As banking and other sensitive functions in society increasingly move to cell phones, another mobile phone security bug has been discovered, this one putting iOS users at risk when using Gmail.
Lacoon, a mobile security firm, recently released details of the new vulnerability that allows hackers to view and even modify encrypted communication.
Google’s Gmail for iOS does not perform certificate pinning
The security firm’s research discovered that the Gmail iOS app, run on Macintosh mobile devices, does not perform certificate pinning. As a result, attackers can use a Man-in-the-Middle (MitM) technique to impersonate a legitimate server using a spoofed SSL certificate. Such a MitM attack could open up encrypted communications, and the user would see no indication of suspicious activity.
This type of threat is most often prevented using certificate pinning, where the app developer codes the intended server certificate within the app. If communication is re-routed, the mobile app then recognizes the inconsistency between the back-end server certificate coded within the app and the certificate returned from the fake server. This isn’t happening with Apple Inc. (NASDAQ:AAPL) products, however.
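A simplified version of the pin check the article describes, as an added example that is not Lacoon's or Google's code: it pins the SHA-256 of the server's SubjectPublicKeyInfo (so a legitimate certificate renewal that keeps the same key still passes), extracts that structure with a minimal DER walk, and refuses the connection when the presented certificate does not match, even if the spoofed certificate chains to a root the device trusts. The host, the pins list and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def _der_tlv(buf: bytes, pos: int = 0):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end, tlv_start) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def spki_from_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate."""
    _, cert_start, _ = _der_tlv(cert_der)                   # Certificate SEQUENCE
    _, tbs_start, tbs_end = _der_tlv(cert_der, cert_start)  # tbsCertificate SEQUENCE
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version precedes serialNumber
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, vend, tlv_start = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo must be a SEQUENCE")
    return cert_der[tlv_start:vend]


def spki_pin(cert_der: bytes) -> str:
    """Hex SHA-256 of the SPKI: the value an app would embed at build time."""
    return hashlib.sha256(spki_from_der(cert_der)).hexdigest()


def chain_matches_pins(chain_der, pins) -> bool:
    """True if any certificate presented by the server carries a pinned public key."""
    return any(hmac.compare_digest(spki_pin(c), p) for c in chain_der for p in pins)


def pinned_connect(host: str, port: int, pins):
    """Open a TLS connection; normal chain validation runs first, then the pin check."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
            if not chain_matches_pins([leaf], pins):
                raise ssl.SSLError("certificate pin mismatch: possible MitM")
            return tls.version()
```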
Google previously informed of the vulnerability
Could Google’s Android be singling out iPhone users?
Certificate pinning is implemented in Gmail’s Android app, a report in BetaNews noted. While they chalked it up to an oversight, Google was informed of the vulnerability at the end of February and validated its existence; it was still present at the time of writing, the report noted.
“Several months after providing responsible disclosure, Google Inc (NASDAQ:GOOG) (NASDAQ:GOOGL) has not provided information regarding resolution and it still remains an open vulnerability,” said Michael Shaulov, CEO and co-founder of Lacoon Mobile Security. “This vulnerability leaves iPhone and iPad users at risk of a threat actor being able to view and modify encrypted communications through a Man-in-the-Middle attack.”
Until the issue is addressed, enterprise customers are being told to take precautions. Among them: check the configuration profiles of devices to ensure they don’t include root certificates, make certain a secure channel like a VPN is used when accessing corporate resources, and conduct network and device analysis to detect MitM attacks.