A programming error that could expose thousands of iPhones to attacks has been found in over 15,000 iOS apps, some that have been downloaded over 100 million times.
Dubbed ZipperDown, the flaw was discovered by China-based iPhone jailbreaking experts Pangu Team which noticed the programming error while auditing various iOS apps.
“According to our search, 15,978 out of 168,951 iOS apps are potentially vulnerable. ZipperDown is a very typical programming error, and we did not expect so many iOS apps to have this issue,” stated Pangu on its ZipperDown website.
Pangu states that the error could possibly lead to severe consequences, though it depends on the affected app and its privileges. However, the attacker also needs to be in control of the WiFi network in order to exploit the flaw to run malicious codes.
To prove its claim, Pangu posted a video showing a user downloading and using the Chinese microblogging service Weibo in an unsafe WiFi environment. A hacker then exploits the ZipperDown issue in Weibo to gain remote code execution within the app.
However, Pangu also notes that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.
Although Pangu has not released specific details about ZipperDown to avoid exploitation of the vulnerability, PC Mag states that some researchers in China have shared how the flaw works.
The reports claim that the error involves a third-party utility called ZipArchive that allows iOS apps to read and write Zip files.
Pangu created a ‘signature’ for the issue and performed a large scale search on its app analysis platform Janus. It found that around 10% of iOS Apps to be affected by the same or similar issues, including Instagram, Amazon, Twitterific and Dropbox. Pangu also warns that although it has created a signature for ZipperDown, it may suffer from high false negatives, and recommends manual inspection to confirm the affected apps. Pangu claims that it has manually verified that Weibo, MOMO, NetEase Music, QQ Music and Kwai are definitely vulnerable.
Pangu has also confirmed that many popular Android apps also have similar issues and that it will release more information on the affected apps soon.
In an article in Forbes, founder of app security firm Verify.ly Will Strafach who has been granted access to detailed information about ZipperDown says that the flaw is more of “an unexpected way in, rather than a complete exploit” for iPhones.
He also stated that the flaw can be fixed easily with an app update, and iPhone users are encouraged to keep their applications up to date to avoid any untoward incidents.