Google Gmail App for iOS Doesn’t Perform Certificate Pinning: Researchers

Researchers at Lacoon Mobile Security have uncovered an issue in Google’s Gmail application for iOS they contend could help an attacker performing a man-in-the-middle attack.

According to Lacoon, an analysis of the application revealed it does not perform certificate pinning. As a result, an attacker launching a man-in-the-middle attack can open and modify Gmail’s encrypted communications. The victim would not receive any indication anything suspicious was going on.

“We were quite surprised by this finding because Google had implemented certificate pinning for their Android Gmail app,” blogged Avi Bashan, CISO of Lacoon. “Clearly, not implementing this for iOS was an oversight by Google.”

According to Lacoon, the issue was reported to Google February 24. Google responded to the company but has not addressed the issue, Bashan wrote.

“In general, secure communications rely on encryption, i.e. SSL, between an app and the back-end server to prevent prying eyes from seeing into content during transmit,” he explained. “The problem with using just SSL is that a threat actor can impersonate the back-end server by creating a spoofed SSL certificate. The certificate is essentially a validation that the server is who it claims to be (in this specific scenario, that back-end server is Google’s Gmail).”

“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats,” he continued. “In particular, in iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows one to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA is what enables the threat actor to create spoofed certificates of legitimate services. It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation.”

In a statement to SecurityWeek, a Google spokesperson said the issue was not a vulnerability in the Gmail app.

“The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app,” the spokesperson said. “Messages you send through the Gmail app on iOS are safely transferred through Google’s servers unless you’ve intentionally reconfigured your device.”

To address this type of situation, mobile app developers need to implement certificate pinning, Bashan noted. He recommended that enterprises dealing with corporate apps that do not use certificate pinning follow these best practices:

  • Check the configuration profiles of devices in your enterprise to ensure that they do not include root certificates.
  • Ensure that employees use a VPN or any other secure channel when connecting to enterprise resources.
  • Perform on-device and network analysis to detect MitM attempts.
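The first recommendation above, turned into a check: an added example (not code from the article, Lacoon or Google) that parses an iOS configuration profile (.mobileconfig, a plist) and reports every payload that installs a certificate, flagging root-CA payloads in particular. The sample profiles, identifiers and certificate bytes are constructed for the example.

```python
"""Audit iOS configuration profiles for payloads that install certificates."""
import hashlib
import plistlib

# Payload types that place certificates into the device trust store.
# com.apple.security.root installs a root CA trusted for all purposes, which
# is exactly what lets a spoofed server certificate pass normal validation.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",
    "com.apple.security.pem",
    "com.apple.security.pkcs1",
    "com.apple.security.pkcs12",
}


def find_cert_payloads(profile: dict) -> list[dict]:
    """Return one finding per certificate payload in a parsed profile."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in CERT_PAYLOAD_TYPES:
            continue
        data = payload.get("PayloadContent", b"")
        findings.append({
            "type": ptype,
            "name": payload.get("PayloadDisplayName", "<unnamed>"),
            "identifier": payload.get("PayloadIdentifier", "<no id>"),
            # Fingerprint lets an admin compare against the CAs they expect.
            "sha256": hashlib.sha256(data).hexdigest() if isinstance(data, bytes) else None,
            "is_root": ptype == "com.apple.security.root",
        })
    return findings


def audit_profile(raw: bytes) -> list[dict]:
    """Parse a .mobileconfig (XML or binary plist) and list certificate payloads."""
    return find_cert_payloads(plistlib.loads(raw))


# Constructed sample: a "VPN settings" profile that also bundles a root CA.
ROGUE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Corp VPN Settings",
    "PayloadIdentifier": "example.corp.vpn",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "example.corp.vpn.tunnel"},
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Corp Root CA",
         "PayloadIdentifier": "example.corp.rootca", "PayloadContent": b"constructed DER bytes"},
    ],
})
# Constructed sample with no certificate payloads at all.
CLEAN_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "example.corp.vpn.tunnel"}]})

if __name__ == "__main__":
    for f in audit_profile(ROGUE_PROFILE):
        print(("ROOT CA " if f["is_root"] else "cert    ") + f["identifier"], f["name"], f["sha256"])
```

Run it against profiles exported from your MDM (or pulled from a device with Apple Configurator) to get the list of CAs each profile would install.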

“With certificate pinning, the app developer codes the intended server certificate within the app,” Bashan blogged. “So if communication is re-routed via the threat actor’s server, the mobile app will recognize the inconsistency between the back-end server certificate as coded within the app, and the certificate returned from the so-called server.”
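The mechanism Bashan describes, as an added example (not Google's or Lacoon's code): the client performs the normal TLS handshake, then compares the certificate the peer actually presented against fingerprints embedded at build time and refuses to proceed on a mismatch, which is what defeats a certificate minted under a user-installed rogue root. The certificate bytes and pin values are constructed stand-ins; pinned_connect is shown for use against a real host.

```python
"""Certificate pinning: accept only the server certificate the app was built for."""
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """The presented certificate is not one the app was built to trust."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, as lowercase hex.
    Production apps usually pin the SubjectPublicKeyInfo hash instead so the
    pin survives certificate renewal with the same key; the check is the same."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned: set[str]) -> str:
    """Return the matching pin or raise PinMismatch; never silently continue."""
    fp = fingerprint(der_cert)
    if fp not in pinned:
        raise PinMismatch(f"server presented unpinned certificate {fp}")
    return fp


def pinned_connect(host: str, pinned: set[str], port: int = 443) -> ssl.SSLSocket:
    """Standard chain validation against the system trust store, followed by the
    pin check on the leaf certificate the peer actually sent. A rogue root added
    via a configuration profile passes the first step but not the second."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        check_pin(tls.getpeercert(binary_form=True), pinned)
    except PinMismatch:
        tls.close()  # no application data (passwords, mail) reaches the impostor
        raise
    return tls


# Constructed stand-ins for DER certificates; real ones are ASN.1 blobs.
GENUINE_CERT = b"constructed DER: mail.example.test, issued by a public CA"
SPOOFED_CERT = b"constructed DER: mail.example.test, issued by a rogue root"
APP_PINS = {fingerprint(GENUINE_CERT)}  # what the app would embed at build time


def pin_decision(der_cert: bytes, pinned: set[str] = APP_PINS) -> bool:
    """Convenience wrapper: True if the app would talk to this server."""
    try:
        check_pin(der_cert, pinned)
        return True
    except PinMismatch:
        return False
```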

*This story was updated with additional commentary from Google.
