Google Gmail App for iOS Doesn’t Perform Certificate Pinning: Researchers

Researchers at Lacoon Mobile Security have uncovered an issue in Google’s Gmail application for iOS they contend could help an attacker performing a man-in-the-middle attack.

According to Lacoon, an analysis of the application revealed it does not perform certificate pinning. As a result, an attacker launching a man-in-the-middle attack can open and modify Gmail’s encrypted communications. The victim would not receive any indication anything suspicious was going on.

“We were quite surprised by this finding because Google had implemented certificate pinning for their Android Gmail app,” blogged Avi Bashan, CISO of Lacoon. “Clearly, not implementing this for iOS was an oversight by Google.”

According to Lacoon, the issue was reported to Google February 24. Google responded to the company but has not addressed the issue, Bashan wrote.

“In general, secure communications rely on encryption, i.e. SSL, between an app and the back-end server to prevent prying eyes from seeing into content during transmit,” he explained. “The problem with using just SSL is that a threat actor can impersonate the back-end server by creating a spoofed SSL certificate. The certificate is essentially a validation that the server is who it claims to be (in this specific scenario, that back-end server is Google’s Gmail).”

“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats,” he continued. “In particular, in iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows one to redefine system functionality parameters such as device, mobile carrier and network settings. The root CA is what enables the threat actor to create spoofed certificates of legitimate services. It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation.”

In a statement to SecurityWeek, a Google spokesperson said the issue was not a vulnerability in the Gmail app.

“The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app,” the spokesperson said. “Messages you send through Gmail app on iOS are safely transferred through Google’s servers unless you’ve intentionally reconfigured your device.”


To address this type of situation, mobile app developers need to implement certificate pinning, Bashan noted. He recommended that enterprises relying on corporate apps that do not use certificate pinning follow these best practices:

  • Check the configuration profiles of devices in your enterprise to ensure that they do not include root certificates.
  • Ensure that employees use a VPN or another secure channel when connecting to enterprise resources.
  • Perform on-device and network analysis to detect MitM attempts.

“With certificate pinning, the app developer codes the intended server certificate within the app,” Bashan blogged. “So if communication is re-routed via the threat actor’s server, the mobile app will recognize the inconsistency between the back-end server certificate as coded within the app, and the certificate returned from the so-called server.”
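The two checks described above, chain validation alone versus chain validation plus a pin, can be seen side by side in a URLSession delegate. The following is an added example written for this page; it is not code from the Gmail app, Google or Lacoon. It pins the SHA-256 hash of the server's leaf certificate DER; the hash values and the example.com host are placeholders that a developer replaces with the certificate of the back-end server they actually intend to pin. Step 1 is the only check an app without pinning performs, and it is the check a root CA installed through a configuration profile satisfies; step 2 is what rejects the spoofed certificate.

```swift
import Foundation
import Security
import CryptoKit

/// URLSession delegate that layers certificate pinning on top of the system's
/// normal TLS chain validation. Added example, not the Gmail app's own code.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {

    /// Base64(SHA-256(DER of the expected leaf certificate)).
    /// PLACEHOLDERS (assumption): compute the real values from the certificate you pin, e.g.
    ///   openssl s_client -connect example.com:443 -servername example.com </dev/null \
    ///     | openssl x509 -outform DER | openssl dgst -sha256 -binary | base64
    /// Pin a backup as well so certificate rotation does not lock users out.
    private let pinnedLeafHashes: Set<String> = [
        "REPLACE_WITH_BASE64_SHA256_OF_PRIMARY_LEAF_DER",
        "REPLACE_WITH_BASE64_SHA256_OF_BACKUP_LEAF_DER",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge (e.g. client auth); let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: ordinary chain validation against the device trust store.
        // An app without pinning stops here. A root CA that the user installed
        // via a configuration profile is in that trust store, so a certificate
        // the attacker minted for the Gmail host name passes this check.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pinning. Compare the presented leaf with the values baked into
        // the app. The attacker's certificate has different DER bytes, so its
        // hash does not match and the connection is refused.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let leafHash = Data(SHA256.hash(data: leafDER)).base64EncodedString()

        if pinnedLeafHashes.contains(leafHash) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Mismatch: treat as a MitM and fail closed; never fall back to step 1 alone.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: send requests for the pinned host through a session owned by the delegate.
// example.com is a placeholder host (assumption), not Google's infrastructure.
let session = URLSession(configuration: .ephemeral,
                         delegate: PinnedSessionDelegate(),
                         delegateQueue: nil)
let task = session.dataTask(with: URL(string: "https://example.com/")!) { _, response, error in
    if let error = error {
        print("request failed (pin mismatch or network error): \(error)")
    } else if let http = response as? HTTPURLResponse {
        print("pinned connection succeeded, HTTP \(http.statusCode)")
    }
}
task.resume()
```

Two practical caveats for anyone adopting this pattern: pinning the whole leaf certificate means every certificate renewal requires shipping a new app build, so many teams pin the Subject Public Key Info hash or an intermediate CA instead and always carry a backup pin; and the pin check must run after, not instead of, the normal trust evaluation, otherwise an expired or revoked certificate with the right hash would still be accepted.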

*This story was updated with additional commentary from Google.

Written By

Marketing professional with a background in journalism and a focus on IT security.
