Gmail app on iOS vulnerable to snooping, thanks to 'certificate pinning' flaw


Summary: Attackers have an easy way to intercept and steal encrypted communications of Google's Gmail users on iOS.

Image: Lacoon mobile security

Google has left out a key security measure in its Gmail app for iOS, leaving users exposed to attackers standing between their encrypted communications and Google's servers.

According to mobile security firm Lacoon, Google is aware of a security gap in its Gmail app on iOS, one which it has already closed in its equivalent app for Android.

The problem, according to Lacoon researcher Avi Bashan, is that Gmail on iOS currently lacks what's known as 'certificate pinning' — a well-known measure that developers can build into their apps to mitigate attacks that dupe victims into installing a malicious configuration profile.

Configuration profiles are commonly used in the enterprise to specify settings such as wi-fi, VPN, email server, and most importantly in this case, credentials and encryption keys. However, they also expose devices to attacks that undermine secure sockets layer (SSL) encryption between an app and server.

"In particular, in iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows [them] to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA is what enables the threat actor to create spoofed certificates of legitimate services. It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation," Bashan noted.

Google began certificate pinning within Chrome some years ago to tackle the threat of bogus certificates to its own services, by making the browser check that the certificates it sees align with those it knows Google is using. Mobile developers can do the same for any app that uses an SSL connection. Separately, Google and Microsoft have been cleaning up a digital certificate mess this week after an Indian government agency issued bogus certificates for Google and Yahoo domains. In that case, Google's certificate pinning in Chrome protected users from spoofed Google domains.
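To make the mechanism concrete, here is an added example (not code from Google, Lacoon or the Gmail app, which would be written in Objective-C or Swift; Python is used so it runs anywhere) that shows why a rogue root CA installed through a configuration profile defeats ordinary trust-store validation but not a public-key pin. It builds two minimal, constructed DER certificates inline: one from a genuine CA and one for the same hostname from a rogue root that the profile added to the device's trust store. The names, keys and the simplified issuer check are all assumptions made for the demonstration; the SPKI-hash pin format is the same idea Chrome uses for Google's domains.

```python
"""Constructed demonstration of SPKI certificate pinning versus trust-store
validation. The certificates are toy X.509 structures built in-process,
not real certificates from Google or any CA."""
import base64
import hashlib

# ASN.1 tags used by the toy certificates
SEQ, INT, BITSTR, OID, PRINTABLE, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x13, 0x17, 0xA0
RSA_OID = bytes.fromhex("2A864886F70D010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(body: bytes) -> list:
    """Split the body of a constructed DER element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, first = body[pos], body[pos + 1]
        pos += 2
        if first < 0x80:
            length = first
        else:
            nb = first & 0x7F
            length = int.from_bytes(body[pos:pos + nb], "big")
            pos += nb
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def make_cert(issuer: str, subject: str, public_key: bytes) -> bytes:
    """Build a structurally valid but toy certificate (constructed, unsigned)."""
    name = lambda s: der_tlv(SEQ, der_tlv(PRINTABLE, s.encode()))
    alg = der_tlv(SEQ, der_tlv(OID, RSA_OID))
    spki = der_tlv(SEQ, alg + der_tlv(BITSTR, b"\x00" + public_key))
    validity = der_tlv(SEQ, der_tlv(UTCTIME, b"240101000000Z") + der_tlv(UTCTIME, b"250101000000Z"))
    tbs = der_tlv(SEQ,
                  der_tlv(CTX0, der_tlv(INT, b"\x02"))   # [0] version v3
                  + der_tlv(INT, b"\x01")                 # serialNumber
                  + alg + name(issuer) + validity + name(subject) + spki)
    return der_tlv(SEQ, tbs + alg + der_tlv(BITSTR, b"\x00fake-signature"))


def tbs_fields(cert_der: bytes) -> list:
    """Return tbsCertificate fields with the optional version removed:
    serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo."""
    cert_body = der_children(cert_der)[0][1]
    tbs_body = der_children(cert_body)[0][1]
    fields = der_children(tbs_body)
    return fields[1:] if fields[0][0] == CTX0 else fields


def issuer_of(cert_der: bytes) -> str:
    return der_children(tbs_fields(cert_der)[2][1])[0][1].decode()


def spki_pin(cert_der: bytes) -> str:
    """HPKP/Chrome-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    tag, body = tbs_fields(cert_der)[5]
    digest = hashlib.sha256(der_tlv(tag, body)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def chain_validates(leaf: bytes, trusted_roots: set) -> bool:
    """Simplified stand-in for system trust-store validation: the leaf is
    accepted if its issuer is a root the device trusts."""
    return issuer_of(leaf) in trusted_roots


def pin_matches(leaf: bytes, pins: set) -> bool:
    """The pinning step an app adds on top of normal validation."""
    return spki_pin(leaf) in pins


def accept_connection(leaf: bytes, trusted_roots: set, pins: set) -> bool:
    return chain_validates(leaf, trusted_roots) and pin_matches(leaf, pins)


# Constructed sample data (assumptions, not real keys or CA names)
GENUINE_CERT = make_cert("Genuine Root CA (toy)", "mail.example", b"constructed-genuine-server-key")
ROGUE_CERT = make_cert("Rogue Root CA (toy, from profile)", "mail.example", b"constructed-attacker-key")
PINS = {spki_pin(GENUINE_CERT)}                    # shipped inside the app binary
SYSTEM_TRUST = {"Genuine Root CA (toy)"}
PROFILE_TRUST = SYSTEM_TRUST | {"Rogue Root CA (toy, from profile)"}  # after the profile is installed

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("rogue", ROGUE_CERT)):
        print(f"{label}: trust-store only={chain_validates(cert, PROFILE_TRUST)}, "
              f"with pinning={accept_connection(cert, PROFILE_TRUST, PINS)}")
```

Without the profile the rogue certificate fails the trust-store check on its own; once the profile has added the rogue root, the trust-store check passes for both certificates and only the pin separates the genuine server key from the attacker's. That is the gap Lacoon describes: the device's own validation cannot tell the two apart, so the check has to live in the app.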

According to Bashan, Lacoon notified Google of the problem on 24 February and, although Google recognised and validated the flaw and said it would fix it, it remains open. Lacoon published details of the weakness in the hope of pressuring Google into fixing the issue.

Google highlighted the manual nature of the attack vector. "This is not a vulnerability in the Gmail app. The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app. Messages you send through Gmail app on iOS are safely transferred through Google's servers unless you've intentionally reconfigured your device," Google said in a statement.

Google declined to comment when asked by ZDNet when or if it will include certificate pinning in future iOS Gmail apps.

In the absence of a fix from Google, Bashan advised enterprises to check that their device configuration profiles do not include root certificates, ensure employees are using a VPN or other secure channel when connecting to the enterprise, and to check the device for man-in-the-middle attempts.



Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.


Talkback

3 comments
  • Requires action by iOS user?

    Just to confirm, if the user did not install the faulty configuration file, they would be fine, correct? Or can these files be installed on the iOS devices without the user's knowledge or consent? This is just a check by Gmail that iOS did not allow fraudulent credentials to be loaded on the device?
    Harlon Katz
    • Installing them is a manual process.

      "Just to confirm, if the user did not install the faulty configuration file, they would be fine, correct?"

      It appears to be that way.

      And installing them is a manual process that requires going through some prompts. A website can start the process, I think, but the user has to verify they want to do it. It's a very unusual thing to ask the user to do, and should be waving red flags like crazy if you ever find something that wants to do it.

      If you didn't intentionally set out to install a profile after a lot of research, you should refuse all attempts to install a configuration profile.
      CobraA1
  • Configuration profiles should never, ever be used casually.

    Configuration profiles should never, ever be used casually. The average joe should NEVER use them, a developer or beta tester should only ever use one: The test flight profile for testing apps.

    Even enterprise IT use should only ever use a configuration profile after extensive research, and never EVER just accept a random one via a random email.

    These are things that never, ever should be used casually, and should always be used after extensive research. 99% of users should have ZERO configuration profiles installed on their iOS devices. They are very narrow, extremely limited use things.

    If you didn't set out to look for one to fill a specific need, don't let anybody even try to convince you to install one.
    CobraA1