Jul 29, 2011

Important Security Update for iOS: 4.3.5 - Do it Now!

I just updated my iPad and iPhone to iOS 4.3.5. And you should, too.

It's not often that I would talk about "point releases" of iOS software. However, this one is pretty important. Apple has just released iOS 4.3.5 for the iPhone, iPad and iPod touch, only a few days after iOS 4.3.4, which addressed a different set of security issues. 4.3.5 resolves a single, serious security issue in certificate verification.

Why should you care? Good question, especially since Apple's fairly bland release note ("Fixes a security vulnerability with certificate validation") doesn't explain what is actually wrong.

I didn't appreciate it either until a meeting yesterday with David Wang from Securigin, who apprised me of the importance of this update.

At issue is the core iOS code that validates certificate chains. It was based on a roughly nine-year-old code base that had never been updated, and until now nobody had looked at it very hard. When the issue came to light, based on research by several security teams (Trustwave SpiderLabs among them), Apple moved forward and patched the hole. Apple tracks the fix as CVE-2011-0228.

The problem, in a nutshell: an attacker with a privileged network position (i.e., able to sit on the wire between the device and the server) could capture or modify data in sessions protected by SSL/TLS.

Apple's previous code did not properly perform certificate chain validation for X.509 certificates.

Specifically, the iOS SSL chain-validation code failed to check the basicConstraints extension of the certificates in the chain. That extension is what distinguishes a CA certificate (CA:TRUE), which is allowed to sign other certificates, from an ordinary end-entity certificate (CA:FALSE), which is not; a correct validator must refuse a chain in which any issuing certificate lacks the CA flag. Because iOS skipped that check, anyone holding a legitimate end-entity certificate and its private key, for any domain at all, could use it to sign a new certificate for any other domain, and iOS would treat the result as valid.

So SSL traffic to any site could be intercepted and decrypted by whoever held the private key of a legitimate certificate for some other site, and the iOS user would never see a warning that a bogus certificate was in use. This is the classic man-in-the-middle attack on encrypted communication.
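To see exactly which condition the fix enforces, here is an added example (not Apple's code, and not Trustwave's) that reproduces the scenario with OpenSSL: a root CA, a legitimate end-entity certificate carrying basicConstraints CA:FALSE, and a rogue certificate for a different host signed with that end-entity key. A validator that honours basicConstraints, which is what `openssl verify` does, rejects the rogue certificate with "invalid CA certificate"; the unpatched iOS code would have accepted it. The script assumes an `openssl` binary (1.1.1 or later) on PATH; the CA name and the hostnames are made up for the example.

```shell
#!/bin/sh
# Added example: reproduce the missing-basicConstraints scenario with OpenSSL.
# Not Apple's or Trustwave's code. Assumes `openssl` 1.1.1+ on PATH; the CA
# name and the hostnames (legit.example.org, www.example.com) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert STEM CN ISSUER EXT
#   Generates a fresh RSA key and CSR with subject CN, then issues the
#   certificate: self-signed when ISSUER is empty, otherwise signed with
#   $WORK/ISSUER.crt and $WORK/ISSUER.key. EXT is the body of an openssl
#   extension file ("\n"-separated lines).
issue_cert() {
  stem=$1; cn=$2; issuer=$3; ext=$4
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" 2>/dev/null
  printf '%b' "$ext" > "$WORK/$stem.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$stem.csr" -signkey "$WORK/$stem.key" \
      -days 2 -sha256 -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$stem.csr" \
      -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -days 2 -sha256 -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt" 2>/dev/null
  fi
}

# The trust anchor: a real CA certificate (CA:TRUE, allowed to sign certs).
issue_cert root  'Example Root CA'   ''      'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
# An ordinary server certificate issued by that CA (CA:FALSE).
issue_cert legit 'legit.example.org' 'root'  'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:legit.example.org\n'
# The attack: the holder of legit.example.org's key signs a certificate for a
# host it was never authorised for. Nothing stops the signing itself; the
# question is whether the client's validator notices the signer is not a CA.
issue_cert rogue 'www.example.com'   'legit' 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.com\n'

# ca_flag STEM: print a certificate's basicConstraints extension, the value a
# validator must consult for every issuer in the chain.
ca_flag() { openssl x509 -in "$WORK/$1.crt" -noout -ext basicConstraints; }

# validate STEM: build and check the chain STEM -> legit -> root the way a
# correct validator does. OpenSSL refuses an issuer whose basicConstraints says
# CA:FALSE (error 24, "invalid CA certificate"); iOS before 4.3.5 did not.
validate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/legit.crt" "$WORK/$1.crt"
}

# Outcomes as exit statuses, so they can be checked by a caller.
legit_accepted() { validate legit >/dev/null 2>&1; }
rogue_rejected() { if validate rogue >/dev/null 2>&1; then return 1; else return 0; fi; }

echo "== basicConstraints of the certificate used as signer =="; ca_flag legit
echo "== legitimate chain =="; validate legit 2>&1 || true
echo "== rogue certificate signed by an end-entity certificate =="; validate rogue 2>&1 || true
```

Run it with `sh`: the legitimate chain verifies OK, and the rogue certificate fails at depth 1 with `invalid CA certificate`, which is precisely the check the old iOS code was missing. `ca_flag` is also the quickest way to inspect a suspicious intermediate in a chain captured from the wire.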

More details are available at Trustwave's site.

Time to update iOS, folks!

