← Back to all briefings
Cybersecurity 5 min read Published Updated Credibility 73/100

Platform Security — iOS 13.3.1

Apple’s iOS and iPadOS 13.3.1 updates fix location privacy enforcement gaps and multiple CVEs in CoreFoundation, UIKit, and WebKit; enterprises must speed up deployment and verify MDM posture.

Kodi C.

Editor & Research Lead

Reviewed for accuracy by Kodi C.

Cybersecurity pillar illustration for Zeph Tech briefings
Cybersecurity threat, control, and response briefings

Apple released iOS and iPadOS 13.3.1 on 28 January 2020, addressing location services enforcement issues related to the U1 Ultra Wideband chip and patching multiple security vulnerabilities across FaceTime, Foundation, Kernel, and WebKit components. The update resolves privacy concerns where location services controls were being bypassed and closes memory corruption vulnerabilities that could enable arbitrary code execution. Enterprise mobile device management teams must speed up deployment and verify MDM compliance to maintain security posture across managed device fleets.

Security Vulnerabilities Addressed

The iOS 13.3.1 release addresses multiple CVEs affecting core system components with potential for serious security impact. WebKit vulnerabilities include memory corruption issues that could allow arbitrary code execution when processing maliciously crafted web content. Since WebKit powers Safari and in-app web views throughout iOS, these vulnerabilities affect virtually all web browsing activity on affected devices.

Kernel vulnerabilities in this release could allow applications to execute arbitrary code with kernel privileges, potentially bypassing security controls and accessing protected system resources. Memory corruption in the kernel represents the highest severity class of mobile vulnerabilities, as successful exploitation provides complete device compromise including access to encrypted data and the ability to install persistent malware.

Foundation framework vulnerabilities could allow applications to gain elevated privileges through memory corruption attacks. The Foundation framework provides core data types and system interfaces used throughout iOS, making these vulnerabilities potentially exploitable across many applications and system services.

FaceTime vulnerabilities addressed in this release could allow attackers to cause application crashes or potentially execute arbitrary code through malformed FaceTime session data. Given FaceTime's widespread use for personal and business video communications, these vulnerabilities posed risks to user privacy and device security.

U1 Ultra Wideband Location Privacy

The most publicized issue addressed in iOS 13.3.1 involves the U1 Ultra Wideband chip and location services privacy controls. Users discovered that even when Location Services were disabled, the U1 chip continued to query location data for spatial awareness features. Apple stated this behavior was by design for the U1 chip's spatial awareness functionality, but user expectations of location privacy controls conflicted with this setup.

iOS 13.3.1 modifies the behavior to respect system-wide location services settings for U1 chip queries, aligning device behavior with user privacy expectations. Organizations with location-sensitive deployments should verify that updated devices honor location service restrictions as expected. Privacy impact assessments for applications using location services may require updates to reflect the corrected behavior.

The incident highlighted the complexity of location privacy in modern mobile devices, where multiple hardware components and software features may access location data independently. If you are affected, maintain awareness of location data flows throughout their mobile application portfolios and ensure privacy controls are consistently enforced across all location-aware features.

Enterprise Deployment Considerations

Organizations managing iOS device fleets through Mobile Device Management (MDM) solutions should focus on rapid deployment of iOS 13.3.1 to address the security vulnerabilities included in this release. MDM platforms should be configured to push the update to supervised devices with appropriate urgency based on organizational risk tolerance and device sensitivity classifications.

Pre-deployment testing should validate compatibility with enterprise applications, VPN configurations, certificate profiles, and integration with backend services. While Apple generally maintains backward compatibility across point releases, you should verify critical functionality before broad deployment. Testing should cover authentication flows, data protection policies, and MDM control enforcement.

Staged deployment approaches allow organizations to identify issues in limited rollouts before affecting the entire device fleet. Deploy to test devices and pilot user groups first, monitoring for application compatibility issues, battery performance impacts, and connectivity problems. Expand deployment in phases based on successful pilot outcomes.

MDM Compliance and Monitoring

After initiating update deployment, you should monitor MDM compliance reporting to track adoption across the device fleet. Identify devices that fail to update due to insufficient storage, network connectivity issues, or user deferral. Establish escalation procedures for devices that remain on vulnerable iOS versions beyond acceptable timeframes.

Compliance dashboards should provide visibility into update status by business unit, device model, and user group. Track metrics including percentage of devices updated, average time to update, and devices remaining on vulnerable versions. Use compliance data to identify patterns and address systematic deployment barriers.

Device trust policies should incorporate OS version requirements, restricting access to sensitive resources from devices running outdated iOS versions. Conditional access policies can enforce minimum version requirements before granting access to corporate applications, email, and network resources. These controls create user incentives for prompt updates while protecting organizational resources.

Post-Update Validation

After deployment, you should validate that security configurations remain correctly applied. Verify that passcode policies, encryption settings, and application restrictions are enforced as expected. Some iOS updates may reset certain configuration profiles, requiring MDM platforms to reapply settings.

Test VPN connectivity, certificate-based authentication, and Wi-Fi profile configurations to ensure enterprise network access remains functional. Enterprise applications using certificate pinning or custom trust stores should be validated against the updated certificate trust store. Report any connectivity issues to affected users and speed up resolution.

Monitor device telemetry for crash reports, battery consumption anomalies, and performance issues that may show problems introduced by the update. Establish support channels for users to report issues and track resolution. Document any significant issues for communication to Apple through enterprise support channels.

Application and Integration Testing

Enterprise applications should be tested on updated devices to verify continued functionality. Focus testing on critical business applications, particularly those handling sensitive data or requiring specific iOS capabilities. Test push notification delivery, background refresh behavior, and integration with device sensors and peripherals.

Applications using deprecated APIs or relying on undocumented iOS behaviors may experience issues after updates. Application developers should review Apple's release notes for deprecated features and behavioral changes. Prioritize updates for applications experiencing compatibility issues to minimize business disruption.

Integration testing should cover connections to backend services, authentication flows, and data synchronization. Verify that mobile applications correctly communicate with APIs, identity providers, and enterprise systems after the iOS update. Monitor error logs and support tickets for integration-related issues.

Related articles

Curated signals from the same pillar or overlapping topics.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

References

  1. About the security content of iOS 13.3.1 and iPadOS 13.3.1 — Apple
  2. About privacy and Location Services — Apple
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization
  • iOS 13.3.1
  • iPadOS
  • Apple Security Updates
  • Ultra Wideband
  • FaceTime
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.