Gmail iOS app vulnerable to MitM attack, emails and credentials at risk
Lacoon reported the problem on Feb. 24 and Google said it would fix it, but the issue still exists.
The Gmail app for iOS does not perform certificate pinning – this means an attacker can view plaintext emails and steal credentials in a man-in-the-middle (MitM) attack, researchers with Lacoon discovered earlier this year.
The mobile security company notified Google on Feb. 24, explaining that implementing certificate pinning would mitigate the issue, according to a Thursday post. The internet corporation validated the problem and said it would be fixed, but the flaw still exists.
“Certificate pinning is a method in which the application defines, explicitly, the certificate that the server it is connected to will work with,” Avi Bashan, CISO at Lacoon, told SCMagazine.com in a Thursday email correspondence.
That means an attacker, who spoofs the communication from the server, cannot supply [their] own certificate to the application [that] will be used to encrypt the SSL communication channel, Bashan said, adding that the Gmail app for Android does perform certificate pinning.
In the post, Lacoon chalked up the flaw as an oversight on Google's part. As a result, a MitM attack can be performed to gain control over the traffic between Google's server and an iOS device, enabling an attacker to intercept emails and user credentials in plaintext, Bashan said.
“The [iOS] app is implemented in such a way that it allows the attacker to change the certificate, which is used to encrypt the communication channel to Google's servers, to [their] own signed certificate,” Bashan said. “Once the attacker supplies the new certificate, he can decrypt the traffic and view it.”
For the MitM to be performed, a configuration profile must first be installed on the iOS device, Bashan said, explaining the attacker could trick users into downloading the configuration profile by sending out mass phishing emails containing a link.
“The configuration profile can be crafted to contain any text the threat actor decides, [such as] free Wi-Fi,” Bashan said. “The configuration profile allows [the changing of] sensitive system configurations, such as proxy, VPN, and CA certificates.”
Users running iOS can check to see if they have installed a configuration profile by going into the device settings, tapping into ‘general,' and searching for ‘profiles' at the bottom of the list. If the option is not available, no configuration profiles are installed.
Google did not respond to a SCMagazine.com request for comment.