Gmail app on iOS vulnerable to snooping, thanks to 'certificate pinning' flaw

Attackers have an easy way to intercept and steal encrypted communications of Google's Gmail users on iOS.

Image: Lacoon mobile security

Google has left out a key security measure in its Gmail app for iOS, leaving users exposed to attackers standing between their encrypted communications and Google's servers.

According to mobile security firm Lacoon, Google is aware of a security gap in its Gmail app on iOS, one which it has already closed in its equivalent app for Android.

The problem, according to Lacoon researcher Avi Bashan, is that Gmail on iOS currently lacks what's known as 'certificate pinning' — a well-known measure that developers can build in to their apps to mitigate attacks that dupe victims into installing a malicious configuration profile.

Read this

iOS vs Android: Which is more of a security threat for the enterprise?

Apple has kept malware out of its App Store but iOS devices, like their Android rivals, are still susceptible to all sorts of attacks.

Read More

Configuration profiles are commonly used in the enterprise to specify settings such as wi-fi, VPN, email server, and most importantly in this case, credentials and encryption keys. However, they also expose devices to attacks that undermine secure sockets layer (SSL) encryption between an app and server.

"In particular, in iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows [them] to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA is what enables the threat actor to create spoofed certificates of legitimate services. It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation," Bashan noted.

Google began certificate pinning within Chrome some years ago to tackle the threat of bogus certificates to its own services by making the browser check the certificates it sees align with those it knows Google is using. Mobile developers can do the same for all apps that use an SSL connection. Separately, Google and Microsoft have been cleaning up a digital certificate mess this week after an Indian government agency issued bogus certificates for Google and Yahoo domains . In that case, Google's certificate pinning in Chrome protected users from spoofed Google domains.

According to Bashan, the company notified Google of the problem on 24 February and although Google had recognised, validated and said it would fix the flaw, it remains open. The company published details of the weakness in the hope of pressuring Google into fixing the issue.

Google highlighted the manual nature of the attack vector. "This is not a vulnerability in the Gmail app. The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app. Messages you send through Gmail app on iOS are safely transferred through Google's servers unless you've intentionally reconfigured your device," Google said in a statement.

Google declined to comment when asked by ZDNet when or if it will include certificate pinning in future iOS Gmail apps.

In the absence of a fix from Google, Bashan advised enterprises to check that their device configuration profiles do not include root certificates, ensure employees are using a VPN or other secure channel when connecting to the enterprise, and to check the device for man-in-the-middle attempts.

Read more on Android security