In mid-August, Amanda Gorton and Chris Wade sat dumbfounded in their Boynton Beach, Florida, offices. They had just been sent a lawsuit that might yet kill their startup.
Within Gorton’s inbox was an email sent by a reporter containing a complaint filed by tech titan Apple against the married couple’s company, Corellium. The suit’s unceremonious appearance belied the gravity of the allegations they were facing: that they’d illegally copied the world’s most famous tech device, the iPhone.
Dubbed “magic” by some users, Corellium “virtualizes” iPhones, turning Apple phones into something you can play with on a PC. For Corellium customers, it lets them tinker with the iOS operating system to find functional problems or security vulnerabilities, all without risking breaking the iPhone, a famously locked-down device that doesn’t welcome anything not approved Apple. Unlike testing with the real thing, if the phone suddenly dies, you can just load up another one, making it useful for security researchers, developers and hobbyists, known as jailbreakers, who want to wrest back control of their iPhone. For Apple, though, this amounted to a copyright infringement of its product by “replicating” it without permission.
To Wade, a curly-haired, bespectacled Australian with the wide, intense eyes of a wired tech guy, and the more composed Yale-educated partner Gorton, the news that Apple was suing landed like a “gut punch.” Via exclusive interviews with the founders and documents they provided ahead of their legal response to Apple filed late Monday night, Forbes has learned the iPhone maker was considering buying Gorton and Wade’s first startup, a Corellium predecessor called Virtual. And it appears subsequent years-long relations between the parties were ostensibly amicable before the big bust up in August.
When Wade first heard about the suit he thought it was a joke. It’s no joke. Onlookers who spy a Goliath flexing its muscles against a plucky David are hoping, for the sake of iPhone security, an agreement is found. “As I understand it, many security researchers have used Corellium and submitted bugs to Apple,” said Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation.
Apple declined to comment on the claims made in this article. It pointed Forbes to the original complaint against Corellium, in which it said the suit was not trying to “encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works.” Summing up Apple’s withering opinion of Corellium, the Cupertino company wrote: “Corellium’s true goal is profiting off its blatant infringement. Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”
Cutting to the Apple core
Gorton and Wade’s long relationship with Apple can be dated back to at least the early 2010s. At the time the couple were working at OpenPeak, an enterprise mobile management company that had caught the attention of Mark Templeton, then Citrix CEO, who was considering an acquisition. Not long after Templeton met Wade, saying he was impressed by the Australian’s ability to do things considered “impossible,” Citrix bought Virtual, a startup founded by the married couple in 2014.
But in selling to Templeton, Virtual had to snub another suitor: Apple. A document outlining an agreement between Apple and Virtual, seen by Forbes, prevented the latter from talking to any other company about an acquisition for 45 days as the Cupertino company considered whether it wanted to splurge.
Did that upset the Apple cart? Is this a revenge story? Wade and Gorton aren’t sure. Gorton says she and her husband were excited such a formidable company was interested in their embryonic business.
The pair paints a picture of friendly Apple relations. Wade says he’s consistently handed details of security weaknesses to Apple. In 2016, after Apple announced it was launching a so-called Bug Bounty, where researchers are given monetary reward for disclosing vulnerabilities in iOS (now up to $1.5 million), Wade planned on partly funding Corellium with those bounties. He wanted to do it transparently, he says, and in one email dated September 27 2017, Wade explicitly told Apple’s manager for security and privacy programs, Jason Shirk, that he would start submitting bugs to fund his iPhone virtualizing startup.
The filing also suggests Apple encouraged Corellium’s early business. Emails provided to Forbes indicate Apple was at least impressed. Just as Corellium was getting started, in August 2017, Apple hosted a dinner in China for the Tencent Security Conference. Wade and Shirk dined together on Apple’s dime and later exchanged messages, according to the email threads. In one Wade boasted that he could virtualize the latest iPhone. Shirk’s response? “Wow! You got iOS 10.3 running virtually?” Wade cheekily messaged back: “Actually, we’re running iOS 11 :).”
At some point in the last year, something soured. In its filing on Monday, Corellium said that it hasn’t been paid for any of the vulnerabilities it submitted. In a counterclaim, the startup said that rather than it owing Apple anything, the Cupertino company owed it more than $300,000. And Corellium claimed Apple had launched a rival product in handing out custom iPhones for security researchers, letting them dive deeper into iOS.
Right now, Gorton says the bootstrapped Corellium is profitable, with a handful of customers across government and private industry paying thousands for its products: up to $62,500 for an on-site appliance and $575 a month for a cloud-based, single-user license for a month. But with legal fees mounting and the threat of being forced to kill the killer feature of its product, that profit could dwindle and leave Corellium facing collapse.
Apple, meanwhile, might be facing a backlash from the cybersecurity community. It’s already faced criticism this year. When Google released research in September regarding attacks on iPhone users from the persecuted Uighur community in China, Apple’s response was controversial. In a rare public post, it sought to downplay what happened. To some onlookers, including former Facebook chief security officer Alex Stamos, Apple was suggesting that attacks on Uighurs weren’t “as big a deal as Google makes it out to be.” “Apple’s response to the worst known iOS attack in history should be graded somewhere between ‘disappointing’ and disgusting,’” Stamos tweeted.
There’s the sense that after having opened up in the post-Steve Jobs years—with its industry-leading bug bounty and Tim Cook’s ostensibly aggressive stance on protecting user privacy—Apple is taking a few steps back. And one of those steps might squish one of the more intriguing startups to enter the often mundane cybersecurity market.