
There was a lot of recent, prominent news about a security vulnerability in WhatsApp that also affects iOS versions of the app. The vulnerability has been described as carrying the risk of an attacker crashing the device (e.g. mentioned in the original report from Google Project Zero) or taking over control of a smartphone (e.g. mentioned by heise.de here in German; translation courtesy of Google Translate here). The suggested remedy is upgrading to at least version 2.18.93 of the iOS app; apparently no updates to iOS itself are required.

Since this is described as a bug in an app (not iOS itself), it makes me wonder: how can an app (legitimate or otherwise) crash or take over an iOS device in the first place? AFAIK there are no SDK calls that would grant an app such powers, and indeed the report mentions heap corruption. But how can heap corruption inside a single app cause such havoc to the entire system? I could imagine this being the case if the app's heap overlapped with memory owned by the operating system in a peculiar way, such that (a faulty version of) the app could inject malicious code there. But in this case I would expect this to be treated as a bug in iOS (not only the app), which is not the case here.

So what's going on here? How can a faulty version of an app (such as WhatsApp) crash an iOS device or allow for it to be taken over in its entirety?

UPDATE This article mentions the names of two Google engineers involved. Their Twitter handles are @natashenka and @taviso. Perhaps somebody with a Twitter account could reach out to them and draw attention to this question.

rookie099
  • 213
  • 1
  • 6

1 Answer


I guess what could conceivably be going on here is that there is (was) a bug in a library that might be used both by the WhatsApp app, iOS, Android, etc. This would explain why the problem surfaces in iOS and Android, apparently at root level. Perhaps what could have happened in such a case is that Google informs the OS vendor(s), who inform the maintainer of the upstream library, and then what?

To make this more concrete by way of an example, here is an excerpt from iOS 12's Settings | General | About | Legal:

[image: screenshot of the iOS 12 Settings | General | About | Legal page]

And here is a bit of text from the cisco/libsrtp's GitHub project (srtp_protect is also mentioned in the original report):

  • The srtp_protect() function assumes that the buffer holding the rtp packet has enough storage allocated that the authentication tag can be written to the end of that packet. If this assumption is not valid, memory corruption will ensue.

The project is at least somewhat active (last commit 7 days ago), but its issue #322 has apparently been open since July 2017. I'm not an experienced white hat (nor black hat), but my current estimate is that it's fair to post such a (theoretical) example in this context exactly because all ingredients are already out in the open. Perhaps one could even qualify as a Google Zero engineer by just googling (no pun intended) such stuff :)

UPDATE For what it's worth, Sonatype OSS Index (a free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities) currently does not list any vulnerabilities for libsrtp.

rookie099
  • 213
  • 1
  • 6
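The buffer-sizing assumption quoted in the answer above, as an added C example that is not from libsrtp or the original answer: a hypothetical protect-style call that appends an authentication tag after the packet, shown once in the unchecked form the note describes and once taking the buffer's capacity so it can refuse instead of writing past the allocation. TAG_LEN, toy_tag, protect_unchecked, protect_checked and build_and_protect are all invented for this illustration, and the tag is a toy checksum standing in for SRTP's real HMAC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for an SRTP-style protect call (added example, not
 * libsrtp code). TAG_LEN models the authentication tag appended to the packet. */
#define TAG_LEN 10

/* Toy tag: a byte-wise hash repeated to TAG_LEN bytes. Stand-in for the real
 * HMAC; only the buffer-sizing behaviour matters for this example. */
static void toy_tag(const uint8_t *pkt, size_t len, uint8_t out[TAG_LEN]) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc = (uint8_t)(acc * 31u + pkt[i]);
    memset(out, acc, TAG_LEN);
}

/* Unchecked form: mirrors the documented contract that the caller's buffer
 * already has TAG_LEN spare bytes after *len. If the caller got that wrong,
 * the memcpy writes past the allocation: the corruption the libsrtp note describes. */
int protect_unchecked(uint8_t *pkt, size_t *len) {
    uint8_t tag[TAG_LEN];
    toy_tag(pkt, *len, tag);
    memcpy(pkt + *len, tag, TAG_LEN);
    *len += TAG_LEN;
    return 0;
}

/* Checked form: the caller also passes the buffer capacity, so the callee can
 * refuse when there is no headroom. Returns 0 on success, -1 if the tag won't fit. */
int protect_checked(uint8_t *pkt, size_t cap, size_t *len) {
    if (*len > cap || cap - *len < TAG_LEN) return -1;  /* written as subtraction to avoid overflow */
    uint8_t tag[TAG_LEN];
    toy_tag(pkt, *len, tag);
    memcpy(pkt + *len, tag, TAG_LEN);
    *len += TAG_LEN;
    return 0;
}

/* Caller-side discipline: copy the payload into a buffer sized for payload plus
 * tag, then protect with the capacity check. Returns the protected length, or 0
 * when the buffer cannot hold payload and tag. */
size_t build_and_protect(uint8_t *buf, size_t cap, const uint8_t *payload, size_t plen) {
    if (plen > cap) return 0;
    memcpy(buf, payload, plen);
    size_t len = plen;
    if (protect_checked(buf, cap, &len) != 0) return 0;
    return len;
}
```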