ZipperDown: Remote Code Execution Attack on iOS Apps

On May 15, 2018, Pangu Lab announced the ZipperDown vulnerability, which allows a remote code execution attack on iOS apps. Although Pangu Lab did not disclose the details of the ZipperDown vulnerability, we can infer from its researcher’s public comments and Weibo’s incident response, that the vulnerability exists in the “SSZipArchive” and “ZipArchive” libraries, which are commonly used to decompress .zip files inside iOS apps.

One of the pre-conditions for a ZipperDown attack is that the user has to be in an unsafe Wi-Fi environment. Only then can an attacker launch a Man-in-the-Middle (MiTM) attack and replace the benign .zip file with malicious .zip file over the unencrypted network.

The attack works as follows:

• An iOS application downloads a malicious zip file over an unencrypted connection.
• The app uses the ZipArchive or SSZipArchive library to decompress it. Since the ZipArchive and SSZipArchive libraries allow unzipping files in parent directories, malicious .zip file can be unzipped to overwrite app data or codes. Apps that dynamically load the codes, such as via JavaScript bridges, make it easier for an attacker to overwrite the codes and launch remote code execution attacks.
• In this way, a ZipperDown attacker can gain access to user information and/or perform other malicious functions, such as sending premium SMSes on users’ devices.

Extent of Potential Damage

The remote code execution occurs inside the affected app allowing a remote attacker to possess the same privileges or permissions as the vulnerable app. For instance, if a vulnerable app has permission to access the user’s address book, the ZipperDown attacker will also have access to the affected user’s address book. Fortunately, the attacker cannot escalate his/her privilege to system-level processes and take over the device. Nonetheless, it is wise for enterprises to pay more attention to ZipperDown-Vulnerable apps with excessive or high risk permissions or entitlements.

How Common are ZipperDown Vulnerable Apps?

Searching our database of apps in enterprise environments, Appthority found 190,420 apps that contain the “SSZipArchive” and “ZipArchive” libraries and 31,820 apps that succeeded in downloading .zip files unencrypted. 37% of Appthority customer enterprises contain apps downloading .zip files unencrypted. Although Pangu Lab indicates that it’s working on Android detection, Appthority already detects both Android and iOS apps that download unencrypted .zip files.

The following table represents the top 10 enterprise iOS apps that download .zip files unencrypted based on the highest number of affected enterprise devices. An interesting observation is that among the top 10 apps, 3 of them are travel-related apps created by airlines. This is particularly bad news since airports are one of the most common places where users use unsafe Wi-Fi networks. With airline apps being vulnerable to the ZipperDown vulnerability, this increases both the risk and likelihood of an attack against mobile users.

Application Name	Package Name	Version	Category	File Hash
Calculator Pro+ for iPad	com.apalonapps.calcfree	5.3	Utilities	6f15cbc9b39ec88df706d1384e924fea
BBC News	uk.co.bbc.news	4.9	News	31b1f916ec8fcd062b25abe83baa9cf7
LATAM Entertainment	com.lan.entertainment	2.0.35	Travel	87d5225e28def4f693f2e827ca23e902
Taobao – Shopping	com.taobao.taobao4iphone	7.8.2	Shopping	9e8f2f0ecb282adc5552951b75be5f5c
Meitu	com.meitu.mtxx	8.0.02	Photo & Video	5940544642a23625d87691519ae077bf
BBC News	uk.co.bbc.newsuk	4.9	News	032902a8e4248e032d07dd5fa97c8162
AliExpress Shopping App	com.alibaba.iAliexpress	6.10.0	Shopping	49b15d20fc0526118f4f3212a1c8bdb0
musical.ly	com.zhiliaoapp.musically	7.1.0	Photo & Video	3a5cbc2362476c17f3bb3f2347772fec
Virgin Australia Entertainment	com.lhsystems.ife.boardconnect.dj.iphone.daios.ped	3.7.18.16	Travel	d5ea66af006ea7d1e2bb7093dac2288f
Fly Delta for iPad	com.delta.mobile.ipad.flydelta	1.8.1	Travel	96ef2bf0fbbd270582231a681a172870

Recommendations

Appthority customers already have advanced detection in place to identify iOS as well as Android apps that demonstrate the ZipperDown vulnerability in runtime by downloading a .zip file using an unencrypted connection. This advanced detection is most important for apps handling sensitive corporate and personal data such as EMM published applications and personally downloaded business related applications used by employees for productivity. Appthority MTP allows our customers to prioritize the most critical types of ZipperDown affected apps in this way.

Contact Appthority to discuss how we can help your organization identify enterprise relevant Zipperdown affected apps as well as other enterprise mobile security threat.

For mobile users:

• Avoid connecting to untrusted Wi-Fi networks, such as public networks in airports and coffee shops
• Uninstall apps that are on the top 10 list above or those listed on the ZipperDown.org website until the apps have been fixed by the developers (Pangu Lab will remove the app from its list when the developers inform them that the vulnerability has been fixed).

*** This is a Security Bloggers Network syndicated blog from Mobile Threat Blog Posts | Appthority authored by Su Mon Kywe. Read the original post at: https://www.appthority.com/mobile-threat-center/blog/zipperdown-remote-code-execution-attack-on-ios-apps/