On top of everything, the blog makes another pretty bold claim: code that apparently is the intellectual property of Apple appears within Cellebrite’s software—something Marlinspike says “might present a legal risk for Cellebrite and its users.” In other words, Cellebrite might be selling code that belongs to its biggest adversary.

If all of these disclosures are true, it could have pretty massive ramifications for Cellebrite. If we can assume it’s really this easy for someone to break into the company’s software and drastically alter the data that police are collecting, how certain can law enforcement be that the evidence they are collecting is actually correct? What would the legal ramifications be for the cases that have hinged on Cellebrite’s software, if its security is really so paltry? Anyone who’s been involved in a case that used this software should probably be calling their lawyer right now.


The fact that Marlinspike has very publicly outed these security concerns—and done so without prior disclosure to Cellebrite, as is standard industry practice—could definitely be viewed as a swipe, if not an outright backhanded slap to the face. It’s hard not to read all of this as some sort of retort to Cellebrite’s recent claims that it can crack Signal’s encryption—surely a claim that stuck in Marlinspike’s craw. To top everything off, the Signal CEO actually ends the blog by really making it sound like Signal plans to spam Cellebrite with some sort of malware-adjacent files in the future:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software...We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.


Shots fired, indeed. We have reached out to Cellebrite for comment and will update this story if we hear back from them.

UPDATE, 6:50 p.m., Wednesday, April 21: In response to request for comment, a spokesperson for Cellebrite sent us the following statement:

Cellebrite enables customers to protect and save lives, accelerate justice and preserve privacy in legally sanctioned investigations. We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community. Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.