Gmail iOS app vulnerable to MitM attack, emails and credentials at risk

Lacoon reported the problem on Feb. 24 and Google said it would fix it, but the issue still exists.

The Gmail app for iOS does not perform certificate pinning. As a result, an attacker who can get the device to trust a certificate they control can read emails in plaintext and steal credentials in a man-in-the-middle (MitM) attack, researchers at Lacoon discovered earlier this year.

The mobile security company notified Google on Feb. 24, explaining that implementing certificate pinning would mitigate the issue, according to a Thursday post. Google validated the problem and said it would be fixed, but the flaw still exists.

“Certificate pinning is a method in which the application defines, explicitly, the certificate that the server it is connected to will work with,” Avi Bashan, CISO at Lacoon, told SCMagazine.com in a Thursday email correspondence.

That means an attacker who spoofs the communication from the server cannot supply [their] own certificate to the application [that] will be used to encrypt the SSL communication channel, Bashan said, adding that the Gmail app for Android does perform certificate pinning.

In the post, Lacoon chalked up the flaw as an oversight on Google's part. As a result, a MitM attack can be performed to gain control over the traffic between Google's server and an iOS device, enabling an attacker to intercept emails and user credentials in plaintext, Bashan said.

“The [iOS] app is implemented in such a way that it allows the attacker to change the certificate, which is used to encrypt the communication channel to Google's servers, to [their] own signed certificate,” Bashan said. “Once the attacker supplies the new certificate, he can decrypt the traffic and view it.”

For the MitM to be performed, a configuration profile must first be installed on the iOS device, Bashan said, explaining the attacker could trick users into downloading the configuration profile by sending out mass phishing emails containing a link.

“The configuration profile can be crafted to contain any text the threat actor decides, [such as] free Wi-Fi,” Bashan said. “The configuration profile allows [the changing of] sensitive system configurations, such as proxy, VPN, and CA certificates.”
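To make the distinction concrete, here is an added example (not code from Lacoon, Google or the Gmail app) that models the attack path described above in Go: a rogue CA reaches the device's trust store through a configuration profile, the attacker presents a leaf certificate signed by that CA, and the client either relies on the system trust store alone, as the iOS app does, or additionally pins the genuine server's public-key hash. The host name mail.example.com, the CA names and every certificate are constructed inside the code; nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// host is the hypothetical mail server the client connects to.
const host = "mail.example.com"

var serial int64 // increasing serial number for the constructed certificates

// issue creates a certificate for cn, signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin form used by HPKP
// and most mobile pinning libraries.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainTrusted is the ordinary trust-store check: the only check an unpinned app performs.
func chainTrusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// acceptPinned is what a pinned client does: validate the chain, then require the pin.
func acceptPinned(cert *x509.Certificate, roots *x509.CertPool, pins map[string]bool) error {
	if !chainTrusted(cert, roots) {
		return fmt.Errorf("chain does not validate for %s", host)
	}
	if !pins[spkiPin(cert)] {
		return fmt.Errorf("SPKI pin mismatch: %s", spkiPin(cert))
	}
	return nil
}

// Outcome records the decision of each client for each certificate.
type Outcome struct {
	UnpinnedAcceptsReal, UnpinnedAcceptsMitm bool
	PinnedAcceptsReal, PinnedAcceptsMitm     bool
}

// scenario models the article: a "Free Wi-Fi" profile installs the attacker's CA,
// then the attacker presents a leaf for host that this CA signed.
func scenario() Outcome {
	realCA, realKey := issue("Example Root CA", true, nil, nil)
	realLeaf, _ := issue(host, false, realCA, realKey)
	rogueCA, rogueKey := issue("Free Wi-Fi CA", true, nil, nil)
	mitmLeaf, _ := issue(host, false, rogueCA, rogueKey)

	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(rogueCA) // added to the device trust store by the configuration profile

	pins := map[string]bool{spkiPin(realLeaf): true} // the app ships only the genuine key's hash

	return Outcome{
		UnpinnedAcceptsReal: chainTrusted(realLeaf, roots),
		UnpinnedAcceptsMitm: chainTrusted(mitmLeaf, roots),
		PinnedAcceptsReal:   acceptPinned(realLeaf, roots, pins) == nil,
		PinnedAcceptsMitm:   acceptPinned(mitmLeaf, roots, pins) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", scenario())
}
```

Run it with `go run`. The unpinned client accepts both leaves, because a CA installed through a profile is as trusted as any other root; the pinned client accepts only the genuine one. The pin is taken over the SubjectPublicKeyInfo rather than the whole certificate, so a renewal that keeps the same key does not break the app; a production pin set would also carry a backup pin, and many deployments pin an intermediate CA instead of the leaf to survive routine rotation. Pinning is a defence against CAs the client should not trust, including ones the user was tricked into installing; it still depends on the chain check running first, as the code does.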

Users running iOS can check whether a configuration profile is installed by opening Settings, tapping 'General' and looking for 'Profiles' near the bottom of the list. If that entry is not present, no configuration profiles are installed.

Google did not respond to a SCMagazine.com request for comment.
