Gmail iOS app vulnerable to MitM attack, emails and credentials at risk

Lacoon reported the problem on Feb. 24 and Google said it would fix it, but the issue still exists.

The Gmail app for iOS does not perform certificate pinning – this means an attacker can view plaintext emails and steal credentials in a man-in-the-middle (MitM) attack, researchers with Lacoon discovered earlier this year.

The mobile security company notified Google on Feb. 24, explaining that implementing certificate pinning would mitigate the issue, according to a Thursday post. The internet corporation validated the problem and said it would be fixed, but the flaw still exists.

“Certificate pinning is a method in which the application defines, explicitly, the certificate that the server it is connected to will work with,” Avi Bashan, CISO at Lacoon, told SCMagazine.com in a Thursday email correspondence.

That means an attacker, who spoofs the communication from the server, cannot supply [their] own certificate to the application [that] will be used to encrypt the SSL communication channel, Bashan said, adding that the Gmail app for Android does perform certificate pinning.
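The check Bashan describes, as an added example that is not part of the article and not Google's code: a pinning client does not stop at ordinary chain validation (which a profile-installed CA would pass) but also compares the SHA-256 of the server certificate's SubjectPublicKeyInfo against a set of hashes shipped inside the app. The DER helpers and the two sample certificates below are constructed for the demonstration; no real keys or certificates are used, and the hypothetical `MITM_SPKI` stands in for a certificate minted by an attacker-controlled CA.

```python
import base64
import hashlib

# --- minimal DER helpers (enough for the certificate layout used below) ---

def _tlv(tag, body):
    """Encode one DER TLV (tag-length-value) element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                    # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30
    tag, pos, _ = _read_tlv(cert_der, start)        # TBSCertificate ::= SEQUENCE
    assert tag == 0x30
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    assert tag == 0x30                              # SubjectPublicKeyInfo ::= SEQUENCE
    return cert_der[pos:end]


def spki_pin(spki_der):
    """Base64(SHA-256(SPKI)), the pin format used by HPKP and common mobile pinning libraries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(cert_der, pinned_spki_hashes):
    """The extra check a pinning client runs after normal chain validation has passed."""
    return spki_pin(extract_spki(cert_der)) in pinned_spki_hashes


# --- constructed sample data (not real certificates or keys) ---

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def make_spki(fake_key_bytes):
    """SubjectPublicKeyInfo around a made-up key blob (constructed sample)."""
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + fake_key_bytes))


def build_sample_cert(spki_der):
    """Assemble an unsigned stand-in DER certificate around the given SPKI."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))       # [0] EXPLICIT INTEGER 2 (v3)
    serial = _tlv(0x02, b"\x01")
    sig_alg = _tlv(0x30, _tlv(0x06, SHA256_WITH_RSA_OID) + _tlv(0x05, b""))
    issuer = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    subject = _tlv(0x30, b"")
    tbs = _tlv(0x30, version + serial + sig_alg + issuer + validity + subject + spki_der)
    signature = _tlv(0x03, b"\x00" * 17)            # placeholder, never verified here
    return _tlv(0x30, tbs + sig_alg + signature)


SERVER_SPKI = make_spki(bytes(range(32)))           # the key the app expects to see
MITM_SPKI = make_spki(bytes(range(100, 132)))       # hypothetical key behind a profile-installed CA
PINS = {spki_pin(SERVER_SPKI)}                      # pins compiled into the app


if __name__ == "__main__":
    for name, spki in (("genuine server", SERVER_SPKI), ("MitM proxy", MITM_SPKI)):
        ok = pin_matches(build_sample_cert(spki), PINS)
        print(f"{name}: {'accepted' if ok else 'rejected by pin check'}")
```

Both sample certificates would pass the usual trust-store check once the attacker's CA is installed through a configuration profile; only the pinned SPKI hash distinguishes them, which is exactly the control the iOS app was missing. Pinning the public key rather than the whole certificate lets the server rotate certificates without breaking the app, as long as the key (or a pinned backup key) is retained.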

In the post, Lacoon chalked up the flaw as an oversight on Google's part. As a result, a MitM attack can be performed to gain control over the traffic between Google's server and an iOS device, enabling an attacker to intercept emails and user credentials in plaintext, Bashan said.

“The [iOS] app is implemented in such a way that it allows the attacker to change the certificate, which is used to encrypt the communication channel to Google's servers, to [their] own signed certificate,” Bashan said. “Once the attacker supplies the new certificate, he can decrypt the traffic and view it.”

For the MitM to be performed, a configuration profile must first be installed on the iOS device, Bashan said, explaining the attacker could trick users into downloading the configuration profile by sending out mass phishing emails containing a link.

“The configuration profile can be crafted to contain any text the threat actor decides, [such as] free Wi-Fi,” Bashan said. “The configuration profile allows [the changing of] sensitive system configurations, such as proxy, VPN, and CA certificates.”

Users running iOS can check to see if they have installed a configuration profile by going into the device settings, tapping into ‘General’ and searching for ‘Profiles’ at the bottom of the list. If the option is not available, no configuration profiles are installed.

Google did not respond to a SCMagazine.com request for comment.
