THOSE ACCESSING Gmail on iOS devices could be at risk of having their data stolen, Lacoon Mobile Security has warned.
The security firm said that the vulnerability has been made possible through Google's failure to implement a technology to prevent attackers from viewing and modifying encrypted communications exchanged with the web giant.
Lacoon chief information security officer Avi Bashan explained in a blog post that websites use digital certificates to encrypt data traffic using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, but in some instances those certificates can be spoofed by attackers, allowing them to observe and decrypt the traffic.
"During a routine analysis of the Gmail iOS app we unexpectedly came across a vulnerability which enables a threat actor that is performing a man-in-the-middle attack to view, and even modify, encrypted communications," Bashan said.
"In general, secure communications rely on encryption, [that is,] SSL, between an app and the back-end server to prevent prying eyes from seeing into content during transmit.
"The problem with using just SSL is that a threat actor can impersonate the back-end server by creating a spoofed SSL certificate. The certificate is essentially a validation that the server is who it claims to be, in this specific scenario, that back-end server is Google's Gmail."
Bashan said that by impersonating the legitimate server with a man-in-the-middle attack through the use of a spoofed SSL certificate, the threat actor can defeat the encryption to view and even modify all communications in plain-text, including passwords, emails, and chats.
"In iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows to re-define system functionality parameters such as device, mobile carrier and network settings," he explained.
"The root CA is what enables the threat actor to create spoofed certificates of legitimate services... the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation."
Lacoon found that the Gmail iOS app does not perform certificate pinning and as a result a threat actor can perform a man-in-the-middle attack and open up the Gmail encrypted communications so the victim does not receive any indication of suspicious activity.
"We were quite surprised by this finding because Google had implemented certificate pinning for their Android Gmail app. Clearly, not implementing this for iOS was an oversight by Google," Bashan added.
Lacoon's research team informed Google about this problem on 24 February, with Google having recognised the flaw and validated it. According to Lacoon, it was told that Google was going to fix this issue, though it said that the vulnerability still exists.
Lacoon said that to mitigate the attacks, users and businesses should check the configuration profiles of devices in their enterprise to ensure that they do not include root certificates, and make sure that employees use a VPN or any other secure channel when connecting to enterprise resources.
