuff that isn't obvious, on the surface. Maybe some back-channel negotiations fell through, or they did the whole "Ask forgiveness; not permission" thing about something. Just because Guy Kawasaki used to say it, doesn't mean that Apple still rolls that way.

I'll bet this isn't just about IP. I strongly suspect that it's about the brand.

If the rumors that Corellium is working with governments and shady people looking for bugs, apple is likely trying to squash and damage that market for security sake. They probably tried to just buy them as the easier path, and then they get all the companies financial records to review for damage control. Suits at least stop the company.
Cool, but an alternative will probably be made in the following months or wreks from the ashes of Corellium if you're correct, except that it won't be public this time, and they might not ever know about it. Security wise, that's the worst move they could do.
If it's about the brand and not the IP, then Apple would be abusing copyright, no?
Would you be opposed to companies like MongoDB or ElasticCo suing Amazon for reselling their products as a service when they explicitly said it was against their license?
Nope, if it’s upheld the license is legit.

Same reason I don’t fault Apple for suing companies who make products to run iOS / MacOS on non-Apple hardware.

(comment deleted)
> If they were helping Apple, then I doubt Apple would be suing them.

A company or person doesn't have to be helping some other corporation increase profits to be morally or legally in the clear. iFixit also isn't helping Apple, that doesn't mean 3rd party repairs should be illegal. In fact, whether they're hurting or helping Apple should be entirely immaterial.

> If they were helping Apple, then I doubt Apple would be suing them.

I think it's pretty telling that Apple tried to acquire them, but only decided to sue them after their offer was rejected. Seems like Apple really does like their product, and thinks people would find it useful, and is just sore they can't have full control over it.

Get the suit underway, then make a new buyout offer, this time for a lot less $$$...
I think that would definitely make a case for an anti-slapp case against apple if they did that. Trying to buy, then suing already seems to make it look like a slapp suit.
Making an offer to buy the company can actually help apple if their suit continues.
Why should “public interest” and a judge in the case take someone’s BRAND issues into account? If that’s the case, doesn’t that prove that it has nothing to do with dmca and copyright issues?
> If they were helping Apple, then I doubt Apple would be suing them.

They're helping their security but damaging their reputation. (Corellium makes finding bugs and developing jailbreaks easier. People exposing bugs will make other clueless people think iOS's security is bad, therefore damaging Apple's reputation). Apple chose to keep their reputation because who cares about security when everyone thinks security is good?

This is very clearly development/security software: Apple isn’t losing any sales to it, because Apple literally does (did) not make anything comparable available to the public. Corellium simply provides emulation services; I don’t think they distribute the IPSW themselves.
> I don’t think they distribute the IPSW themselves.

Does anyone know more about exactly how Corellium works in this regard? To me, it makes all the difference.

Where does the IPSW come from? Do they pull a new copy off of Apple's servers each time a customer spins up an instance? Does the customer download the IPSW and upload it to their account?

Speaking more broadly, I feel Corellium would have a much stronger case if their product was running on end-user machines. As long as it's running on Corellium's servers, they're "retransmitting" Apple's software, for lack of a better word.

This is a dead thread, but:

According to their docs, they do provide the IPSW.

If they provide the ipsw, modify the ipsw, and don’t have permission from Apple to do that, then it’s all over for them.

Didn’t work for Psystar and it won’t work for them.

Isn’t there an exception in US law for security and compatibility purpose, with even the ability to decompile software?

Especially if Apple doesn’t provide any way to do it legally, then they can have a chance at trying to convince a jury. I agree hosting and reselling the service is pushing the question a bit far, but it may be deemed legit depending on the jury. IANAL, obviously, just asking the question.

The ipsw is downloaded from Apple and later modified. Modification is not illegal just like jailbreaking isn't. Jailbreaking is essentially modifying iOS.

Psystar sold computers with macOS installed, that's redistribution and a copyright violation. Corellium isn't selling devices with iOS.

I’ve heard that you provide your own IPSW, do you have a link to these docs?
You have to open it in the app.
They download ipsws from apple then modify them.
>I don’t think they distribute the IPSW themselves.

What about the screenshots linked in the article?

They're downloading it from apple's servers, the same way a user would
Nah, a real user would use apple updater software to download the IPSW. That'd involve accepting Apples licenses and whatnot.

You can't find the IPSW download links on Apples websites, they're all sourced by reverse engineering.

Doesn't matter. The ipsws are openly downloadable. There's no redirect going to an EULA page when downloading them, like saurik said.
Where do you get those IPSW links without accepting an EULA? Apple does not publicly link to them. Sure, you can pirate from ipsw.me and the likes.
You can download the ipsws with iTunes. You can get the links by monitoring the network and seeing what iTunes does. You can reverse engineer iTunes. You can use ipsw.me, which does not pirate anything since it only gives you official links, it doesn't rehost anything on their own servers.

My point is that Apple doesn't redirect you to an EULA page when using those links. Apple can block all direct links and force you to go through an EULA, but they don't. And how you get the links is irrelevant. So is the fact that a user isn't supposed to have them.

Presumably you have to accept an EULA to run iTunes in the first place, right? Perhaps there's even another license agreement that pops up before you can download firmware.

>You can use ipsw.me, which does not pirate anything since it only gives you official links, it doesn't rehost anything on their own servers

I'm not saying that ipsw.me pirates anything, but that you may be pirating by using ipsw.me

> Apple can block all direct links and force you to go through an EULA, but they don't

But they do require you to go through an EULA. You're using a weird technological argument that firmly places you into weev-CFAA-violation territory.

I'm not saying this is how things should be, but this is how things almost certainly are in the eyes of the law.

> So is the fact that a user isn't supposed to have them

Yeah, so how is this not unauthorized access to a protected computer? A crime under the CFAA, as previously demonstrated in United States v. Auernheimer

> Presumably you have to accept an EULA to run iTunes in the first place, right? Perhaps there's even another license agreement that pops up before you can download firmware.

Well, each EULA only applies to the tool you click accept on right? If you click accept inside iTunes, it only applies to iTunes on that computer. If you click accept on your device, it only applies to that specific device.

> but that you may be pirating by using ipsw.me

Same thing. You're not pirating if you're downloading something from the official sources.

> But they do require you to go through an EULA

Apple can't just force one to accept the EULA. If downloading an ipsw requires an EULA and I don't agree with it, it's not my fault if Apple still allows me to get the ipsw.

>Apple can't just force one to accept the EULA. If downloading an ipsw requires an EULA and I don't agree with it, it's not my fault if Apple still allows me to get the ipsw.

If I'm not supposed to download AT&T customer information, it's not my fault if AT&T still allows me to get the information? There have already been criminal convictions over this exact issue in the past.

> If a server is publicly accessible, you don't need authorization to access it.

This theory did not hold up in the Auernheimer case.

E: Sorry HN won't let me answer below, "posting too fast"

>It's not your fault if you get access to the information, but it is your fault if you intentionally use that information for malicious purposes. Consider an analogy: you find someone's wallet in the streets. That doesn't make you a criminal. However if you decide to use that money and not turn it in, then you have broken a law. The same thing here. Accessing content that was made accessible by mistake doesn't make you a criminal, using that information further on does.

This is not the theory Auernheimer was convicted under, you should read up on that case. He was separately convicted of both accessing and using that information, had he not used the information he'd still have been convicted for the access if caught.

> If I'm not supposed to download AT&T customer information, it's not my fault if AT&T still allows me to get the information?

It's not your fault if you get access to the information, but it is your fault if you intentionally use that information for malicious purposes. Consider an analogy: you find someone's wallet in the streets. That doesn't make you a criminal. However if you decide to use that money and not turn it in, then you have broken a law. The same thing here. Accessing content that was made accessible by mistake doesn't make you a criminal, using that information further on does.

> Yeah, so how is this not unauthorized access to a computer? A crime under the CFAA, as previously demonstrated in United States v. Auernheimer

Unauthorized access to a computer implies bypassing authorization mechanisms to get content that you couldn't get otherwise. If a server is publicly accessible, you don't need authorization to access it. The law doesn't account for how someone can access something (i.e. using iTunes or by reverse engineering and finding the links), it only accounts for who is authorized to access, and a server by being public is automatically authorizing everyone to access its contents. Note however that an EULA can account for how you access content (i.e. "you must use iTunes"), but that is the matter we're discussing right now: whether an EULA is enforceable and whether you can get around it.

I don't really understand your argument here, and I definitely don't understand your ire. Apple releases an OS, which anyone can download, without any authorization, from their website, seemingly for free... these downloads aren't even encrypted. Corellium developed an emulator for Apple's hardware that, if you load an Apple OS onto it, can run that OS. As Apple allows anyone, without any kind of authorization to just download the OS from their website, it would seem like Corellium should be able to make this emulator, no? This emulator product doesn't actually compete with any service or technology that Apple provides except maybe the small handful of research devices that Apple is willing to hand to a very very very small number of blessed bug bounty program members, and that's (frankly) a stretch.
You have to accept EULAs to download it, surely.
Actually, no. You have to accept an EULA to "activate" the software (something Corellium's emulator can't even do, which means you don't have access to iCloud, iTunes, the App store, etc.), but you don't have to accept an EULA to download the software. Oracle, to contrast, allows anyone to download their Java SDK, but you first have to accept an EULA (something they changed from how Sun previously had it set up, where anyone could download the software without first accepting the EULA); Apple has no such restriction on their downloads.

https://updates.cdn-apple.com/2019FallFCS/fullrestores/061-0...

So how did you get that link without accepting any EULAs? Apple does not make IPSW download links publicly available.
> Apple releases an OS, which anyone can download, without any authorization, from their website, seemingly for free

Microsoft does the same with Windows. Can I rent out VMs running cracked copies of Windows now?

> Microsoft does the same with Windows.

I am pretty sure Microsoft doesn't do the same thing with Windows; they allow you to download, for example, an ISO file for Windows 10, but only if you go through their website portal that explains you must accept their "Microsoft Terms of Use" which then generates a personalized URL for your specific usage that expires in 24 hours, etc. Apple just lets anyone download the IPSW file for their firmware, no questions asked.

> Can I rent out VMs running cracked copies of Windows now?

You absolutely can provide a VM service that emulates an Intel computer, and if a user downloads Windows for free and is allowed to run it on that computer and they decide to violate the EULA, I'm pretty sure that's on them? If I provide software that helps you download and install iOS on any ARM device, and also happen to rent access to ARM devices, is that somehow more illegal than doing either of those two things separately?

It only works on iOS compatible hardware so it is implied you have paid for a device to use it. Is part of the cost of a device. Apple hired 1000s and paid billions to develop and maintain that “free” OS
That sounds like a moral argument, not a legal argument? If Apple wants it to be that way, maybe they should just put the iOS firmware download behind some kind of EULA, like every other company that attempts to do the same thing (and which I have some good reason to suspect has been explained to Apple multiple times with respect to the situation with Corellium)?
If I can download an iOS image from Apple's servers without having to agree to a license that says I only get to run it on an authorized Apple device, then I can do whatever I want with it (short of distributing it).

> It only works on iOS compatible hardware

Put another way, Apple does not have a monopoly on creating iOS-compatible hardware. A third party would have a decent amount of trouble reverse-engineering their hardware to build a workalike, but, absent a license agreement or some sort of access control, they cannot legally prevent me from running an unmodified iOS image on a piece of hardware or software of my choosing.

(Corellium appears to be using modified iOS images, so they're almost certainly in the wrong here with regard to this point, of course.)

It's amazing how people on HN can support companies like AirBNB, Uber, Lyft who flagrantly break laws to bring a new product to market that is arguable better than the old way of doing things, and then at the same time not support a company like Corellium for doing the same thing because it's Apple.

This is clearly a sorely needed product, Apple even agrees because they tried to BUY the company and when they said no they want to take their ball and go home.

>because it's Apple.

I think you're being assuming here.

You might be right, but I believe the main sentiment still holds about hypocritical support of one vs the other.
I don't think so. In my experience, people here are just as critical to Apple as other companies.
From some very crude statistical sentiment analysis, they're somewhat more critical of Apple.
Link to said analysis?
I wrote a script for this a while back to analyze them with nltk:

  #!/usr/bin/env python3
  
  import nltk
  import nltk.sentiment.vader
  import json
  import urllib.request
  
  companies = [
      "apple",
      "google",
      "microsoft",
      "amazon",
      "facebook",
  ]
  sample_size = 10
  
  
  def get_json(url):
      request = urllib.request.Request(url)
      request.add_header("User-Agent", "Python")
      return json.load(urllib.request.urlopen(request))
  
  
  def allcomments(json):
      comment = json["text"]
      comments = comment if comment else ""
      for child in json["children"]:
          comments += allcomments(child)
      return comments
  
  
  if __name__ == "__main__":
      for company in companies:
          sentiments = []
          print(company)
          for item in get_json("https://hn.algolia.com/api/v1/search?query=" + company + "&tags=story")["hits"][:sample_size]:
              tokens = nltk.tokenize.sent_tokenize(allcomments(get_json("https://hn.algolia.com/api/v1/items/" + item["objectID"])))
              sia = nltk.sentiment.vader.SentimentIntensityAnalyzer()
              scores = sum([sia.polarity_scores(token)["compound"] for token in tokens])
              sentiment = scores / len(tokens)
              print("\t" + item["title"] + ": " + str(sentiment))
              sentiments.append(sentiment)
          print("Average: " + str(sum(sentiments) / len(sentiments)))
Apple gets low scores because of China, mainly. Plus they lack the many open source projects that buoy up companies like Microsoft.
The pattern is evident, and it becomes more clear if you look at individuals' comment histories.
If you’re going to do this please make specific allegations instead of posting this pathetic nonsense.

Or email hn@ycombinator.com like the guidelines tell you to.

Often people who support breaking Law A will nonetheless oppose breaking Law B, not because they're hypocrites but because they consider A unjust and B just.

If one could either choose between supporting all laws or opposing all laws with nothing in between, the history of civil disobedience would be different indeed!

> Apple even agrees because they tried to BUY the company and when they said no they want to take their ball and go home.

I think this was gonna be a case of buy and shut down. there's nothing stopping Apple from releasing something like this themselves and undercutting Corellium. instead they're doing the opposite and have removed emulation from XCode.

Clearly someone at Apple has decided an emulated iOS is too much of a threat.

> instead they're doing the opposite and have removed emulation from XCode.

what?

> Apple even agrees because they tried to BUY the company and when they said no they want to take their ball and go home.

I don't see that as apple agreeing the product is needed necessarily. Mostly based on their tendency to keep an iron grip on the ecosystem.

Apple's behavior would suggest more that they tried to buy the company first because it would hopefully be both safer from a PR standpoint and also cheaper/safer from an outcome standpoint than a protracted legal battle (depending on the specifics, it's possible EFF will have a horse in this game).

Exactly. Corellium wouldn't be what it is right now if their product didn't fill a need, and Apple is mad because they're not getting a slice of the pie.
(comment deleted)
I don't know the specifics but it sounds to me like making a VirtualBox product that is fine-tuned for macOS, including guest drivers for smooth integration (like VirtualBox Guest Additions).

If the user provides the IPSW files, I don't see what's the problem.

If I were Corellium I would open-source the product and see about licensing to corporate customers. What will Apple do then? Send a DMCA to GitHub?

You cannot legally run MacOS on non-Apple hardware.
What? This is patently false. Can you point me to a single case where a judge ruled it's illegal to run MacOS on non-Apple hardware
Pystar comes to mind, but that's a bit different, they were selling fully set up Hackintosh machines.

I think GP is referring to the fact that Apple's EULA forbids running macOS on non-Apple hardware. But whether that's legally enforceable (if you're doing it on a personal machine rather than selling it) is not at all clear to me.

Completely disagree here. All Corellium has done is virtualize hardware that can run iOS. How is that possibly copyright infringement (outside of the DMCA's brain-dead bullshit, anyway)?

If Corellium is distributing the IPSWs that can run on their emulator, then sure, that would be out of bounds (presumably Apple has not licensed other entities to distribute iOS)[0]. But if the user provides the IPSW to run, this is analogous to a version of VirtualBox that can boot iOS. It's absurd to think that should be illegal.

If this suit doesn't go well for Corellium, I really hope they open-source their tech. Good luck to Apple trying to ban that from existence.

[0] Regardless, this is not what Apple appears to be suing them about.

Apple forbids in its EULAs to run their software on non-Apple hardware, including any virtualization platform if it’s not running on Apple hardware, and I doubt Corellium is running their saas on repurposed MacPros.
So? EULAs are not exactly legally binding in most countries, and even in the US it's complicated whether they are or not:

https://superuser.com/questions/30940/is-an-eula-enforceable

The enforceability of an EULA depends on several factors, one of them being the court in which the case is heard. Some courts that have addressed the validity of the shrinkwrap license agreements have found some EULAs to be invalid, characterizing them as contracts of adhesion, unconscionable, and/or unacceptable pursuant to the U.C.C.—see, for instance, Step-Saver Data Systems, Inc. v. Wyse Technology,[6] Vault Corp. v. Quaid Software Ltd..[7] Other courts have determined that the shrinkwrap license agreement is valid and enforceable: see ProCD, Inc. v. Zeidenberg,[8] Microsoft v. Harmony Computers,[9] Novell v. Network Trade Center,[10] and Ariz. Cartridge Remanufacturers Ass'n v. Lexmark Int'l, Inc.[11] may have some bearing as well. No court has ruled on the validity of EULAs generally; decisions are limited to particular provisions and terms. (Wikipedia)

If we're lucky we'll get better precedent from this suit.
IANAL, but seeing as Corellium is not an end user, I don't see how the end user license agreement matters.
So what? EULAs are mostly bullshit documents that aren't enforceable in most countries.
I can download iOS from Apple's servers without seeing or agreeing to any EULA whatsoever, so that's not really relevant.
> All Corellium has done is virtualize hardware that can run iOS

This is a downright lie.

>The Corellium Apple Product makes modifications to iOS that allows it to be installed on, and run from, Corellium-developed or Corellium-operated hardware. Such modifications include disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the “trust cache,” and instructing the restore tool not to contact Apple servers for kernel / device tree / firmware signing.

-

> But if the user provides the IPSW to run

Ok, but that's not how Corellium works as is evident from the links in TFA https://i.imgur.com/RXe2aE2.png

There is nothing wrong with doing modifications. Jailbreaks do modifications to iOS but they are legal.

And Corellium might not ask the user for the software but they still are downloading it from Apple servers, so I don't see how that makes a difference (but if it does, Corellium can very well apply the upload-your-own-ipsw idea)

I don't think jailbreaking is necessarily legal. There is a lot of conflicting case law. I don't know if there have been any iOS jailbreak related cases but the Sony, geohot thing comes to mind. And cracking drm, even for backup purposes seems to be against the dmca.
Jailbreaking is against DMCA laws (which by the way are pretty stupid; they should only account for cases when the locks are circumvented for piracy/malware purposes; but at least we got exemptions...), but there is an exemption that specifically allows jailbreaking.

Important to note however, that is a DMCA exemption, not an "EULA exemption" (used quotes because that term probably doesn't exist), the exemption ignores the DMCA law, not the EULA, which proves that the EULA isn't really legally enforceable, it's more of a threat from Apple "if you do that we won't give you support/service".

> Jailbreaks do modifications to iOS but they are legal

As your subsequent comment points out, jailbreaks are specifically exempt.

Corellium performs modifications to crack iOS's licensing, which is clearly distinct from jailbreaking. It's the nature of the modifications they're distributing that's the problem.

Jailbreaking is exempt from the DMCA law, not from any terms Apple might give using an EULA.

> which is clearly distinct from jailbreaking

It really isn't. The modifications Corellium does are the same modifications a jailbreak would do and done for the exact same purposes. A jailbroken device can be used for security research purposes and so can Corellium, unsigned apps or tweaks can be installed on a jailbroken device and so they can on Corellium.

> and instructing the restore tool not to contact Apple servers for kernel / device tree / firmware signing.
That is not a modification of iOS, that's a custom restore tool. Restore tools are not part of iOS. You can make your own restore tool and instruct it to do whatever you want. Such tools include idevicerestore, futurerestore etc.
There are many game emulators that cheats by altering the game at runtime to optimize performance or improve graphics quality at the loss of some accuracy. Doesn't make it illegal per-se.
it's not as simple though and the security arguments are real. Some counterpoints [1]:

> Corellium submitted 8 vulnerabilities under Apple’s bug bounty program, many of them were fixed in iOS releases. But Apple never paid out.

It’s hard to see how Apple can spin:

  Apple: “we will pay you bug bounty money to fund your company.”
  Corellium: loadsa bugs 
  Apple: Thanks for the bugs, about that bounty? lol j/k
p.s. now we’re suing you, and we want all your bugs.

[1] https://twitter.com/thegrugq/status/1189063534790922240

How times have changed. The world applauded Compaq for reverse engineering IBM’s OS and selling it for profit.
> But this is literally stealing Apple’s OS, shoving it in an emulator and charging people for it.

That's a long shot. When I buy an iphone, I get a license to use the OS the iphone comes with. If the license is for one device, I can't use it on many devices simultaneously, that much is clear.

However, for what Corellium is doing to be debatable, the license must say that one can only use the OS copy bundled with the device on the device itself, which sounds against "fair-use", and maybe even "anti-trust" worthy.

> How is this any different from a company that would sell you a preconfigured hackintosh?

Selling a pre-configured hackintosh isn't illegal on any jurisdiction as long as you have a valid license for the OS that you ship, in the same way that selling any laptop on ebay isn't illegal either, as long as the copy of the OS is legal.

If Corellium has one iPhone with iOS for every VM that's running at all times in a warehouse somewhere, then what they are doing is against Apple's EULA, which at most means that Apple doesn't need to give them support, but definitely not illegal.

Also, the real sad thing is that Apple is not providing this service themselves, and instead have killed emulation on XCode.

> Also, the real sad thing is that Apple is not providing this service themselves, and instead have killed emulation on XCode.

Is this new? I swear I was emulating and iPhone SE a couple of months ago for a react-native project. Or are you referring to something else? Something i’m missing here?

Yes, this functionality is deprecated in the latest Xcode, the next Xcode version won't support it AFAIK.
...well thats lame...and dramatically nerfs my ability to effectively debug layout issues
It isn't. Simulators are still a thing, but they're not like Corellium. They may look like iOS but they can't run iOS apps or iOS binaries (apps have to be compiled specifically for the simulator). That's because the simulator is just an app that looks like iOS, but works completely differently on the inside.
You were using the simulator, which is not an emulator
Xcode provides simulators, software that looks like iOS but works completely differently on the inside.
Bootlegging as an industry led to a lot of other crimes. I also think most of us here are glad it happened. It was a natural social response to an unnatural restriction in freedom.
First off it's a VM, not an emulator. Second, they're charging for the VM, not for iOS. The VM is purely their work.
Corellium would have a much better argument if they weren't for profit and closed source. I'm honestly surprised it's taken this long.
It's closed source and paid for some very obvious reasons:

- Corellium is the result of years of research, throwing it away for free would be stupid - If Corellium released their tools, Apple would so something to break it, starting a cat and mouse war like they already do with jailbreaking - Not much people can use the thing anyways. It requires arm64 computers. Most of computers use x86(-64)

I don't have sympathy for a company experiencing hardship because their entire existence is predicated on doing things to the software of another company (Apple) that (Apple) does not like. They brought this upon themselves. I think it is a necessary service, however their for profit nature creates perverse incentives. Corelliums refusal to be bought by Apple likely shows their continued attempts to profit off of exploiting the work of another company.

Corellium could take the mongodb approach, or I don't know, actually work with Apple on Apple's terms, since their financially dependent on their ability to provide re tools for Apple's proprietary software.

Apple actually creates economic value. Corellium are greedy pirates leeching off of sketchy markets for exploits sometimes used by authoritarian regimes to abuse the human rights of minorities and citizens alike.

> Corelliums refusal to be bought by Apple likely shows their continued attempts to profit off of exploiting the work of another company.

The only reason Apple wanted to buy Corellium was to shut them down. Apple doesn't need Corellium's technologies, they can do the same things and better.

> actually work with Apple on Apple's terms

Apple's terms are stupid. "Give us every vulnerability you and your clients find with the service", and it's not like Apple's paying them back anyway. Corellium already submitted many bugs to Apple and Apple didn't keep their promise of paying the bounty but instead decided to sue them.

What else you gonna do with those vulns if not report them to apple?
You can keep them for yourself (can make further research easier), release them as 0days (not every vulnerability can be used by attackers so sometimes full disclosure isn't a bad idea. an example would be bootchain bugs, they can't be used remotely), release them as jailbreaks, sell them to someone (you can verify they won't be used for malicious purposes; you could sell them to another researcher for example which can use them to make their research easier)
> I don't have sympathy for a company experiencing hardship because their entire existence is predicated on doing things to the software of another company (Apple) that (Apple) does not like.

Why does Apple have to like it? Corellium saw a critical need and did the work to fill it.

Does security research not have economic value? Should no one do that research?

That argument is disingenuous. Corellium is doing some security research. But what else are they doing? They're definitely profiting from the use of their software to find vulns that get used against vulnerable populations. There are a lot of rumors about less savory things they might be up to. So arguing that apple is just picking on security researchers is rubbish. Apple isn't innocent, but corellium seems to be worse at the moment.
Do we have evidence of those "less savory" things? All security research could be used for ill, but I firmly believe the ability to do such research makes us better off overall.
Articles that spend more time telling you how to feel about things instead of reporting on them should not be categorized as news.
It sounds like Apple are going to release their own iOS device cloud virtualization product at WWDC in exactly six months, so their lawyers are turning up the heat now on their lawsuit from last August that they assumed would be settled—in their favor—by now.
Be interesting if Apple released their own cloud product, since many people buy Mac's just because you have to use it for XCode to build and release iOS apps. However there is companies that will rent a remote Mac desktop. So seems like it would hurt Mac sales.
Mac is legacy, iOS is what matters. Sad.