A Retrospective on WebP CVE
Executive Summary
Earlier this year, Zimperium analyzed and reported on the patching process of CVE-2023-4863 for Android. Upon the conclusion of our research, we observed a steady and solid patching trend once a patch was made available. In this blog we will underline the differences and the similarities on how iOS developers reacted to the WebP vulnerability and our observed patching trends of those iOS applications.
BLASTPASS
In September 2023, Citizen Lab reported BLASTPASS, which, at the time, was a new zero-day mechanism that targeted iOS and Android devices through an image parsing vulnerability. The WebP vulnerability exploited the device by crafting an image that causes the image parser to overflow a buffer on the heap and distribute it to the victims. This later became known as the (in)-famous WebP vulnerability.
What is Flutter and why is it important?
Flutter is an open-source UI toolkit that allows developers to create natively compiled applications for multiple platforms, including iOS, Android, web, and desktop, using a single codebase. It is highly favored by app developers due to its ability to streamline cross-platform development, significantly reducing the time and resources needed to maintain separate codebases for the various supported platforms. But Flutter’s ubiquity comes at a high price when it comes to vulnerabilities. The reason for this is that a serious vulnerability in Flutter doesn’t affect just one specific platform, it affects all platforms where the framework is used. In other words, the famous quote “with great power comes great responsibility” can be extended into include: “…and with great consequences”.
During the disclosure of BLASTPASS, Zimperium had observed a bigger number of Flutter application submissions for iOS, it appears to be clear that finding an eventual exploit for the Apple ecosystem was a top priority. This could be related to many factors. Such as executives or stakeholders preferring some platforms with respect to others. Or just related to company policies and choices.
Choosing Flutter as the development framework to analyze the vulnerability patching process for CVE-2023-4863 was a natural decision, given that Flutter provides the maintenance of a nearly single codebase across multiple platforms. This allowed us to observe the patching evolution in a way that can likely reveal patterns applicable across the various platforms.
What Trend did we see for Android Applications?
Before we look at iOS, let’s review what we saw on Android. Earlier this year, Zimperium did a similar research exercise where we analyzed and reported on the patching process of CVE-2023-4863 for Android. Upon the conclusion of our research, we observed a steady and solid patching trend once a patch was made available. In this blogpost we will underline the differences and the similarities on how iOS developers reacted to the WebP vulnerability and its patching trends.
Following the white Apple: CVE-2023-4863 (WebP)
Even if the density of Flutter apps within the market places is mostly balanced (between 15% and 20%) for iOS and Android, we will focus on the Flutter applications submitted to our analysis engine.
Within one week of Citizen Labs publishing their report (7th of September), a patch was available for Flutter.
Now let’s break down the patching journey and see how it progressed.
The good news is that top brands will do the right thing. Among the top applications that use Flutter, within 30 days from the release of the patch, the likelihood of finding a vulnerable application to WebP in a random sample of top applications was negligible.
The bad news is the top applications only represent five percent of apps in the Apple AppStore. What about the remaining 95 percent?
In order to answer this question, we divided our research into two parts:
- Part 1 – Assess a random sample of apps chosen between patch day to the end of 2023
- Part 2 – Assess a random sample of apps selected between Jan 2024 – March 2024
For each part of the research, we randomly analyzed ~8000 iOS applications 6 months post release of the patch.
Part 1: Apple Developers Address Updates at a Different Pace
Of the roughly 8000 iOS applications sampled in the final three months of 2023, about 10 percent were written in Flutter. But 100 percent of these apps were still vulnerable to WebP by the end of 2023, which is disheartening. With users carrying an average of three devices (source) with an average of 80 apps (source) per device, we are likely to see several iOS WebP-vulnerable apps on our Apple devices.
Part 2 – A new year, a cold-start
Six months later (Q1 of 2024), we selected a new random sampling of 8K iOS applications. The percentage of submitted Flutter apps dropped approximately 5% even considering the growth in Flutter apps. We also witnessed a drop in the number of vulnerable apps (as expected). This time, 90% of the apps were vulnerable. It is unfortunate, however, that even after 6 months of the patch being available, the average user was still vulnerable to the WebP vulnerability.
Conclusion: Enterprise apps must be vetted prior to being published
Vulnerabilities are an inherent aspect of computing devices. As technology evolves, so too do the opportunities for vulnerabilities to be exploited, especially if they are not addressed quickly.
The iOS ecosystem seems to react especially slowly to patching, For instance prioritizing stability over new features. This does not denote more exposure per-se but it shows that there are more applications that could serve as a vector to an exploitation. For these reasons it is fundamental to do app vetting before publication on the store as well as for apps installed in one’s organization and perform continuous checks for outdated software installed.
The patching lifecycle we discussed does not take into account people using private or unofficial repositories (i.e. forking). Moreover, the “plug and play” inclusion of SDKs severely limits developer control by requiring them to track security issues of code they include or maintain in their code. In reality, these factors aggravate the situation much further for enterprises.
Mobile-powered Enterprises will encounter these app vulnerabilities in three different ways.
- For in-house developed apps, developers need to be aware of the vulnerability, and the patch and expedite applying the patch as soon as possible.
- The security team needs the ability to assess third-party personal apps on employees’ devices to mitigate any risk to enterprise access.
- Prior to distribution, security teams should ensure that commercial-off-the-shelf (COTS) work apps have no critical vulnerabilities.
It’s crucial to understand that while patches may be available, their timely application across your application footprint is not guaranteed. Control over patch availability and the installation of updated applications often lies beyond your immediate reach. Consequently, this leaves your attack surface exposed and vulnerable for extended periods. To proactively mitigate these risks to your mobile applications, it’s essential to implement additional layers of defense.
This is where Zimperium can help.
Zimperium’s Mobile Application Protection Suite (MAPS) helps to fill the gap between developers and security providing an all-around solution for mobile security. MAPS includes several components that address vulnerabilities, including WEBP.
For mobile applications developed in-house, the zScan component helps app developers identify and assess these critical vulnerabilities during development and pre-release testing. By assessing the app binary and its SBOM within minutes, the solutions provide a comprehensive app risk assessment without slowing down development.
For third-party mobile applications, the Advanced App Analysis (z3a) component assesses the apps for security and privacy risks and detects specific app behaviors, which is crucial for identifying exposure points to threats like WEBP. Upon identifying these undesired app behaviors, the solution allows the security team to mark those apps as “non-compliant”, alerting every end-user to remove the app immediately and mitigate risk.
For more information on how Zimperium can help mitigate these risks, visit us at www.zimperium.com.