Remote Code Execution Attack on iOS Apps
On May 15, 2018, Pangu Lab announced the ZipperDown vulnerability, which allows a remote code execution attack on iOS apps. Although Pangu Lab did not disclose the details of the ZipperDown vulnerability, we can infer from its researchers’ public comments and Weibo’s incident response that the vulnerability exists in the “SSZipArchive” and “ZipArchive” libraries, which are commonly used to decompress .zip files inside iOS apps.
One of the pre-conditions for a ZipperDown attack is that the user has to be in an unsafe Wi-Fi environment. Only then can an attacker launch a Man-in-the-Middle (MiTM) attack and replace the benign .zip file with a malicious .zip file over the unencrypted network.
The attack works as follows:
- An iOS application downloads a malicious zip file over an unencrypted connection.
- The app uses the ZipArchive or SSZipArchive library to decompress it. Since the ZipArchive and SSZipArchive libraries allow entries to be unzipped into parent directories, a malicious .zip file can be unzipped to overwrite app data or code. Apps that dynamically load code, such as via JavaScript bridges, make it easier for an attacker to overwrite that code and launch a remote code execution attack.
- In this way, a ZipperDown attacker can gain access to user information and/or perform other malicious functions, such as sending premium SMS messages from users’ devices.
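The condition that makes the overwrite possible is an archive entry whose name resolves outside the extraction directory. The following is an added Python illustration (not code from SSZipArchive, ZipArchive, Pangu Lab or Appthority) of the check a decompression routine should perform on every entry before writing it; the archives and the destination path are constructed here as sample data.

```python
import io
import posixpath
import zipfile


def unsafe_entries(zip_bytes: bytes, dest: str) -> list:
    """Return the entry names in an archive that would be written outside `dest`.

    Each entry name is resolved against the destination directory; absolute
    names and names whose '..' segments climb above `dest` are flagged.
    """
    dest = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            # Treat backslashes as separators too; some zip writers emit them.
            name = info.filename.replace("\\", "/")
            target = posixpath.normpath(posixpath.join(dest, name))
            escapes = target != dest and not target.startswith(dest + "/")
            if posixpath.isabs(name) or escapes:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {entry_name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign content bundle and one carrying a traversal entry.
BENIGN = build_sample_zip({"bundle/app.js": "console.log('ok');", "bundle/logo.png": b"\x89PNG"})
TRAVERSAL = build_sample_zip({"bundle/app.js": "ok", "../../Library/script.js": "overwritten"})

if __name__ == "__main__":
    # Hypothetical app-sandbox path; the real path is assigned by iOS per install.
    dest = "/var/mobile/Containers/Data/Application/APP-UUID/Documents/update"
    print(unsafe_entries(BENIGN, dest))     # []
    print(unsafe_entries(TRAVERSAL, dest))  # ['../../Library/script.js']
```

An extractor that refuses the whole archive when this list is non-empty closes the overwrite path even if the download channel is still unencrypted.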
Extent of Potential Damage
The remote code execution occurs inside the affected app, allowing a remote attacker to possess the same privileges or permissions as the vulnerable app. For instance, if a vulnerable app has permission to access the user’s address book, the ZipperDown attacker will also have access to the affected user’s address book. Fortunately, the attacker cannot escalate his/her privilege to system-level processes and take over the device. Nonetheless, it is wise for enterprises to pay more attention to ZipperDown-vulnerable apps with excessive or high-risk permissions or entitlements.
How Common are ZipperDown Vulnerable Apps?
Searching our database of apps in enterprise environments, Appthority found 190,420 apps that contain the “SSZipArchive” and “ZipArchive” libraries and 31,820 apps that succeeded in downloading .zip files unencrypted. 37% of Appthority customer enterprises contain apps downloading .zip files unencrypted. Although Pangu Lab indicates that it’s working on Android detection, Appthority already detects both Android and iOS apps that download unencrypted .zip files.
The following table lists the top 10 enterprise iOS apps that download .zip files unencrypted, ranked by the number of affected enterprise devices. An interesting observation is that among the top 10 apps, 3 are travel-related apps created by airlines. This is particularly bad news since airports are one of the most common places where users connect to unsafe Wi-Fi networks. With airline apps exposed to the ZipperDown vulnerability, both the risk and the likelihood of an attack against mobile users increase.
| Application Name | Package Name | Version | Category | File Hash |
| --- | --- | --- | --- | --- |
| Calculator Pro+ for iPad | com.apalonapps.calcfree | 5.3 | Utilities | 6f15cbc9b39ec88df706d1384e924fea |
| BBC News | uk.co.bbc.news | 4.9 | News | 31b1f916ec8fcd062b25abe83baa9cf7 |
| LATAM Entertainment | com.lan.entertainment | 2.0.35 | Travel | 87d5225e28def4f693f2e827ca23e902 |
| Taobao – Shopping | com.taobao.taobao4iphone | 7.8.2 | Shopping | 9e8f2f0ecb282adc5552951b75be5f5c |
| Meitu | com.meitu.mtxx | 8.0.02 | Photo & Video | 5940544642a23625d87691519ae077bf |
| BBC News | uk.co.bbc.newsuk | 4.9 | News | 032902a8e4248e032d07dd5fa97c8162 |
| AliExpress Shopping App | com.alibaba.iAliexpress | 6.10.0 | Shopping | 49b15d20fc0526118f4f3212a1c8bdb0 |
| musical.ly | com.zhiliaoapp.musically | 7.1.0 | Photo & Video | 3a5cbc2362476c17f3bb3f2347772fec |
| Virgin Australia Entertainment | com.lhsystems.ife.boardconnect.dj.iphone.daios.ped | 3.7.18.16 | Travel | d5ea66af006ea7d1e2bb7093dac2288f |
| Fly Delta for iPad | com.delta.mobile.ipad.flydelta | 1.8.1 | Travel | 96ef2bf0fbbd270582231a681a172870 |
Recommendations
Appthority customers already have advanced detection in place to identify iOS as well as Android apps that demonstrate the ZipperDown vulnerability at runtime by downloading a .zip file over an unencrypted connection. This detection is most important for apps handling sensitive corporate and personal data, such as EMM-published applications and personally downloaded business-related applications used by employees for productivity. Appthority MTP allows our customers to prioritize the most critical types of ZipperDown-affected apps in this way.
Contact Appthority to discuss how we can help your organization identify enterprise-relevant ZipperDown-affected apps as well as other enterprise mobile security threats.
For mobile users:
- Avoid connecting to untrusted Wi-Fi networks, such as public networks in airports and coffee shops.
- Uninstall apps that are on the top 10 list above or those listed on the ZipperDown.org website until the apps have been fixed by their developers (Pangu Lab will remove an app from its list when the developers inform them that the vulnerability has been fixed).