Security experts discovered a dangerous bug that affects applications built for Apple’s mobile software infrastructure. According to the published information the ZipperDown vulnerability affects around 10% of all iOS apps released publicly. It is possible that this bug can function on Android devices as well.
ZipperDown Vulnerability Strikes iOS Apps
The discovery of ZipperDown was announced by Pangu Lab which have since created a specialist site giving details about the issue. A code analysis of their clients has revealed a very common programming error which has led to dangerous consequences when reviewed further. To give out further details about it’s spread the team has devised a special signature that can detect the problem in iOS apps. A scan was conducted using it on a specialist application analysis platform and the results show that around 10% of all iOS apps might be affected .
The platform cannot give out a 100% certainty however these figures are taken as credible enough to issue a warning across the whole security community. Some of the affected programs include even those that have more than 100 million active users: Weibo, MOMO< NetEas Music, QQ Muiic and Kwai. Exact details about the way ZipperDown operates are not disclosed at this moment in order to protect end-users. The security experts will work with all vendors that may have concerns about vulnerabilities in their products and services.
Details About The ZipperDown Vulnerability
As the detected Zipperdown vulnerability is described as a common programming language error the developers have also prepared a detector tool that is compatible with Android apps. At this moment there is no information available on specific vulnerable apps. The team has confirmed that some software may be impacted however details on this are due to be released.
Vulnerable iOS and Android apps can lead to several dangerous outcomes including data modification and even overwrite, as well as arbitrary code execution. In such cases the ZipperDown vulnerability has been observed to be limited by the sandbox environments used in both operating systems — Android and iOS.
Some issues that hinder the proper security assessment is the fact that the produced signatures might showcase many false negatives. This is the reason why a thorough manual code investigation is advised. The ZipperDown vulnerability can be exploited via different methods however the most common are traffic hijacking and spoofing.
To this date there are no reported incidents as the bug has just been discovered. Given this it is very possible that actual attacks are to be caused using complex scenarios. ZipperDown exploits will probably be performed using other malicious components as well in a several-tier behavior pattern.
We expect that vendors will mitigate the ZipperDown vulnerability in due time to prevent any security incidents.