13th Jul 2014, 01:47 PM #1
Gmail for iOS Poses Man-in-the-Middle Attack Risk
A vulnerability that allows a potential attacker to intercept encrypted communication between the Gmail app for iOS and the server via the man-in-the-middle (MitM) technique has been reported by security researchers.
The flaw resides in the fact that the mobile app does not incorporate the legitimate certificate that validates the server receiving the communication, a feature called certificate pinning.
Pinning basically consists in the certificate for the intended server being hard-coded into the client, Gmail for iOS in this case, permitting traffic to be initiated only when it encounters a match at the other end of the line.
Because Gmail for iOS devices lacks this feature, cybercriminals could use a rogue certificate to impersonate the server and route all traffic through their systems, thus gaining access to the information in unencrypted form. Certificate pinning is available in the Gmail app for Android, though.
Researchers from Lacoon mobile security firm present an attack scenario, involving cybercriminals duping the victim into installing a hostile configuration profile, which adds the unauthorized CA certificate. iOS is vulnerable to this form of attack, which can be carried out by luring the victim to visit a webpage from their device.
When the victim runs the Gmail app, all traffic is then routed through the server under the control of the cybercriminals, giving them access to all communication in plain text.
Google is very sensitive about security issues in their products, but in this case, they delayed the release of a patch. Lacoon says that they reported the issue more than four months ago, on February 24, and the search giant still has not fixed it.
“Lacoon’s research team informed Google about this problem on February 24. Google had recognized this flaw and validated it. We were told that they were going to fix this issue though to date, this vulnerability still exists,” said Avi Bashan in a blog post.
Recently, the National Informatics Centre in India, which was authorized to issue intermediate digital certificates trusted by the Indian Controller of Certifying Authorities (India CCA), was compromised and rogue certificates were found.
The full extent of the breach is not known at the moment, but Google took the necessary steps to limit India CCA root certificates to a handful of domains.
This shows that organizations handling validation documents are vulnerable to outside attacks that can lead to issuing unauthorized certificates trusted by web browsers and applications implicitly, posing a serious risk to the secure communication of sensitive information.
Mitigating the risks depends primarily on the developer. “First and foremost, it’s up for the mobile app developer to implement certificate pinning. With enough public concern, let’s hope that app developers start listening to their customers and placing the necessary security measures,” writes Avi Bashan.
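The pinning check described in the post, as an added Python example that is not part of the original post and is not Gmail's or Lacoon's code: the client ships SHA-256 fingerprints of the expected server certificate and refuses any certificate that does not match, even when the chain validates against the device trust store. The certificate bytes, the backup pin and the function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
LEGIT_CERT_DER = b"constructed-der-bytes-of-the-real-server-certificate"
ROGUE_CERT_DER = b"constructed-der-bytes-issued-by-a-ca-added-via-profile"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Pins are hard-coded into the client. A backup pin (constructed here) lets the
# server rotate its certificate without locking out installed clients.
PINNED_SHA256 = frozenset({
    fingerprint(LEGIT_CERT_DER),
    fingerprint(b"constructed-backup-certificate"),
})


def pin_matches(cert_der, pins=PINNED_SHA256) -> bool:
    """True only if the presented certificate hashes to one of the pins."""
    if not cert_der:
        return False  # no certificate presented: fail closed
    seen = fingerprint(cert_der)
    return any(hmac.compare_digest(seen, pin) for pin in pins)


def connection_allowed(chain_trusted: bool, cert_der, pins=PINNED_SHA256) -> bool:
    """Pinning is an extra gate: the chain must validate AND the pin must match."""
    return chain_trusted and pin_matches(cert_der, pins)


def open_pinned(host: str, port: int = 443, pins=PINNED_SHA256, timeout: float = 10):
    """Open a TLS connection; close it before any data is sent on pin mismatch."""
    ctx = ssl.create_default_context()  # normal chain and hostname validation
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    # A CA added by a configuration profile makes the rogue chain "trusted";
    # only the pin check rejects it.
    print("legit:", connection_allowed(True, LEGIT_CERT_DER))
    print("rogue:", connection_allowed(True, ROGUE_CERT_DER))
```

To use `open_pinned` against a real server, replace `PINNED_SHA256` with fingerprints computed from that server's actual certificates.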