Gmail App for iOS vulnerable to Man-in-the-Middle Attacks

Security experts at Lacoon discovered a vulnerability in the Gmail iOS app which enables a bad actor to perform a Man-in-the-Middle.

Google Gmail application for iOS is exposed to risks of  Man-in-the-Middle (MitM) attacks which allow bad actors to monitor encrypted email communications.

An expert at mobile security firm Lacoon has discovered that version of Gmail for iOS based mobile device does not perform the certificate pinning procedure when establishing a trusted connection to the service provider, this means that an attacker can view plaintext emails and steal credentials in MitM attack, millions of its Apple device users are exposed to the risk of attack.

“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats.“

According to the researcher Avi Bashan of Lacoon Mobile Security, an attacker exploiting the flaw could generate bogus certificates from configuration profiles, he just needs to install a configuration profile on the iOS device. To install a configuration profile the attackers are tricking users into downloading it by sending out a link in mass phishing emails.

The MITM attack scenario on GMail is composed of the following four steps:

Waiting Google will fix it, the experts suggest to follow these best practices in absence of certificate pinning:

• Check the configuration profiles of devices in your enterprise to ensure that they do not include root certificates.
• Ensure that employees use a VPN or any other secure channel when connecting to enterprise resources
• Perform on-device and network analysis to detect MitM attempts

Pierluigi Paganini

Security Affairs –  (Gmail, MITM)