It's using the original PKZIP 2.0 encryption (variously referred to as "traditional" or "legacy" encryption), described in section 6 of the .ZIP file format specification. It's based on using CRC32 to mix the password, a (hopefully) random seed, and the compressed file. It is not considered secure; at the very least, it has serious vulnerabilities to known-plaintext attacks (see this crypto.se answer for a summary).
Update: Michael Stay developed a better attack in order to recover some Bitcoin private keys for a client. Details in Michael's blog post and DEF CON talk, and coverage at Wired and Hacker News.
This is based on: looking at Apple's source code for ZIP. The README.CR says:
The encryption code is a direct transcription of the algorithm from
Roger Schlafly, described by Phil Katz in the file appnote.txt. This
file is distributed with the PKZIP program (even in the version
without encryption capabilities). Note that the encryption will
probably resist attacks by amateurs if the password is well chosen and
long enough (at least 8 characters) but it will probably not resist
attacks by experts. Paul Kocher has made available information
concerning a known-plaintext attack for the PKWARE encryption scheme;
see http://www.cryptography.com/ for details.) Short passwords
consisting of lowercase letters only can be recovered in a few hours
on any workstation. But for casual cryptography designed to keep your
mother from reading your mail, it's OK.
Note that the file says was last updated in 2008, so when it talks about password recovery "in a few hours on any workstation", it's talking about decade-old hardware. I'm slightly confused about what version of Zip Apple is actually using. README.CR seems to indicate it's v2.31, but WHATSNEW lists new features in Zip v3.0 beta (and says AES is planned for v3.1). In any case, it's pretty old.
As further support, the file crypto.c (while a bit hard to follow) is clearly using CRC32 for the encrypt/decrypt processes, and the only mentions of AES are in several files that say it's planned for a later version.
Oh, and I also tried creating an encrypted file with it, and then looked at a hex dump. It doesn't contain 0x0017, which is the header ID for a "strong encryption header". It does have an extra 12 bytes of seed data (part of the "legacy" format) along with each file. So that matches the source code and README.
Summary: don't use it. I'd look for third-party Zip utilities that support more modern encryption, but I'm not familiar enough with any of them to make recommendations.