Jul 29, 2011

Important Security Update for iOS: 4.3.5 - Do it Now!

I just updated my iPad and iPhone to iOS 4.3.5. And you should, too.

It's not often that I would talk about "point releases" of iOS software. However, this one is pretty important. Apple has just released iOS 4.3.5 for the iPhone, iPad and iPod touch, only a few days after iOS 4.3.4, which addressed a different security issue. 4.3.5 resolves a serious security issue having to do with certificate verification.

Why should you care? Great question, especially since Apple's fairly bland description ("Fixes a security vulnerability with certificate validation") doesn't quite explain what's up here.

I didn't appreciate it either until a meeting yesterday with David Wang from Securigin, who apprised me of the importance of this update.

At issue was Apple's "core code" that performs certificate chain validation. It was based on a 9-year-old code base that had never been updated. And until now, no one had really worried about it. But the issue came to light, and based on research work done by a number of Internet security teams, Apple moved forward and patched the hole.

The problem, in a nutshell, is that a bad actor with a privileged network position (i.e., on the wire between the device and the server) could capture or modify data in sessions protected by SSL/TLS.

Apple's previous version of the code did not properly handle "certificate chain validation" for X.509 certificates.

Specifically, iOS's SSL certificate parsing contained a flaw where it failed to check the "basicConstraints" extension of certificates in the chain. That extension carries the cA flag that says whether a certificate is allowed to sign other certificates; an ordinary end-entity (server) certificate has it set to FALSE or omits the extension. Because iOS never looked at it, anyone holding a legitimate end-entity certificate could sign a new certificate with it and obtain a "valid" certificate for any domain.

So, SSL traffic to any host could be intercepted and decrypted by whoever issued such a certificate. The iOS user would never know that an invalid certificate was being used. This type of attack is the standard "man-in-the-middle" approach used to break encrypted communication.
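To make the basicConstraints point concrete, here is an added example (mine, not Apple's code or anything from Trustwave) written against Go's standard crypto/x509 package. It builds an in-memory chain with made-up names: a root CA, an end-entity certificate for shop.example with cA=FALSE, and a certificate for bank.example signed with the shop.example private key. It then runs three checks: a signature-only check that stands in for the flawed behaviour, Go's per-link CheckSignatureFrom, which enforces the cA flag, and full path validation for the hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome collects what the three checks say about the constructed chain:
// root CA -> end-entity leaf for shop.example (cA=FALSE) -> cert for bank.example
// signed with the leaf's key. All names and keys are generated for this demo.
type Outcome struct {
	LeafValid          bool  // legitimate leaf chains to the root for shop.example
	RogueSignatureOnly bool  // signature-only check (the flawed behaviour) accepts the rogue cert
	RogueConstraintErr error // per-link check that enforces basicConstraints
	RogueChainErr      error // full path validation for bank.example
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate returns a v3 certificate template; the basicConstraints extension is
// always present, with cA=TRUE only when ca is set (the root in this demo).
func newTemplate(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs template under parent with the signer's key and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SignatureOnly mimics a validator that checks the signature on each link but never
// looks at basicConstraints. It stands in for the flawed behaviour, for contrast.
func SignatureOnly(child, parent *x509.Certificate) bool {
	pub, ok := parent.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(child.RawTBSCertificate) // P-256 certs here use ECDSAWithSHA256
	return ecdsa.VerifyASN1(pub, digest[:], child.Signature)
}

// VerifyChain performs full path validation to the trusted root for a hostname.
func VerifyChain(root *x509.Certificate, intermediates []*x509.Certificate, end *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := end.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Demo builds the chain and runs all three checks.
func Demo() Outcome {
	rootKey, leafKey, rogueKey := newKey(), newKey(), newKey()
	rootT := newTemplate(1, "Demo Root CA", true)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed root
	leaf := issue(newTemplate(2, "shop.example", false), root, &leafKey.PublicKey, rootKey)
	// The situation from the text: a certificate for another host signed with a legitimate
	// end-entity certificate's key. Only the cA flag tells a validator this link is not allowed.
	rogue := issue(newTemplate(3, "bank.example", false), leaf, &rogueKey.PublicKey, leafKey)

	return Outcome{
		LeafValid:          VerifyChain(root, nil, leaf, "shop.example") == nil,
		RogueSignatureOnly: SignatureOnly(rogue, leaf),
		RogueConstraintErr: rogue.CheckSignatureFrom(leaf), // rejects: issuer has cA=FALSE
		RogueChainErr:      VerifyChain(root, []*x509.Certificate{leaf}, rogue, "bank.example"),
	}
}

func main() {
	o := Demo()
	fmt.Printf("legitimate leaf validates for shop.example: %v\n", o.LeafValid)
	fmt.Printf("rogue cert accepted by signature-only check: %v\n", o.RogueSignatureOnly)
	fmt.Printf("rogue cert rejected by basicConstraints check: %v\n", o.RogueConstraintErr)
	fmt.Printf("rogue cert rejected by full path validation: %v\n", o.RogueChainErr)
}
```

The signature on the bank.example certificate is perfectly good, which is why a validator that only walks signatures up to a trusted root accepts it; what a correct validator adds is the rule from RFC 5280 that a certificate whose basicConstraints extension is absent or has cA=FALSE must never be used to verify another certificate's signature. That single check is the difference between the two outcomes above.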

More details are available at Trustwave's site.

Time to update iOS, folks!
