Researchers at Lacoon Mobile Security have uncovered an issue in Google’s Gmail application for iOS that they contend could help an attacker perform a man-in-the-middle attack.
According to Lacoon, an analysis of the application revealed it does not perform certificate pinning. As a result, an attacker launching a man-in-the-middle attack can open and modify Gmail’s encrypted communications. The victim would not receive any indication anything suspicious was going on.
“We were quite surprised by this finding because Google had implemented certificate pinning for their Android Gmail app,” blogged Avi Bashan, CISO of Lacoon. “Clearly, not implementing this for iOS was an oversight by Google.”
According to Lacoon, the issue was reported to Google on February 24. Google responded to the company but has not addressed the issue, Bashan wrote.
“In general, secure communications rely on encryption, i.e. SSL, between an app and the back-end server to prevent prying eyes from seeing into content during transmit,” he explained. “The problem with using just SSL is that a threat actor can impersonate the back-end server by creating a spoofed SSL certificate. The certificate is essentially a validation that the server is who it claims to be (in this specific scenario, that back-end server is Google’s Gmail).”
“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats,” he continued. “In particular, in iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows one to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA is what enables the threat actor to create spoofed certificates of legitimate services. It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation.”
In a statement to SecurityWeek, a Google spokesperson said the issue was not a vulnerability in the Gmail app.
“The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app,” the spokesperson said. “Messages you send through the Gmail app on iOS are safely transferred through Google’s servers unless you’ve intentionally reconfigured your device.”
To address this type of situation, mobile app developers need to implement certificate pinning, Bashan noted. He recommended that enterprises dealing with corporate apps that do not use certificate pinning follow these best practices:
- Check the configuration profiles of devices in your enterprise to ensure that they do not include root certificates.
- Ensure that employees use a VPN or any other secure channel when connecting to enterprise resources.
- Perform on-device and network analysis to detect MitM attempts.
“With certificate pinning, the app developer codes the intended server certificate within the app,” Bashan blogged. “So if communication is re-routed via the threat actor’s server, the mobile app will recognize the inconsistency between the back-end server certificate as coded within the app, and the certificate returned from the so-called server.”
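Pinning as Bashan describes it, shown as an added example that is neither Google's nor Lacoon's code: the app ships the SHA-256 of the server's SubjectPublicKeyInfo and rejects any leaf certificate carrying a different public key, which is exactly what a certificate minted under an attacker-installed root CA would carry, even though the device's trust store accepts it. The DER walk, the `demo_spki`/`demo_cert` skeletons and the key bytes are constructed for this illustration; a real app would call `certificate_matches_pins` on the DER certificate its TLS stack returns, after normal chain validation.

```python
import base64
import hashlib
def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate."""
    tag, pos, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE {
    tag2, pos, _ = _read_tlv(cert_der, pos)         #   tbsCertificate ::= SEQUENCE {
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, end = _read_tlv(cert_der, pos)          #     [0] EXPLICIT version OPTIONAL
    if tag == 0xA0:
        pos = end
    for _ in range(5):      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)          #     subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:end]

def spki_pin(cert_der):
    """HPKP-style pin string: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def certificate_matches_pins(cert_der, pins):
    """True only if the presented certificate carries one of the pinned public keys."""
    return spki_pin(cert_der) in pins

def _der(tag, content):   # helpers below build constructed, unsigned skeletons, not real certs
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def demo_spki(key_bytes):
    rsa = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")       # rsaEncryption OID
    return _der(0x30, _der(0x30, rsa + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bytes))

def demo_cert(spki_der):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") * 3 + spki_der)    # issuer, validity, subject left empty
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

A second certificate built around a different key, as a spoofed one from an attacker-controlled CA would be, fails the pin check even though its structure is otherwise identical.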
*This story was updated with additional commentary from Google.*