Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 1 of 60
`
`
`
`Plaintiff,
`
`APPLE INC.,
`
`
`v.
`
`CORELLIUM, LLC,
`Defendant.
`
`__________________________________/
`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF FLORIDA
`CASE NO: 9:19-cv-81160-RS
`
`
`
`
`
`
`
`CORELLIUM’S ANSWER, AFFIRMATIVE DEFENSES, AND COUNTERCLAIMS TO
`APPLE’S SECOND AMENDED COMPLAINT
`
`Defendant, Corellium, LLC (“Corellium” or “Defendant”), by and through its undersigned
`
`counsel, files its Answer, Affirmative Defenses, and Counterclaims to Plaintiff, Apple Inc.’s
`
`(“Apple” or “Plaintiff”) Second Amended Complaint and Demand for Jury Trial:
`
`RELEVANT BACKGROUND
`
` Long before Apple accused Corellium of copyright infringement and violations of the
`
`Digital Millennium Copyright Act (“DMCA”), Apple not only encouraged Corellium to continue
`
`developing its technology, but went to great lengths to acquire Corellium and its technology.
`
`During this time, Apple approved of Corellium participating in its invitation-only Security Bounty
`
`Program (“bug bounty program”) with an assurance that Apple would pay for software bugs
`
`identified by Corellium. While Apple gladly accepted and utilized bugs submitted by Corellium
`
`as part of this program, it failed to pay for them. Finally, only after the parties could not agree on
`
`an acquisition purchase price, Apple announced its own competing product and soon after sued
`
`Corellium. Tellingly, despite its lengthy discussions with Corellium’s founders and familiarity
`
`
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 2 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`with Corellium’s technology, including unrestricted access to Corellium’s proprietary information,
`
`Apple never hinted that it believed Corellium was infringing its copyrights or violating the DMCA.
`
`Apple’s behavior with respect to security research is widely viewed as harmful to the
`
`public. By way of example, Apple’s behavior toward Corellium exemplifies its desire to
`
`exclusively control the manner in which security researchers identify vulnerabilities in, e.g., a
`
`mobile device’s operating system. This research is extremely important to the public’s interest.
`
`By requiring that security researchers use its physical development (“dev”) devices to the
`
`exclusion of other products, including its attempt to stop Corellium from offering a more efficient
`
`alternative to its dev devices, Apple is trying to exclusively control (1) how security research is
`
`performed, and (2) who is able to perform that research.
`
`The Copyright Act is grounded in the constitutional directive to grant limited protections
`
`to the authors of copyrighted material while preserving – not suffocating – innovation. U.S. Const.
`
`art. I, § 8, cl. 8. The DMCA is no different. Congress enacted the DMCA for the purpose of
`
`preventing digital piracy, not to prevent innovators like Corellium from developing cutting-edge
`
`tools that benefit the public by empowering developers and researchers to more effectively and
`
`efficiently advance the security and stability of iOS devices, applications (“apps”), and services
`
`that play an integral part in end users’ daily lives.
`
`Corellium’s technology is not a trafficking tool; nor does it enable others to pirate
`
`copyrighted works. Rather, Corellium’s technology enables its users to run publicly available,
`
`unencrypted iOS files for the purpose of conducting advanced security research in an environment
`
`highly constrained by that purpose. Apple cannot claim that it effectively controls access to iOS
`
`
`
`2
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 3 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`when it makes iOS freely available to the public to download, open, view its object code, and run.1
`
`With respect to Apple’s breach of DMCA allegations, it makes no sense to say that the DMCA’s
`
`access control provisions apply to otherwise-readily-accessible copyrighted works. Further, use
`
`of Corellium’s technology fits within the DMCA’s exemptions.
`
`In short, this lawsuit is not driven by Apple’s genuine belief that Corellium infringes its
`
`copyrights or traffics a product in violation of the DMCA, but by Apple’s frustration at not being
`
`able to make Corellium’s technology its own and exclusively control iOS-related security research.
`
`Apple’s behavior, which spans the course of several years and has culminated in filing this lawsuit,
`
`amounts to unfair business practices that must be put to an end by the Court and finds no support
`
`in the letter or spirit of federal copyright law.
`
`
`
`
`
`
`Innovative And Transformative Technology Has Transformed
`Corellium’s
`Security Research
`
`Apple wanted to purchase Corellium’s technology because it is innovative and highly
`
`transformative. It virtualizes physical devices, including Apple mobile devices, enabling users to
`
`execute various device operating systems in a simple unified environment. By replacing racks of
`
`physical devices2 with a single virtual platform, Corellium empowers software engineers to test,
`
`teach, research, and develop more efficiently and more effectively.
`
`
`
`
`
`
`
`
`1 Any person can download the iOS files, or “IPSWs,” directly from Apple’s servers. Direct download links can
`be found at https://itunes.com/versions, as well as from various third party sites including, for example,
`https://ipsw.me, https://www.ipswdownloader.com, and https://www.theiphonewiki.com.
`2 See, e.g., Frederic Lardinois, Facebook Lifts The Veil On Its Mobile Device Testing Lab, TECHCRUNCH (July 13,
`2016), https://techcrunch.com/2016/07/13/facebook-lifts-the-veil-on-its-mobile-device-lab/ (noting the way in
`which Facebook tests changes to its smartphone application).
`
`
`
`3
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 4 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`BEFORE CORELLIUM
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`AFTER CORELLIUM
`
`
`
`Corellium’s technology provides a substantially more scalable, convenient, and efficient
`
`solution than the status quo. For example, using Corellium’s technology, security researchers and
`
`
`
`4
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 5 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`developers can quickly search for errors and vulnerabilities (“bugs”) in an app or operating system
`
`across multiple device models and operating system versions and write programs to automate these
`
`tasks. Similarly, if a bug “bricks” a virtual device and renders it unusable, a security researcher
`
`can instantly generate a new virtual machine rather than having to obtain a new physical device.
`
`This is one of several examples where Corellium’s technology is more efficient than the use of
`
`physical devices to perform security research.
`
`
`
`Corellium’s technology is not only more efficient, but also provides new and advanced
`
`functionality that is more effective than a physical device. For example, Corellium’s technology
`
`allows a virtual device to be paused during testing, which gives researchers a detailed look at its
`
`state at any given moment.
`
`
`
`Given the benefits of Corellium’s technology, it is no wonder third-party security experts
`
`have endorsed Corellium’s technology:
`
`“Corellium was founded in Florida in 2017, in the last two years it has
`earned a sterling reputation among mobile jail breakers and cybersecurity
`specialists . . . .” 3
`
`“Its product provides ‘virtualized’ versions of iOS. For security
`researchers, such software-only versions of the Apple operating system are
`incredibly valuable. For instance, it’s possible to use Corellium to pause
`the operating system and analyze what’s happening at the code level. Some
`in the industry have called it ‘magic,’ as it should help security researchers
`uncover vulnerabilities with greater ease and speed than having to work
`with a commercial iPhone.”4
`
`
`
`“You are obviously all from other planets as there is NO WAY in hell this
`was made by humans. Alien tech and I for one welcome our new overlords.
`This is magic and truly will change stuff. The sheer flexibility to virtualise
`
`
`3 Conor Reynolds, Apple Sues Virtualization Firm Corellium for “Perfect Digital Facsimile” of iOS, COMPUTER
`BUSINESS REVIEW (Aug. 16, 2019), https://www.cbronline.com/news/apple-sues-corellium (emphasis added).
`4 Thomas Brewster, Apple Sues Cybersecurity Startup for ‘Illegally Replicating’ iPhone for iOS, FORBES (Aug.
`15, 2019), https://www.forbes.com/sites/thomasbrewster/2019/08/15/apple-is-suing-a-cybersecurity-startup-for-
`illegally-replicating-iphones/#7d0ff994522b (emphasis added).
`
`
`
`5
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 6 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`the downgrading of devices, to test fixes/bugs/features on older versions, is
`amazing. Then, ability to change Device IDs on the fly, with Coretrace, this
`is heaven.”5
`
`At bottom, Corellium’s technology is innovative and transformative, which is why, after not being
`
`able to purchase the technology at the price it wanted, Apple is now attempting to use the court
`
`system to shut it down.
`
`
`
`Further, Corellium has made quintessential fair use of Apple’s technology. Corellium’s
`
`technology is highly transformative because it does not merely replicate Apple’s products for the
`
`same purposes for which the products were developed. Instead, Corellium’s technology utilizes
`
`portions of Apple’s technology for entirely distinct purposes, which provide significant societal
`
`benefits. For example, a user of Corellium’s technology cannot perform most functions that make
`
`a smartphone attractive: a user cannot make phone calls or send text messages. Nor can a user
`
`access iTunes, log into an iCloud account, navigate with GPS, pair Bluetooth headphones, or take
`
`pictures. Instead, a user of Corellium’s technology is constrained to use Apple’s technology for
`
`the purposes of, e.g., research, testing, and development. In other words, Corellium’s highly
`
`transformative use of Apple’s technology is for an entirely distinct purpose – research and
`
`improving the operating system itself – rather than the purposes for which Apple designed its
`
`products. And the purpose of using Corellium’s technology has significant societal value, i.e., the
`
`types of benefits the fair use doctrine is specifically meant to encourage. Apple has credited both
`
`
`5 Daniel Cuthbert (@dcuthbert), TWITTER (Aug. 14, 2019), https://twitter.com/dcuthbert/status/116165076214288
`7936?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1161650762142887936&ref_url=https
`%3A%2F%2Fpublish.twitter.com%2F%3Fquery%3Dhttps%253A%252F%252Ftwitter.com%252Fdcuthbert%25
`2Fstatus%252F1161650762142887936%26widget%3DTweet (emphasis added).
`
`
`
`
`6
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 7 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`Corellium and Corellium users with identifying vulnerabilities in iOS that have led to significant
`
`repairs in Apple’s iOS code.6
`
`
`
`It follows that Corellium does not use iOS in its entirety or merely replicate iOS for the
`
`same purposes as Apple. Instead, Corellium uses its own proprietary software to facilitate
`
`executing iOS on different hardware. When iOS is loaded onto the Corellium platform, it is not
`
`only transformed to enable it to run on different hardware, but it is also integrated with Corellium’s
`
`proprietary research tool, CoreTrace, as well as several third-party tools to improve the utility of
`
`the platform for developers and researchers. Apple cannot dispute that Corellium implements its
`
`own original code, virtual machine, and proprietary research tool in conjunction with third-party
`
`tools. And, while Apple is forced to rely upon physical devices to identify vulnerabilities or test
`
`new apps, Corellium’s technology enables iOS to run on a virtual platform – thereby obviating
`
`several limitations associated with using physical devices to perform such tasks. This, of course,
`
`further illuminates Apple’s motivation behind trying to make Corellium’s technology its own.
`
`
`
`Because Corellium’s technology is highly transformative, it cannot reasonably be said to
`
`harm the market for Apple’s products. Apple cannot be genuinely concerned it will lose
`
`smartphone market share to Corellium, because Corellium’s technology is in no way a market
`
`substitute for Apple’s products. Corellium’s technology simply has no relevant impact on Apple’s
`
`position in the marketplace. Apple does not (and cannot) plead otherwise.
`
`
`6 About the security content of iOS 13.3 and iPadOS 13.3, APPLE.COM (Dec. 10, 2019), https://support.apple.com/en-
`us/HT210785 (acknowledging Corellium for informing Apple of a vulnerability which allowed “[a]n application .
`. . [to] be able to execute arbitrary code with kernel privileges” and noting that the “information disclosure issue
`was addressed by removing the vulnerable code”); About the security content of iOS 12.4.1, APPLE.COM (Sept. 17,
`2019), https://support.apple.com/en-us/HT210549 (acknowledging Corellium user, @PWN20wnd, for their
`assistance in improving the security of iOS’ Kernel).
`
`
`
`7
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 8 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`Perhaps recognizing the futility of its claims for copyright infringement in light of
`
`Corellium’s highly transformative nature, Apple now accuses Corellium of violating the anti-
`
`trafficking provisions of the DMCA. But the DMCA was not intended to and should not curtail
`
`activities like those promoted by Corellium’s technology.7 Consistent with the foregoing, use of
`
`Corellium’s technology fits squarely within the express exemptions of the DMCA. This, of course,
`
`illustrates the fact that use of tools like those provided by Corellium are promoted – not prohibited
`
`– under the DMCA.
`
`This is not a case of digital piracy. Corellium’s technology is not a tool that enables users
`
`to bypass access controls or copy controls in iOS. Rather, Corellium’s technology enables
`
`developers and researchers to run freely available, unencrypted iOS files in a new, virtual
`
`environment. As any developer or security researcher knows, Apple makes its allegedly
`
`copyrighted work – its iOS object code – available for download for free.8 Moreover, Apple has
`
`intentionally left entire portions of its iOS code unencrypted (including the core of its operating
`
`system – the kernel) since at least 2016, well before Corellium was founded.9 Corellium does not
`
`enable use of any iOS encrypted iOS files, nor does it facilitate decryption. By making
`
`unencrypted iOS files readily available for download for free, Apple purposefully holds the door
`
`open for developers and security researchers to help it create a better product, and to create better
`
`
`7 H.R. Rep. 105-551, pt. 2, at 38 (1998) (“The Committee believes it is very important to emphasize that Section
`102(a)(2) [now codified as 17 U.S.C. § 1201(a)(2)] is aimed fundamentally at outlawing so-called ‘black boxes’
`that are expressly intended to facilitate circumvention of technological protection measures for purposes of gaining
`access to a work. This provision is not aimed at products that are capable of commercially significant noninfringing
`uses, such as consumer electronics, telecommunications, and computer products—including videocassette
`recorders, telecommunications switches, personal computers, and servers--used by businesses and consumers for
`perfectly legitimate purposes.”); Id. at 40 (stating the same intent with respect to Section 102(b)(1), now codified
`under 17 U.S.C. § 1201(b)).
`8 See supra, note 1.
`9 Kate Conger, Apple confirms iOS kernel code left unencrypted intentionally, TECHCRUNCH (June 22, 2016),
`https://techcrunch.com/2016/06/22/apple-unencrypted-kernel/.
`
`
`
`8
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 9 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`products of their own. Corellium simply enables developers and security researchers to do this in
`
`a more productive way.
`
`
`
`Apple’s Attempts To Purchase Corellium’s Predecessor Company—Virtual, LLC
`
`Unsurprisingly, Apple’s Complaint omits key information about Apple’s lengthy
`
`relationship with Corellium, its technology, and its founders. Apple has long admired Corellium’s
`
`founders and tried to recruit them and acquire their innovative technology for several years.
`
`In 2011, Corellium co-founder Chris Wade developed and launched iEmu, an open-source
`
`iOS emulator that emulated iOS applications on Android, Mac, and Windows devices.10 When
`
`Mr. Wade discussed his emulator with Apple’s Head of Security Engineering and Architecture,
`
`Ivan Krstić, Mr. Krstić called the emulator “awesome” and requested that Mr. Wade send him a
`
`“paragraph or two about what it supports and how far you’ve gotten” that Mr. Krstić could “pass
`
`around.” At that time, Mr. Krstić also tried to recruit Mr. Wade to join Apple for Mr. Krstić’s
`
`self-proclaimed “totally selfish motive of working with the smartest people in the world.”
`
`However, Mr. Wade did not join Apple. Instead, he, Amanda Gorton, and Stanislaw
`
`Skowronek developed and launched their first virtualization platform for iOS devices in 2014
`
`called Virtual, LLC (“Virtual”). The technology offered by Virtual is nearly identical to the
`
`technology offered by Corellium. Within six months, Mr. Wade, Ms. Gorton, and Mr. Skowronek
`
`were asked by Apple to enter into a letter of intent with the company for the acquisition of Virtual.
`
`The team decided to sell their company to Fort Lauderdale-based Citrix instead.
`
`
`
`
`
`
`
`
`10 iEmu: an open-source iOS device emulator, KICKSTARTER.COM (Aug. 16, 2011), https://www.kickstarter.com/
`
`projects/cmwdotme/iemu-an-open-source-ios-device-emulator.
`
`
`9
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 10 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`Apple’s Subsequent Attempts To Purchase Corellium
`
`Apple’s interest in Corellium’s founders and their innovative technology did not end with
`
`Virtual. In January 2018, Apple entered into negotiations with Mr. Wade and Ms. Gorton to
`
`purchase Corellium. The two companies entered into a Confidentiality Agreement for Possible
`
`Transaction (the “Non-Disclosure Agreement”) on January 25, 2018, after which Corellium
`
`provided Apple access to its platform and technical information concerning its underlying
`
`functionality.
`
`In the six months that followed, Corellium’s founders travelled to Cupertino, California at
`
`least three times to meet with Apple executives, including Apple’s Vice President of Software
`
`Engineering, Jon Andrews, and Apple’s Senior Vice President of Software Engineering, Craig
`
`Federighi, about a potential acquisition. While doing so, Corellium shared detailed technical
`
`information with Apple and demonstrated its technology to Apple’s security and software
`
`engineering teams several times. Corellium also participated in a full-day technical review of its
`
`platform conducted by Apple in March 2018. In June 2018, Corellium provided Mr. Andrews
`
`with a Corellium user account along with access to Corellium’s APIs.
`
`During Apple and Corellium’s negotiations, Apple never indicated to Corellium’s founders
`
`that it believed Corellium was infringing its copyrights or violating the DMCA. Nor did Apple
`
`send Corellium or its founders any cease and desist letter. Instead, Apple encouraged Corellium’s
`
`founders to “come demo” their product in Cupertino and suggested that Apple had a “good idea
`
`of how [Corellium’s] team could have a big impact and build on the core technology.” Then,
`
`nearly a year and a half after Apple began exploring a possible acquisition of Corellium, Apple –
`
`without warning – filed this lawsuit.
`
`
`
`
`
`10
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 11 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`Apple’s Use Of Corellium’s Technology
`
`In the months leading up to Apple’s negotiations with Corellium, it also approved
`
`Corellium to participate in its invitation-only bug bounty program, a program in which Mr. Wade
`
`had already been participating for more than a year. Through this program, Apple pays security
`
`researchers to submit bugs they find in Apple’s operating systems to Apple. While Corellium has
`
`submitted several bugs, Apple has failed to pay Corellium for any of them. Why? The reason is
`
`simple: why pay for bugs when you are going to own the company submitting the bugs?
`
`Due to Apple’s refusal to pay, it is Apple that owes Corellium. Rather than paying
`
`Corellium, Apple is now trying to receive additional bugs from the company for free. Apple’s
`
`First Set of Requests for Production requests Corellium to provide Apple with “any bugs, exploits,
`
`vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are,
`
`or have ever been, aware” (emphasis added). Through this lawsuit, Apple continues its practice
`
`of obtaining and retaining the benefit of Corellium’s technology without paying for the benefits it
`
`received.
`
`
`
`After Failing To Acquire Corellium, Apple Offered A New Product To Compete With
`Corellium’s Technology
`
`Just days before filing this lawsuit, Mr. Krstić announced at the Black Hat USA conference
`
`that Apple would increase the maximum reward amounts available for bug bounty submissions
`
`from $200,000 to $1,000,000 and also open up the bug bounty program to anyone interested in
`
`participating. Mr. Krstić also announced that Apple would give select independent security
`
`researchers special “pre-hacked” research devices so that they can search for flaws in the iOS.11
`
`
`11 Lorenzo Francecshi-Bicchierai, Apple’s Lawsuit Against a Startup Shows How It Wants to Control the iPhone
`Hacking Market, VICE NEWS (Aug. 16, 2018), https://www.vice.com/en_us/article/d3a8jq/apple-corellium-
`lawsuit.
`
`
`
`11
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 12 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`
`
`While Apple’s announcement was originally seen as a gesture of goodwill by a company
`
`that has been notoriously hostile to security researchers, it is clear from this lawsuit that Apple’s
`
`announcement was just that, a gesture. Corellium’s technology does what Apple clearly wants to
`
`prohibit any entity from doing – open up the security research and application development fields
`
`to third parties. Why else would Apple introduce new exclusive devices for security researchers
`
`and then – within days – file this lawsuit against Corellium? To stifle competition by preventing
`
`Corellium from offering third party researchers a more efficient alternative. Indeed, Apple’s
`
`Complaint acknowledges “that a cloud-based product like Corellium’s will compete directly with
`
`the custom devices that Apple plans to distribute to security researchers.” Doc. 589, ¶ 43. Through
`
`its invitation-only research device program and this lawsuit, Apple is trying to control who is
`
`permitted to identify vulnerabilities, if and how Apple will address identified vulnerabilities, and
`
`if Apple will disclose identified vulnerabilities to the public at all.
`
`Apple’s Real Reason For Suing Corellium
`
`So why did Apple sue Corellium? Because it was not able to purchase Corellium or its
`
`predecessor company, Virtual, for the price it wanted. Consequently, Apple did the only thing it
`
`knew to do when it could not acquire Corellium for less than fair market value – file a lawsuit
`
`accusing Corellium of copyright infringement and DMCA violations – even though Apple was not
`
`only aware of Corellium’s technology for several years, but actually encouraged its development.
`
`Rather than tell the real story, Apple paints Corellium as a bad actor, unscrupulously
`
`peddling its product to anyone for any reason. But Corellium does not license its platform to
`
`anyone. Its end users include well-known and well-respected financial institutions, government
`
`agencies, and security researchers. Financial institutions use Corellium’s technology to test their
`
`mobile banking apps to make them impenetrable to hackers and ensure stability in the event of
`
`
`12
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 13 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`heavy traffic. Government agencies use Corellium’s technology for the purpose of national
`
`defense. Security researchers use Corellium’s technology to more efficiently and effectively
`
`search for and repair security vulnerabilities in, e.g., mobile device apps and services.
`
`Further, the founders of Corellium’s first customer, Azimuth Security (“Azimuth”), wrote
`
`the book on security research: “The Art of Software Security Assessment.” Azimuth is owned by
`
`L3 Harris Technologies, Inc. (“L3”) – a government contractor headquartered in Melbourne,
`
`Florida, known for its space and defense communications systems. Contrary to Apple’s
`
`disparaging implication, Corellium and its founders do business with those working in software
`
`security to protect end users – not use it for an improper purpose.
`
`Corellium’s Technology Advances The Public Interest
`
`Soon after Apple sued Corellium, security researchers at Google’s Project Zero identified
`
`and disclosed a hacking campaign that exploited five distinct iOS exploit chains by embedding
`
`attacks in certain websites. Specifically, the press reported that flaws in Apple’s iOS security
`
`allowed the Chinese government to target Uyghur Muslim minorities by infecting their iPhones
`
`with malicious code that allowed attackers to read text messages, obtain passwords, and track
`
`locations in near-real time.12 It also infected the phones of non-Uyghurs and forced the FBI to ask
`
`Google to de-index the offending websites in order to reduce the number of infections.13
`
`
`
`
`
`
`12 Zach Whittaker, Sources say China used iPhone hacks to target Uygur Muslims, TECHCRUNCH (Aug. 31, 2019),
`https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/.
`13 Ravie Lakshmanan, iPhone Spyware Campaign Reportedly Targeted Uyghur Muslims For 2 Years, THE NEXT
`WEB (Sept. 6, 2019), https://thenextweb.com/security/2019/09/02/iphone-spyware-campaign-reportedly-targeted-
`uyghur-muslims-for-2-years/.
`
`
`
`13
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 14 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`Apple was forced to publicly admit the Uyghurs were attacked as a result of these iPhone
`
`security flaws, but disputed certain other information provided by Google.14 According to a recent
`
`press article, Apple’s security flaws indicate:
`
`Cupertino still has work to do in safeguarding its devices and services and
`it’s time for the company to deeply examine its own software for issues that
`resulted in the flaws that’ve made those iPhone attacks possible.15
`
`Corellium agrees. Corellium’s technology is intended to improve the security research and
`
`development community. Apple’s copyrights and the DMCA were never intended to cover or
`
`apply to Corellium’s technology. The Copyright Act is simply not that broad. See 17 U.S.C.
`
`§ 102(b). Perhaps if Apple focused more on security and less on litigation, it would not suffer the
`
`security flaws identified in recent press reports.
`
`CORELLIUM’S ANSWER TO APPLE’S SECOND AMENDED COMPLAINT
`
`1.
`
`Corellium admits that Apple initated this lawsuit, but denies any liablity or
`
`wrongdoing and denies that Apple is entitled to any relief.
`
`INTRODUCTION
`
`2.
`
`3.
`
`4.
`
`5.
`
`6.
`
`7.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`
`14 Stephen Nellis, Apple Says Uighurs Targeted In iPhone Attack But Disputes Google Findings, REUTERS
`(Sept. 6, 2019), https://www.reuters.com/article/us-apple-cyber/apple-says-uighurs-targeted-in-iphone-attack-
`but-disputes-google-findings-idUSKCN1VR29K.
`15 Lakshmanan, supra note 13.
`
`
`14
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 15 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`THE PARTIES
`
`8.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 8, and therefore denies same.
`
`9.
`
`Corellium admits that it is a limited liability company registered in Delaware.
`
`Corellium denies the remaining allegations in paragraph 9.
`
`JURISDICTION AND VENUE
`
`10.
`
`11.
`
`12.
`
`Admitted.
`
`Admitted.
`
`Admitted.
`
`FACTS COMMON TO ALL CLAIMS FOR RELIEF
`
`A. Apple’s Copyrighted Works
`
`13.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 13, and therefore denies same.
`
`14.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 14, and therefore denies same.
`
`15.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 15, and therefore denies same.
`
`16.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 16, and therefore denies same.
`
`17.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 17, and therefore denies same.
`
`18.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 18, and therefore denies same.
`
`
`
`15
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 16 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`19.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 19, and therefore denies same.
`
`20.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 20, and therefore denies same.
`
`21.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 21, and therefore denies same.
`
`22.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 22, and therefore denies same.
`
`23.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 23, and therefore denies same.
`
`24.
`
`Corellium lacks knowledge or information sufficient to form a belief as to the truth
`
`of the allegations contained in paragraph 24, and therefore denies same.
`
`B. Corellium’s Infringing Product
`
`25.
`
`26.
`
`27.
`
`28.
`
`29.
`
`30.
`
`31.
`
`32.
`
`33.
`
`34.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Denied.
`
`
`
`16
`
`

`

`Case 9:19-cv-81160-RS Document 599 Entered on FLSD Docket 07/17/2020 Page 17 of 60
`CASE NO.: 9:19-CV-81160-RS
`
`35.
`
`36.
`
`Denied.
`
`Corellium admits that the statements referenced in paragraph 36 purport to be
`
`attributable to Mr. Wade. The statements speak for themselves, and Corellium denies the
`
`allegations contained in paragraph 36 to the extent Apple attempts to characterize same.
`
`37.
`
`Corellium admits that Mr. Wade appeared on a podcast called Risky Business.
`
`Corellium admits that the statements referenced in paragraph 37 purport to be attributable to Mr.
`
`Wade. The statements speak for themselves, and Corellium denies the allegations contained in
`
`paragraph 37 to the extent Apple attempts to characterize same.
`
`38.
`
`39.
`
`40.
`
`41.
`
`Denied.
`
`Denied.
`
`Denied.
`
`Corellium denies the allegations contained in paragraph 41, except that Corellium
`
`admits that Corellium and its founders do business with those working in software security to
`
`protect end users.
`
`42.
`
`43.