ZipperDown vulnerability puts thousands of iOS apps at risk
Tuesday, May 22, 2018
Austin Harris |
ZipperDown iOS vulnerability poses risk to thousands of applications on the market, leaving companies scrambling to make security updates.
ZipperDown vulnerability has put at risk potentially thousands of iOS apps on the market. Pangu Lab recently found that a vulnerability previously discovered in OAuth security is now being exploited by hackers to run malicious code on iOS applications. Casey Ellis, CTO of Bugcrowd, recently spoke on the matter, giving an in-depth technical overview of ZipperDown to developers:
“The ZipperDown disclosure from Pangu Lab finds that approximately 16,000 iOS applications are potentially vulnerable to security flaw that, in the worst cases, would allow an attacker to execute malicious code on a mobile device.
ZipperDown is not a "bug" per se, nor does it seem to be an issue in iOS itself; It’s the discovery of a common developer anti-pattern, or a commonly accepted development practice that turns out to be vulnerable. At Bugcrowd, we refer to instances such as Zipperdown as “0-day behavior” since they aren’t 0-days (i.e. one mistake in one piece of code that many people use), but can have a similar magnitude of impact. Anti-patterns like ZipperDown occur because the risk of a vulnerability is unknown it takes a hacker to discover, understand, and then educate the builders of these patterns and their overall impact. Until the vulnerability created by the anti-pattern is surfaced, developers continue introducing it into the wild.
A similar famous example of an anti-pattern is the "Covert Redirect" flaw within OAuth protocols which was uncovered in 2014. As is the norm with this type of vulnerability, it takes a crowd to find it, and for those building software to take this feedback on in order to fix it.
iOS is considered one of the more resilient operating systems, and people commonly use their phones and tablets on unsecured Wi-Fi in hotels, airports, bars and planes so it’s important that the operating itself is secure. I'm happy to see this class of issues being discussed as it brings awareness to a broader consumer audience, and I expect to see a flurry of app updates on my phone over the next few days.”
“The ZipperDown disclosure from Pangu Lab finds that approximately 16,000 iOS applications are potentially vulnerable to security flaw that, in the worst cases, would allow an attacker to execute malicious code on a mobile device.
ZipperDown is not a "bug" per se, nor does it seem to be an issue in iOS itself; It’s the discovery of a common developer anti-pattern, or a commonly accepted development practice that turns out to be vulnerable. At Bugcrowd, we refer to instances such as Zipperdown as “0-day behavior” since they aren’t 0-days (i.e. one mistake in one piece of code that many people use), but can have a similar magnitude of impact. Anti-patterns like ZipperDown occur because the risk of a vulnerability is unknown it takes a hacker to discover, understand, and then educate the builders of these patterns and their overall impact. Until the vulnerability created by the anti-pattern is surfaced, developers continue introducing it into the wild.
A similar famous example of an anti-pattern is the "Covert Redirect" flaw within OAuth protocols which was uncovered in 2014. As is the norm with this type of vulnerability, it takes a crowd to find it, and for those building software to take this feedback on in order to fix it.
iOS is considered one of the more resilient operating systems, and people commonly use their phones and tablets on unsecured Wi-Fi in hotels, airports, bars and planes so it’s important that the operating itself is secure. I'm happy to see this class of issues being discussed as it brings awareness to a broader consumer audience, and I expect to see a flurry of app updates on my phone over the next few days.”
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here