
Google Gmail App for iOS Doesn’t Perform Certificate Pinning: Researchers

Researchers at Lacoon Mobile Security have uncovered an issue in Google’s Gmail application for iOS they contend could help an attacker performing a man-in-the-middle attack.

According to Lacoon, an analysis of the application revealed it does not perform certificate pinning. As a result, an attacker launching a man-in-the-middle attack can open and modify Gmail’s encrypted communications. The victim would not receive any indication anything suspicious was going on.

“We were quite surprised by this finding because Google had implemented certificate pinning for their Android Gmail app,” blogged Avi Bashan, CISO of Lacoon. “Clearly, not implementing this for iOS was an oversight by Google.”

According to Lacoon, the issue was reported to Google on February 24. Google responded to the company but has not addressed the issue, Bashan wrote.

“In general, secure communications rely on encryption, i.e. SSL, between an app and the back-end server to prevent prying eyes from seeing into content during transmit,” he explained. “The problem with using just SSL is that a threat actor can impersonate the back-end server by creating a spoofed SSL certificate. The certificate is essentially a validation that the server is who it claims to be (in this specific scenario, that back-end server is Google’s Gmail).”

“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats,” he continued. “In particular, in iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows one to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA is what enables the threat actor to create spoofed certificates of legitimate services. It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation.”

In a statement to SecurityWeek, a Google spokesperson said the issue was not a vulnerability in the Gmail app.

“The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app,” the spokesperson said. “Messages you send through the Gmail app on iOS are safely transferred through Google’s servers unless you’ve intentionally reconfigured your device.”


To address this type of situation, mobile app developers need to implement certificate pinning, Bashan noted. He recommended enterprises dealing with corporate apps that do not use certificate pinning should follow these best practices:

  • Check the configuration profiles of devices in your enterprise to ensure that they do not include root certificates.
  • Ensure that employees use a VPN or any other secure channel when connecting to enterprise resources.
  • Perform on-device and network analysis to detect MitM attempts.

“With certificate pinning, the app developer codes the intended server certificate within the app,” Bashan blogged. “So if communication is re-routed via the threat actor’s server, the mobile app will recognize the inconsistency between the back-end server certificate as coded within the app, and the certificate returned from the so-called server.”

*This story was updated with additional commentary from Google.

Written By

Marketing professional with a background in journalism and a focus on IT security.
