In what's been described as a shocking oversight, a mobile security firm has discovered a vulnerability in the iOS version of Gmail that leaves open the possibility for a "middle man" to intercept and decrypt data exchanged between app and Google servers.
The iOS version of the Gmail app is vulnerable to fake security certificates, which could be used by third parties to access encrypted messages. Digital certificates, usually the Secure Sockets Layer (SSL) variety, are used to authenticate transmissions and to encrypt data.
Avi Bashan of Lacoon Mobile Security, the firm that found the vulnerability, stated that attackers could generate fake certificates using a root CA installed through a configuration profile.
"The configuration profile is an extremely sensitive iOS file which allows [them] to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA [certificate authority] is what enables the threat actor to create spoofed certificates of legitimate services," stated Bashan. "It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation."
iOS users would still have to install the spoofed certificate on their devices before the attack can proceed. Because the certificates look legitimate and claim to be from Google, even IT professionals could be forgiven for falling into the trap.
Once the certificate has been installed on an iOS device, hackers can discreetly redirect users through spoof sites or filter content through another server between the mobile device and Google.
While the iOS version of the app is vulnerable to accepting fake certificates, the Android version of Gmail uses "certificate pinning" to protect it from certificate spoofing. Certificate pinning involves packaging a list of trusted, legitimate certificates inside the app so the mobile device can check the legitimacy of the certificates it encounters over the Internet.
"With certificate pinning, the app developer codes the intended server certificate within the app," stated Bashan. "So if communication is re-routed via the threat actor's server, the mobile app will recognize the inconsistency between the back-end server certificate as coded within the app, and the certificate returned from the so-called server."
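As an added illustration of the comparison Bashan describes (example code written for this page, not Lacoon's or Google's): trust-store validation accepts any certificate that chains to an installed root, including one added by a configuration profile, whereas a pin check also compares the presented certificate's hash against a value compiled into the app. The issuer names, the byte strings standing in for DER certificates and the `demo` helper are constructed assumptions.

```python
import base64
import hashlib
import ssl
import socket
from typing import Dict, FrozenSet, Set, Tuple


def pin_of(der: bytes) -> str:
    """base64(SHA-256(DER)): the pin format used by HTTP Public Key Pinning (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def chain_trusted(issuer: str, trusted_roots: Set[str]) -> bool:
    """Stand-in for the OS trust-store check: a certificate is accepted if its issuer
    is any installed root CA, including one added by a configuration profile."""
    return issuer in trusted_roots


def accept_server_cert(cert: Dict[str, object], trusted_roots: Set[str],
                       pins: FrozenSet[str]) -> Tuple[bool, str]:
    """Return (accepted, reason). The trust-store check alone is what an unpinned app
    relies on; the pin comparison is the extra step a pinned app performs."""
    if not chain_trusted(cert["issuer"], trusted_roots):
        return False, "chain does not lead to a trusted root"
    if pin_of(cert["der"]) not in pins:
        return False, "certificate does not match pinned hash"
    return True, "ok"


def pin_of_live_peer(host: str, port: int = 443) -> str:
    """Compute the pin of a real server's leaf certificate (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return pin_of(tls.getpeercert(binary_form=True))


# Constructed sample data: these byte strings stand in for DER-encoded certificates.
GOOGLE_CERT = {"issuer": "Legit Root CA", "der": b"constructed-der:mail.google.com:legit-key"}
SPOOFED_CERT = {"issuer": "Profile-installed Root CA",
                "der": b"constructed-der:mail.google.com:attacker-key"}
PINS = frozenset({pin_of(GOOGLE_CERT["der"])})  # shipped inside the app at build time


def demo() -> Dict[str, object]:
    """Model a device after a configuration profile has added a second root CA."""
    device_roots = {"Legit Root CA", "Profile-installed Root CA"}
    return {
        "legit": accept_server_cert(GOOGLE_CERT, device_roots, PINS),
        "spoofed_trust_only": chain_trusted(SPOOFED_CERT["issuer"], device_roots),
        "spoofed_pinned": accept_server_cert(SPOOFED_CERT, device_roots, PINS),
    }
```

`demo()` shows the spoofed certificate passing the trust-store check once the profile's root CA is installed, yet failing the pin comparison.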
So far, Google hasn't released any details on its efforts to resolve the vulnerability.
Lacoon recommended that users check their devices for installed root certificates and for publicly or individually signed certificates, and scan their devices and network for evidence of "middle-man" reroutes. The firm also recommended using the app only over secure connections, such as virtual private networks.