Thousands of iOS apps apparently contain a programming error that can expose the products to hijacking, according to security researchers in China.
Pangu Team, a group of iPhone jailbreaking experts, say they discovered the problem while auditing several iOS apps. The programming error can let a hacker on the same Wi-Fi network as an iPhone overwrite data and execute code within the affected apps.
“Surprisingly, we found that around 10 percent of iOS apps might be affected by the same or similar issues,” the team said. To come to this number, the jailbreaking experts took a sample of 169,000 iOS apps, and found that close to 16,000 had the flaw.
Pangu has created a website about the programming error, which they’re calling “ZipperDown.” They’ve also uploaded a video, demonstrating the problem. In it, the user downloads a Chinese microblogging service called Weibo, which is then hacked over an open Wi-Fi network to gain remote code execution within the app.
To prevent bad actors from exploiting the flaw, Pangu isn’t revealing technical details of it. Nevertheless, an iOS security researcher named Will Strafach was given access to the details and told PCMag that the programming error is indeed legit.
“This is certainly genuine and an interesting find,” Strafach said in a Twitter direct message. “I think the main action item for users here is to keep an eye out for app updates over these next few weeks, and make an effort to update ASAP as app updates become available.”
So far, Apple hasn’t commented on the problem and it isn’t clear if Pangu reported the programming error to the company or any app developers. Apple has over 2 million apps on its App Store.
“Is ZipperDown a new type of vulnerability? No. ZipperDown is a very typical programming error, and we did not expect so many iOS apps to have the issue,” the team’s website says.
Although Pangu is withholding the technical details about the problem, other researchers in China have posted more details about ZipperDown. According to those posts, the error involves a third-party utility called ZipArchive, which lets iOS apps read and write Zip files. An error in the implementation can let an attacker exploit the utility to run malicious computer code. Doing this appears to require the hacker to have control over a Wi-Fi network, so that they can hijack the traffic and spoof app services.
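The article does not say what the implementation error in ZipArchive is. The example below is added here for illustration and is not code from the article, from Pangu, or from the ZipArchive project; it assumes the error is the classic one for archive libraries, namely trusting entry names such as `../file` so that a hostile archive (which an attacker on a hijacked network could substitute for the one the app expects) writes outside the app's intended directory. The hardened extractor resolves each entry's path and refuses anything that lands outside the destination. Python's `zipfile` is used because it is easy to run; the archive contents and entry names are constructed sample input.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_archive(entries):
    """Build an in-memory zip from a {name: bytes} mapping.

    zipfile stores entry names verbatim, so names containing '..'
    end up in the archive exactly as given (constructed test input).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(archive_bytes, dest_dir):
    """Extract an archive, writing only entries that stay inside dest_dir.

    Returns (extracted, rejected): lists of entry names that were written
    and that were refused because their resolved path escaped dest_dir.
    """
    dest = Path(dest_dir).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the would-be target path and check it is dest itself
            # or a descendant of dest. This catches absolute names as well
            # as any mix of '..' segments, since resolve() normalises them.
            target = (dest / name).resolve()
            inside = target == dest or dest in target.parents
            if os.path.isabs(name) or not inside:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run the hardened extractor on a constructed archive that mixes a
    legitimate entry with two traversal attempts; report what happened and
    whether anything was written outside the extraction directory."""
    archive = build_archive({
        "theme/style.css": b"body { color: black }",          # legitimate
        "../outside.txt": b"would land beside the sandbox",    # traversal
        "sub/../../../also_outside.txt": b"nested traversal",  # traversal
    })
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "unpacked")
        os.makedirs(dest)
        extracted, rejected = safe_extract(archive, dest)
        # Anything other than our own 'unpacked' dir would mean an escape.
        escaped = sorted(p for p in os.listdir(tmp) if p != "unpacked")
    return extracted, rejected, escaped


if __name__ == "__main__":
    print(demo())
```

The check belongs in the archive library, not in each app, which is why a single library defect can affect thousands of apps at once. Resolving the full path and comparing it against the destination is more robust than searching entry names for `..`, because it also handles absolute names and `..` segments buried in the middle of a path. The other half of the defense is the network side the article alludes to: fetching archives over TLS with certificate validation so that an attacker on the same Wi-Fi network cannot substitute the download in the first place.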
To help app developers patch the flaw, the Pangu Team has uploaded a list of all the affected iOS apps it’s found. Included are Instagram, Pandora, Dropbox and Amazon, but the experts note it’s possible any apps on the list may have been falsely flagged, and so they’re recommending app developers manually check.
The Pangu Team said it personally verified that several popular Chinese apps including Weibo, social networking service Momo and QQ Music all had the programming error.
“We have confirmed that many popular Android apps have similar issues. We will release more results for Android apps in future,” the team added.