Security researchers have reported a vulnerability that allows an attacker to intercept the encrypted communication between the Gmail app for iOS and Google's servers through a man-in-the-middle (MitM) attack.

The flaw is that the mobile app does not embed the legitimate certificate of the server it communicates with, a safeguard called certificate pinning.

Pinning means hard-coding the certificate of the intended server into the client, Gmail for iOS in this case, so that a connection proceeds only when the certificate presented at the other end of the line matches the stored one.

Because the iOS version lacks this safeguard, cybercriminals holding a rogue certificate trusted by the device could impersonate the server, route all traffic through their own systems and read the information in unencrypted form. The Gmail app for Android does implement certificate pinning.
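To make the missing safeguard concrete, the following is an added example (not code from the article, Lacoon or Google's app) of what a pinning check looks like on the client side, written in Go. The "legitimate" and "rogue" certificates are constructed in the block itself, and the host name imap.gmail.com is only an illustrative label; a rogue-CA certificate that the device has been tricked into trusting passes ordinary chain validation but is still rejected because its key does not match the pin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// NewCertDER is a test fixture: a self-signed DER certificate for host with a fresh key.
func NewCertDER(host string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only: errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

// SPKIPin is hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate: the value a pinning client hard-codes.
func SPKIPin(der []byte) string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "" // an unparsable leaf can never match a pin
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned fits tls.Config.VerifyPeerCertificate; run after normal chain validation, it rejects any leaf whose key is not pinned.
func VerifyPinned(pins map[string]bool) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 || !pins[SPKIPin(rawCerts[0])] {
			return fmt.Errorf("leaf key matches no pin: possible MitM")
		}
		return nil // the server holds the key baked into the client
	}
}

func main() {
	legit := NewCertDER("imap.gmail.com")
	verify := VerifyPinned(map[string]bool{SPKIPin(legit): true})
	fmt.Println("legitimate server:", verify([][]byte{legit}, nil))
	rogue := NewCertDER("imap.gmail.com") // same name, different key: what an interceptor presents
	fmt.Println("rogue server:", verify([][]byte{rogue}, nil))
}
```

In a real client the pin set would hold the SPKI hashes of the current and backup server keys, and VerifyPinned would be installed alongside, not instead of, the platform's chain validation.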

Researchers from mobile security firm Lacoon describe an attack scenario in which the victim is duped into installing a hostile configuration profile that adds the attacker's CA certificate to the device's trusted store. iOS is susceptible to this form of attack, and the profile can be delivered by luring the victim to visit a webpage from their device.

When the victim then opens the Gmail app, all of its traffic is routed through a server under the cybercriminals' control, giving them access to the communication in plain text.

Google takes security issues in its products seriously, but in this case the release of a patch has been delayed. Lacoon says it reported the issue more than four months ago, on February 24, and the search giant still has not fixed it.

“Lacoon’s research team informed Google about this problem on February 24. Google had recognized this flaw and validated it. We were told that they were going to fix this issue though to date, this vulnerability still exists,” said Avi Bashan in a blog post.

Recently, the National Informatics Centre in India, which was authorized to issue intermediate digital certificates trusted by the Indian Controller of Certifying Authorities (India CCA), was compromised and rogue certificates were found.

The full extent of the breach is not yet known, but Google has taken steps to limit the India CCA root certificates to a handful of domains.

This shows that the organizations that issue certificates are themselves exposed to outside attacks, which can result in unauthorized certificates implicitly trusted by web browsers and applications, posing a serious risk to the secure communication of sensitive information.

Mitigating the risks depends primarily on the developer. “First and foremost, it’s up to the mobile app developer to implement certificate pinning. With enough public concern, let’s hope that app developers start listening to their customers and placing the necessary security measures,” writes Avi Bashan.