ZipperDown catches 16,000 iOS apps with their pants down

These days, there seem to be two types of security vulnerabilities – those with alarming names and eye-catching logos, and those that make do with mere CVE numbers.

The latest example of the naming trend is ZipperDown, uncovered by Chinese jailbreakers Pangu Lab, affecting iOS apps and possibly some Android ones too.

The company offers only minimal detail on the flaw beyond describing it as:

A common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected apps.

This sounds like trouble but this time the eye-catching bit is the number of apps the company believes might suffer from it – 15,978 (9.5%) of 168,951 iOS Apps in the App Store, a collection of computer programs that have been downloaded about 100 million times.

They admit this is a guesstimate due to the impossibility of checking such a large number of apps individually.

As for other platforms:

We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in future.

The company manually verified that a number of Chinese apps are affected, including Weibo, MOMO, NetEase Music, QQ Music and Kwai, while Instagram, Pandora, Dropbox, Amazon and a Google app or two are on the long list.

Working out which apps are affected will require developers to carry out manual checks, app-by-app.

While ZipperDown sounds like a big issue on the face of it, as flaws-with-their-own-names go this one is probably a bit second division.

As Pangu Lab alludes to in its advisory, exploiting it appears to require control of a Wi-Fi network, for example using a compromised public hotspot. That’s not hard to imagine happening but still limits the chances of compromise for most users.

The company also admits:

The sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.

An unsettling aspect of the alert is that while the company has kept the guts of the flaw to itself (to give app developers time to check for the problem and fix it), further details seem to be known elsewhere, with some claiming the problem is a path traversal issue in a utility called ZipArchive.

If that’s true, exploits might not be far off. App makers need to check their software for the issue and correct it as soon as possible.
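For developers doing that check, the sketch below shows the kind of validation an unzip routine needs before it writes anything to disk. It is an added example, not Pangu Lab's or ZipArchive's code, and it assumes the flaw is the zip path traversal described in the unconfirmed reports; the function names and the sample archive are made up for illustration.

```python
import io
import os
import stat
import zipfile

def unsafe_entries(archive, dest_dir):
    """Return (entry name, reason) for every entry that must not be extracted."""
    root = os.path.realpath(dest_dir)
    flagged = []
    for info in archive.infolist():
        name = info.filename.replace("\\", "/")
        unix_mode = info.external_attr >> 16  # upper 16 bits hold the Unix mode
        target = os.path.realpath(os.path.join(root, name))
        if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
            flagged.append((info.filename, "absolute path"))
        elif os.path.commonpath([root, target]) != root:
            flagged.append((info.filename, "escapes destination"))
        elif stat.S_ISLNK(unix_mode):
            flagged.append((info.filename, "symlink entry"))
    return flagged

def safe_extract(archive, dest_dir):
    """Extract only if every entry stays inside dest_dir; otherwise refuse."""
    bad = unsafe_entries(archive, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, unsafe entries: {bad}")
    archive.extractall(dest_dir)

def build_sample():
    """Constructed test archive: one normal entry and three that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/theme.json", "{}")
        zf.writestr("../Library/overwritten.js", "x")  # climbs out of dest_dir
        zf.writestr("/tmp/abs.txt", "x")                # absolute path
        link = zipfile.ZipInfo("assets/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # marked as a symlink
        zf.writestr(link, "/etc")
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))

if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample(), "/tmp/unpack-demo"):
        print(f"{reason}: {name}")
```

The same three checks (absolute path, resolved path outside the destination, symlink entry) apply whatever language the app's unzip code is written in.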

Whatever else it is, ZipperDown is an unusual flaw. With so many apps apparently affected, and so many app developers needing to be informed, responsible disclosure becomes a huge communications issue. As much as we might dislike the trend for PR-first vulnerability naming, perhaps giving this flaw a fancy name and its own badge was the right attention-grabbing tactic in this case.