Mitigating SQLCipher Vulnerabilities Reported During VAPT in CA Mobile Authenticator and DeviceDNA iOS SDKs
Article ID: 416857

Products

CA Strong Authentication

Issue/Introduction

After performing a Vulnerability Assessment and Penetration Test (VAPT) on an application that uses the following iOS SDK components from the CA Advanced Authentication suite:

  • CA Mobile Authenticator iOS SDK version 2.2.2

  • CA DeviceDNA iOS SDK version 8.4.1

The scan reported multiple vulnerabilities originating from the SQLCipher dependency used by these SDKs.

Vulnerability Details:

Component: SQLCipher
Package: org.cocoapods.SQLCipher
Version: 3.4.2
Vulnerabilities: CVE-2025-6965, CVE-2025-3277, CVE-2023-7104, CVE-2022-35737, CVE-2020-15358, CVE-2020-13632, CVE-2020-13631, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-11656, CVE-2020-11655, CVE-2019-8457, CVE-2019-19646, CVE-2019-19645, CVE-2019-16168, CVE-2018-8740, CVE-2018-20506, CVE-2018-20505, CVE-2018-20346, CVE-2017-15286
CVSS Score (highest): 9.8
References: SQLCipher Project, NVD Details

Environment

CA Strong Authentication 9.1.5

  • CA Mobile Authenticator iOS SDK version 2.2.2
  • CA DeviceDNA iOS SDK version 8.4.1

Cause

The reported vulnerabilities are inherited from the SQLCipher 3.4.2 library version used within the SDKs. These issues are not directly part of Broadcom’s source code but stem from the third-party dependency.

Resolution

The Advanced Authentication Engineering team has developed an updated SDK version that includes an upgraded SQLCipher dependency to mitigate the vulnerabilities.

  • SQLCipher upgraded from 3.4.2 → 4.10.0

  • This new version addresses the CVEs identified in the VAPT scan.

  • The patch has been verified internally and is available for customer testing.

Action Steps:

  1. Obtain the updated SDK package from the attachment.

  2. Integrate the new SDK into your application.

  3. Perform regression testing in your lower/non-production environment.

  4. Re-run your vulnerability scan.

  5. Confirm that the vulnerabilities are no longer reported.

If you continue to observe any reported vulnerabilities post-upgrade, please open a new support case with your scan results for further review.
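One way to support step 5 with an automated check, added here as an example and not code from the article or from the SDK: the scan names the package as org.cocoapods.SQLCipher, so the script reads the resolved SQLCipher version from a CocoaPods Podfile.lock (the lockfile text below is constructed) and compares it numerically against the 4.10.0 baseline stated in the Resolution. If the SDK bundles SQLCipher directly rather than via CocoaPods, the same comparison applies to whatever manifest records the version (assumption).

```python
import re

# Baseline the article gives as the fixed dependency, and the version the VAPT flagged.
MIN_SQLCIPHER_VERSION = "4.10.0"
VULNERABLE_VERSION = "3.4.2"

# Constructed Podfile.lock fragment (not taken from the article or a real project).
PODFILE_LOCK_OLD = """PODS:
  - SQLCipher (3.4.2):
    - SQLCipher/standard (= 3.4.2)
  - SQLCipher/common (3.4.2)
  - SQLCipher/standard (3.4.2):
    - SQLCipher/common
"""
PODFILE_LOCK_NEW = PODFILE_LOCK_OLD.replace("3.4.2", "4.10.0")

# Matches the top-level pod entry "  - SQLCipher (x.y.z)" but not its subspecs.
POD_LINE = re.compile(r"^\s*-\s+SQLCipher\s+\(([\d.]+)\)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '4.10.0' into (4, 10, 0) so comparison is numeric, not lexical
    (a string compare would wrongly rank '4.9.0' above '4.10.0')."""
    return tuple(int(p) for p in v.split("."))


def sqlcipher_version(lockfile: str):
    """Return the resolved SQLCipher pod version from Podfile.lock text, or None."""
    m = POD_LINE.search(lockfile)
    return m.group(1) if m else None


def check_sqlcipher(lockfile: str) -> dict:
    """Report whether the resolved SQLCipher meets the 4.10.0 baseline."""
    found = sqlcipher_version(lockfile)
    if found is None:
        return {"version": None, "ok": False, "reason": "SQLCipher pod not found"}
    ok = parse_version(found) >= parse_version(MIN_SQLCIPHER_VERSION)
    reason = "meets baseline" if ok else f"below baseline {MIN_SQLCIPHER_VERSION}"
    if found == VULNERABLE_VERSION:
        reason = "version reported vulnerable in the VAPT scan"
    return {"version": found, "ok": ok, "reason": reason}


if __name__ == "__main__":
    for name, text in (("before upgrade", PODFILE_LOCK_OLD), ("after upgrade", PODFILE_LOCK_NEW)):
        print(name, check_sqlcipher(text))
```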

Status:

Fix Released – SQLCipher dependency upgraded to version 4.10.0
Availability: General Availability (GA) build is available as attached in the article.

Additional Information

  • Customers are encouraged to always use the latest SDK versions to ensure ongoing compliance with security and platform requirements.

  • This fix is applicable only to iOS SDK components; Android SDK updates were addressed separately in a prior release.

Attachments

ca-mobile-authenticator-iOS-sdk-2.2.5.zip