
UPDATE: We have developed a more effective workaround documented here.

A few weeks ago, researchers at TrustWave’s SpiderLabs announced that they had discovered a severe flaw in the way Apple iOS devices validate SSL certificates. In particular, iOS failed to check a particular field - basicConstraints - in certificates that indicates whether or not they are permitted to sign other certificates. This flaw could potentially allow an attacker to intercept and decrypt all traffic between an iOS device and any SSL server, with no indication to the device’s end-user.

Although this flaw is conceptually identical to one initially reported by Moxie Marlinspike in Internet Explorer nearly a decade ago, this was excellent work: it is easy to fall into a trap of complacency in which we assume that, because a class of vulnerabilities was identified and widely publicized/patched long ago, it is now dead and buried. Clearly, these sorts of assumptions are dangerous and need to be challenged regularly.

Apple has since released iOS updates to patch this flaw (although it does appear that updates for some older devices are not currently available). For all iPhone, iPod, and iPad users for whom updates are available, we strongly recommend installing these updates immediately.

In addition, on Sunday (at DEFCON 19), researchers from SpiderLabs announced a potential workaround that would allow individual app developers to ensure that their apps communicate securely over SSL, even on devices running vulnerable versions of iOS.

Unfortunately, this workaround appears not to work.

(Note: To better understand the rest of this post, we suggest first reading Moxie’s original explanation of the flaw).

To be more precise, the workaround - if implemented in exactly the form suggested by SpiderLabs - may indeed reject certificates crafted using attacks that exploit the basicConstraints vulnerability, but it also appears that it will reject any certificates which use an intermediate CA certificate at all (unless the intermediate CA is somehow cached by the system). This would therefore affect a substantial fraction - if not a vast majority - of SSL-enabled sites on the internet.

We performed a few tests to confirm this, using two iOS devices:

  • A vulnerable device: a second-generation iPod Touch, running iOS 4.2.1. Notably, this still appears to be the latest iOS version available for a second-generation iPod Touch, so there is no (official?) way to patch it.
  • A patched device: an iPhone 4 running iOS 4.3.5

For our first test, we fetched the certificate chain that Google's servers currently present. It consists of three certificates:

  • A root CA: Equifax Secure Certificate Authority
  • An intermediate CA: Google Internet Authority
  • A leaf certificate: *

We then attempted to use the provided isCertValid function to validate only the leaf certificate, as suggested by the SpiderLabs post. This certificate - a valid certificate (if my laptop is to be believed) - failed to validate on both devices. We then followed Apple’s documentation to change the call to SecTrustCreateWithCertificates from passing only the leaf certificate to passing an array containing both the leaf certificate and the intermediate CA, at which point the certificate validated successfully on both devices.

Second, we created a few certificate chains of our own for testing. Again, each chain had three certificates: a root CA, an intermediate CA, and a leaf certificate. In addition, while one of these chains was perfectly valid, the other contained an intermediate certificate with its basicConstraints extension set to CA:FALSE. A correct implementation should reject this second chain, but an implementation that fails to check basicConstraints would accept it as valid.

Because we were using a custom-generated test root certificate, we had to install it as a trusted root on both devices before proceeding. This is easy to do on an iOS device (though not in the simulator): you merely need to open a link to download the certificate in Safari, and the OS will prompt you to install/trust it.

With the root certificate installed, we performed the same tests as we had done with the Google certificate chain. We began by attempting to validate only the leaf certificate on each chain: this failed for both chains, on both devices.

Next, we attempted validation, for each chain, with both the leaf certificate and the intermediate certificate. On the vulnerable device, both chains validated successfully. On the patched device, only the chain with the correct basicConstraints flag validated successfully. This is exactly the behavior we would have expected to see with no workaround in place.
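The two test chains described above can be reproduced on a workstation and checked against a validator that does honor basicConstraints. The following script is an added example, not code from the original post or from SpiderLabs: it uses the openssl command line to build a valid chain and a chain whose intermediate is marked CA:FALSE, then verifies the leaf with the intermediate supplied alongside it (the same shape as the corrected SecTrustCreateWithCertificates call). All subject names and file names are constructed for the example.

```shell
#!/bin/sh
# Added test harness (not from the original post): builds two three-certificate chains,
# one valid and one whose intermediate carries basicConstraints=CA:FALSE, and checks
# that a correct validator (openssl verify) accepts the first and rejects the second.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# build_chain NAME BASICCONSTRAINTS: root -> intermediate -> leaf, where the
# intermediate gets the given basicConstraints value (CA:TRUE or CA:FALSE).
build_chain() {
  name=$1; bc=$2
  printf 'basicConstraints=critical,CA:TRUE\n' > "$name-root.ext"
  printf 'basicConstraints=critical,%s\n' "$bc" > "$name-int.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > "$name-leaf.ext"
  # Root CA: self-signed and explicitly marked as a CA (constructed subject names).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root $name" \
    -keyout "$name-root.key" -out "$name-root.csr" 2>/dev/null
  openssl x509 -req -in "$name-root.csr" -signkey "$name-root.key" -days 30 \
    -extfile "$name-root.ext" -out "$name-root.pem" 2>/dev/null
  # Intermediate: signed by the root, with basicConstraints as requested.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate $name" \
    -keyout "$name-int.key" -out "$name-int.csr" 2>/dev/null
  openssl x509 -req -in "$name-int.csr" -CA "$name-root.pem" -CAkey "$name-root.key" \
    -CAcreateserial -days 30 -extfile "$name-int.ext" -out "$name-int.pem" 2>/dev/null
  # Leaf: signed by the intermediate; signing does not check the signer's own CA bit.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$name-leaf.key" -out "$name-leaf.csr" 2>/dev/null
  openssl x509 -req -in "$name-leaf.csr" -CA "$name-int.pem" -CAkey "$name-int.key" \
    -CAcreateserial -days 30 -extfile "$name-leaf.ext" -out "$name-leaf.pem" 2>/dev/null
}

# chain_valid NAME: status 0 if the leaf validates with the intermediate supplied as an
# untrusted extra certificate and only the root trusted; status 1 otherwise. The output
# is matched so the result does not depend on a given OpenSSL release's exit codes.
chain_valid() {
  openssl verify -CAfile "$1-root.pem" -untrusted "$1-int.pem" "$1-leaf.pem" 2>&1 \
    | grep -q ': OK$'
}

build_chain good CA:TRUE
build_chain bad CA:FALSE
chain_valid good && echo "good chain: accepted (expected)"
if chain_valid bad; then echo "bad chain: ACCEPTED - validator ignores basicConstraints"
else echo "bad chain: rejected (expected)"; fi
```

A validator that accepts the "bad" chain is behaving like the vulnerable iOS build described above; one that rejects it is doing the basicConstraints check the patch restores.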

Even though their workaround appears incorrect, the motivations suggested by the SpiderLabs researchers in developing it are entirely valid. We do believe it may be possible to construct a successful workaround, though it may have to be rather more complicated than the code they provided. In particular, a successful workaround could require replacing - or at least augmenting - the actual chain-validation implementation. (One possibility might be to cross-compile OpenSSL for iOS/ARM, and write a custom handler that grabs all the DER data for the certificates in the SSL peer’s chain, and uses OpenSSL’s validation rather than - or in addition to - iOS’s.) We will continue investigating these possibilities, and we encourage others to do so as well.

Otherwise, the one bit of good news is that uptake for iOS updates is much faster than on just about any other mobile platform. It would be nice if Apple provided patches for older devices, though…

Adam Goodman
Working around phoney SSL certificates on iOS (...or not!)

Adam is Principal Security Architect at Duo Security, where he is responsible for leading Duo's security engineering practice. He has spent nearly a decade building secure systems, protocols, and culture (and occasionally veering into security research) at a variety of start-ups.

