ZipperDown Programming Vulnerability Could Let Hackers Execute Code in iOS Apps

A recently discovered vulnerability in iOS applications could allow hackers to execute code within affected apps, provided the device is connected to an attacker-controlled Wi-Fi network. The number of potentially vulnerable applications is estimated at around 10 percent of iOS applications, and the programming error has been validated by an Apple security researcher.

The jailbreaking team that reported the vulnerability, Pangu Team, has not yet released any technical details about how the programming glitch can be exploited, but they did release a proof-of-concept video.

“While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected Apps,” reads the ZipperDown website. “Surprisingly, we found that round 10% iOS Apps might be affected by the same or similar issues.”

Speculation that the programming vulnerability might lie in the commonly used utility named ZipArchive has not yet been confirmed by the Pangu Team, which says it is keeping mum about it to prevent hackers from exploiting it in the wild. However, the team did post a list of potentially affected iOS applications, ranging from Instagram and Pandora to Dropbox and Amazon.

“Due to the large amount of potentially affected apps, we cannot verify all the results precisely. To protect the end-users, the detail of ZipperDown is not available to the public for now.”

Since the premise for the attack to work involves users connecting their vulnerable applications â€“ and devices, of course â€“ to attacker controlled networks, developers are theoretically tasked with fixing their apps. However, Apple has yet to officially confirm the vulnerability and publish guidelines on what developers need to do to fix it.

The same researchers also noted that Android applications might be affected as well, as they have already confirmed that a number popular Android apps share the same programming vulnerability.