This post is from the Apperian blog and has not been updated since the original publish date.

Last Updated Jul 29, 2011 — App Management expert

Important Security Update for iOS: 4.3.5 - Do it Now!

I just updated my iPad and iPhone to iOS 4.3.5. And you should, too.

It's not often that I would talk about "point releases" of iOS software. However, this one is pretty important. Apple has just released iOS 4.3.5 for the iPhone, iPad and iPod touch, only a few days after iOS 4.3.4, which addressed different security issues. 4.3.5 resolves a serious security issue having to do with certificate verification.

Why should you care? Great question, especially since Apple's fairly bland description ("Fixes a security vulnerability with certificate validation") doesn't quite explain what's up here.

I didn't appreciate it either until a meeting yesterday with David Wang from Securigin (www.securigin.com), who apprised me of the importance of this update.

At issue was Apple's "core code" that performs certificate chain validation. It was based on a 9-year-old code base that had never been updated, and until now no one had really worried about it. But the issue came to light, and based on research done by a number of Internet security teams, Apple moved forward and patched the hole.

The problem, in a nutshell, is that a bad actor with a privileged network position (i.e., on the wire) could capture or modify data in sessions protected by SSL/TLS.

Apple's previous code did not properly handle certificate chain validation for X.509 certificates.

Specifically, iOS's SSL certificate parsing contained a flaw: it failed to check the "basicConstraints" extension of the certificates in the chain, which is what marks whether a certificate is allowed to act as a certificate authority. So, by signing a new certificate with the key of a legitimate end-entity certificate, an attacker could obtain a "valid" certificate for any domain.

So, SSL traffic to any named domain could be intercepted and decrypted by the party that issued the rogue certificate. The iOS user would never know that an invalid certificate was in use. This is the standard "man-in-the-middle" approach used to break encrypted communication.
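To make the flaw concrete, here is an added example (not from the original post, and not Apple's code) that models chain validation with and without the basicConstraints check. The certificate names are constructed and signature verification is assumed to happen elsewhere; only the basicConstraints values are genuine DER encodings.

```python
from collections import namedtuple
# Simplified certificate: names plus the DER value of its BasicConstraints extension (None if absent).
Cert = namedtuple("Cert", "subject issuer basic_constraints")

def parse_basic_constraints(der):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    Returns (cA, pathLenConstraint); an absent extension means cA is FALSE (RFC 5280 4.2.1.9)."""
    if der is None:
        return False, None
    if len(der) < 2 or der[0] != 0x30 or len(der) != 2 + der[1]:
        raise ValueError("malformed BasicConstraints SEQUENCE")
    body, ca, path_len, i = der[2:], False, None, 0
    if len(body) >= 3 and body[0] == 0x01 and body[1] == 1:      # BOOLEAN cA
        ca, i = body[2] != 0, 3
    if len(body) >= i + 2 and body[i] == 0x02:                  # INTEGER pathLenConstraint
        n = body[i + 1]
        path_len, i = int.from_bytes(body[i + 2:i + 2 + n], "big"), i + 2 + n
    if i != len(body):
        raise ValueError("unexpected content in BasicConstraints")
    return ca, path_len

def validate_chain(chain, enforce_basic_constraints=True):
    """chain[0] is the leaf, chain[-1] the trusted root. Signature verification is assumed
    to happen elsewhere; only name chaining and the basicConstraints logic are modelled."""
    for idx in range(len(chain) - 1):
        cert, issuer = chain[idx], chain[idx + 1]
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name does not match {issuer.subject}"
        if not enforce_basic_constraints:  # pre-4.3.5 behaviour: cA is never consulted
            continue
        ca, path_len = parse_basic_constraints(issuer.basic_constraints)
        if not ca:
            return False, f"{issuer.subject}: cannot issue certificates (cA is FALSE)"
        # pathLenConstraint caps the intermediates below this CA: chain[1..idx], i.e. idx of them
        if path_len is not None and idx > path_len:
            return False, f"{issuer.subject}: pathLenConstraint {path_len} exceeded"
    return True, "chain valid"

# Constructed data: real DER encodings of cA=TRUE and of cA=TRUE with pathLenConstraint=0.
CA_TRUE = bytes.fromhex("3003 0101ff")
CA_TRUE_PATHLEN0 = bytes.fromhex("3006 0101ff 020100")
ROOT = Cert("Example Root CA", "Example Root CA", CA_TRUE)
ISSUING = Cert("Example Issuing CA", "Example Root CA", CA_TRUE_PATHLEN0)
SHOP = Cert("www.shop.example", "Example Issuing CA", None)   # ordinary end-entity certificate
ROGUE = Cert("www.bank.example", "www.shop.example", None)    # "issued" with the shop's end-entity key

def check_scenarios():
    return {"legit": validate_chain([SHOP, ISSUING, ROOT])[0],
            "rogue_unpatched": validate_chain([ROGUE, SHOP, ISSUING, ROOT], False)[0],
            "rogue_patched": validate_chain([ROGUE, SHOP, ISSUING, ROOT])[0]}
```

The unpatched path accepts the rogue chain because it never asks whether www.shop.example is a CA; the patched path rejects it at that hop, and the pathLenConstraint check additionally stops a CA from delegating further than its issuer allowed.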

More details are available at Trustwave's site (https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt).

Time to update iOS, folks!
