Google Gmail application for iOS is exposed to risks of Man-in-the-Middle (MitM) attacks which allow bad actors to monitor encrypted email communications.
An expert at mobile security firm Lacoon has discovered that version of Gmail for iOS based mobile device does not perform the certificate pinning procedure when establishing a trusted connection to the service provider, this means that an attacker can view plaintext emails and steal credentials in MitM attack, millions of its Apple device users are exposed to the risk of attack.
“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats.“
“Several months after providing responsible disclosure, Google has not provided information regarding resolution and it still remains an open vulnerability,” “This vulnerability leaves iPhone and iPad users at risk of a threat actor being able to view and modify encrypted communications through a Man-in-the-Middle attack.” said Michael Shaulov, CEO and co-founder of Lacoon Mobile Security.
“The configuration profile is an extremely sensitive iOS file which allows [them] to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA [certificate authority] is what enables the threat actor to create spoofed certificates of legitimate services,” said Avi Bashan. “It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation.“