Current App Store Version as of August 19, 2016.
See onionbrowser.com and onionbrowser.com/security for official announcements and notes.
Changes:
See changelog for full details.
- iObfs rebuilt with Go 1.7 (was 1.7rc3). Fixes crash-on-launch in iOS 10 Beta.
- See 1.6.0 changelog for more changes in the Onion Browser 1.6 series.
Verification:
(App bundle hash verification is coming soon.)
Changes:
See changelog for full details.
- iObfs: Onion Browser now supports "pluggable transports" like obfs4 and meek, which improve connection support in locations that try to block Tor. For more info about iObfs (an iOS framework build of obfs4proxy), please visit: https://github.com/mtigas/iObfs (Special thanks to the Onion Browser beta testers for their feedback on this new feature. Extra special thanks to The Guardian Project for supporting work on iObfs!)
- "One-click" bridge UI: Onion Browser now comes with built-in bridges for obfs4, meek-amazon, and meek-azure -- the same as the official Tor Browser Bundle and Orbot.
- User-agent spoofing strings updated to the most recent browser versions.
- Tor updated to 0.2.8.6, the first stable release in the 0.2.8 series. This version contains several performance and security improvements.
https://blog.torproject.org/blog/tor-0286-released
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.2.8.5-rc
- OpenSSL updated to 1.0.2h.
https://www.openssl.org/news/secadv/20160503.txt
https://openssl.org/news/changelog.html
- Minimum required iOS version is now iOS 8.2.
Changes:
- Minimum required iOS version is now iOS 8.0 (was iOS 6.1). Users running iOS 8.0 and 8.1 will be warned about HTTPS insecurity in these older versions (due to FREAK exploit). iOS 8.2 will be required by the end of 2015.
- Update HTTP errors. The "HTTPS Connection Failed" error was displaying in situations where the error had nothing to do with SSL failure.
- Allow navigating to "about:blank" and allow setting the homepage to that URL. (#62)
- Update bridge handling to make it difficult to enter in an unsupported bridge type, such as "obfs4" or "scramblesuit" via text entry or the QR Code scanner. (Prevents a situation where a user ends up with an "unusable" Onion Browser.)
- Tor updated to 0.2.6.5-rc.
https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?h=release-0.2.6
- OpenSSL updated to 1.0.2d.
https://openssl.org/news/changelog.html
Changes:
- Allow pasting in the bridges.torproject.org text blob to set bridges, like the Tor Browser launcher. #55
- Allow scanning QR code from bridges.torproject.org to set bridges. #56
- On first run, allow user to configure bridges before trying to launch Tor. Once Pluggable Transports are working, this will be useful for users where Tor traffic looks suspicious. #57
- Tor updated to 0.2.6.5-rc.
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.2.6.5-rc
- OpenSSL updated to 1.0.2a.
https://openssl.org/news/secadv_20150319.txt
https://openssl.org/news/openssl-1.0.2-notes.html
- Redesigned "Connecting..." prompt when opening the app.
Verification:
You can check that your version of Onion Browser matches a known copy of the app. This is helpful for safety reasons if you are not confident that your copy of Onion Browser has not been tampered with.
You'll need to have this version of Onion Browser (1.5.12) downloaded and available in iTunes. Go into iTunes and make sure that Onion Browser appears in the "My Apps" tab. Since this is the most recent version of Onion Browser, ensure that the app is updated. (If it has an "Update" flag, you can right-click the app and select "Update App" to download 1.5.12.)
If you don't have Onion Browser on your computer, you can retrieve this version by syncing your iPhone/iPad to your computer or by searching for Onion Browser in iTunes with the same Apple account that you used to buy it on your iPhone/iPad.
If you get a hash that's different than cc31dad8ec3aa4f72b1de09557d5840b2039c585328098973b3cb1a7ad3205d521c95a21288443dd8eef86028800db0895b1e47b20e131054947685c5161fc44, please report it in this thread immediately, or e-mail me.
If you have installed Onion Browser via the App Store, you can
double-check the authenticity of your copy of Onion Browser by doing
something like the following and ensuring that the resultant SHA512
hash is identical.
Sync your phone (& sync the apps over to your computer) or download
Onion Browser via the App Store in iTunes on your computer. Then:
$ mkdir /tmp/ob1512
$ cd /tmp/ob1512
$ unzip -o "$HOME/Music/iTunes/iTunes Media/Mobile Applications/Onion Browser 1.5.12.ipa"
$ rm -fr "Payload/OnionBrowser.app/SC_Info"
$ find Payload -type f -print0 | xargs -0 shasum -a512 | shasum -a512
cc31dad8ec3aa4f72b1de09557d5840b2039c585328098973b3cb1a7ad3205d521c95a21288443dd8eef86028800db0895b1e47b20e131054947685c5161fc44 -
It'll tell you that your copy of the Onion Browser app package is
the same as everyone else's. (But of course that doesn't help if
there's fishiness in Xcode or in the App Store submission process.)
Per [1][2], although the App Store-hosted ".ipa" bundle of the app
changes from user-to-user (because the ".ipa" zip file contains
user-specific SC_Info), the remainder of the app contents should be
the same from user to user. See [3] & [4] for further work on this.
[1]: https://github.com/WhisperSystems/Signal-iOS/issues/641#issuecomment-77376731
[2]: https://github.com/WhisperSystems/Signal-iOS/issues/641#issuecomment-78202740
[3]: https://github.com/OnionBrowser/iOS-OnionBrowser/issues/58
[4]: https://github.com/WhisperSystems/Signal-iOS/issues/641
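The hash-of-hashes check described above, as an added Python example (not code from Onion Browser or its author): it hashes every file under Payload/ except SC_Info, then hashes the resulting shasum-style listing, using constructed in-memory archives in place of a real .ipa. Sorting the paths is an assumption added for reproducibility, so the digest equals the result of the `find | xargs shasum | shasum` pipeline only when `find` emits the files in the same order.

```python
import hashlib
import io
import zipfile

SC_INFO = "Payload/OnionBrowser.app/SC_Info/"  # per-user directory the page removes before hashing


def ipa_digest(ipa_bytes, exclude_prefix=SC_INFO):
    """SHA-512 over a shasum-style listing of every file under Payload/, minus SC_Info."""
    lines = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        # Sorted order is an assumption added here: `find` order depends on the filesystem.
        for name in sorted(ipa.namelist()):
            if name.endswith("/") or not name.startswith("Payload/"):
                continue  # directory entries and files outside Payload/ are not hashed
            if name.startswith(exclude_prefix):
                continue  # user-specific content, differs between purchasers
            file_hash = hashlib.sha512(ipa.read(name)).hexdigest()
            lines.append(f"{file_hash}  {name}\n")  # same line format shasum prints
    return hashlib.sha512("".join(lines).encode()).hexdigest()


def make_ipa(files):
    """Build a constructed, in-memory .ipa (a zip archive) from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, data in files.items():
            archive.writestr(path, data)
    return buf.getvalue()


# Constructed sample data: identical payload, different per-user SC_Info.
PAYLOAD = {
    "Payload/OnionBrowser.app/OnionBrowser": b"constructed binary",
    "Payload/OnionBrowser.app/Info.plist": b"<plist>constructed</plist>",
    "iTunesMetadata.plist": b"outside Payload, never hashed",
}
user_a = make_ipa({**PAYLOAD, SC_INFO + "OnionBrowser.sinf": b"user A"})
user_b = make_ipa({**PAYLOAD, SC_INFO + "OnionBrowser.sinf": b"user B"})
tampered = make_ipa({**PAYLOAD, "Payload/OnionBrowser.app/OnionBrowser": b"modified binary"})

if __name__ == "__main__":
    print("user A  :", ipa_digest(user_a))
    print("user B  :", ipa_digest(user_b))
    print("tampered:", ipa_digest(tampered))
```

The two per-user archives produce the same digest only because SC_Info is excluded; a change to any file under Payload/ changes the result.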
