Categories: Hacking

Gmail App for iOS vulnerable to Man-in-the-Middle Attacks

Security experts at Lacoon discovered a vulnerability in the Gmail iOS app which enables a bad actor to perform a Man-in-the-Middle.

Google Gmail application for iOS is exposed to risks of Man-in-the-Middle (MitM) attacks which allow bad actors to monitor encrypted email communications.

An expert at mobile security firm Lacoon has discovered that version of Gmail for iOS based mobile device does not perform the certificate pinning procedure when establishing a trusted connection to the service provider, this means that an attacker can view plaintext emails and steal credentials in MitM attack, millions of its Apple device users are exposed to the risk of attack.

“By impersonating the legitimate server (i.e. performing a Man-in-the-Middle) through the usage of a spoofed SSL certificate, the threat actor can open up the encryption, view, and even modify, all communications in plain-text – including passwords, emails, and chats.“

Experts at Lacoon reported the problem to the Google company at the end of February, the security issue was fixed, but it appears still exploitable in Gmail’s iOS app. Google was informed once again, but its experts haven’t yet responded.

“Several months after providing responsible disclosure, Google has not provided information regarding resolution and it still remains an open vulnerability,” “This vulnerability leaves iPhone and iPad users at risk of a threat actor being able to view and modify encrypted communications through a Man-in-the-Middle attack.” said Michael Shaulov, CEO and co-founder of Lacoon Mobile Security.

The certificate pinning is a mechanism used to prevent MITM attacks, the client after obtaining the server’s certificate, with a standard connection, checks the server’s certificate against trusted validation data.

Typically the application itself includes a trusted copy of that certificate, or a trusted hash or fingerprint of that certificate or the certificate’s public key, in this way, even if an attacks performs a MITM attack, its bogus certificates are refused.

If a user accessed Google.com from his browser, it will trust the certificate if it’s signed by any trusted “Certificate Authority” (e.g.Digicert), but if he will connect to a Google server via an app on mobile, it will only trust the certificates signed by Google itself.

According to the researcher Avi Bashan of Lacoon Mobile Security, an attacker exploiting the flaw could generate bogus certificates from configuration profiles, he just needs to install a configuration profile on the iOS device. To install a configuration profile the attackers are tricking users into downloading it by sending out a link in mass phishing emails.

“The configuration profile is an extremely sensitive iOS file which allows [them] to re-define system functionality parameters such as device, mobile carrier and network settings. The root CA [certificate authority] is what enables the threat actor to create spoofed certificates of legitimate services,” said Avi Bashan. “It is important to note that the configuration profile is very simple to install. More so, many legitimate enterprise policies demand its installation.“

The MITM attack scenario on GMail is composed of the following four steps:

Hacker tricks victim into installing a configuration profile containing the root certificate and the details of the server to reroute the traffic to. (Note: to do this, a threat actor can use a variety of social engineering methods such as sending an email, purportedly from the IT department, requesting to install the configuration profile.)
Reroutes victim’s traffic through the server under the threat actor’s control, defined by the malicious configuration profile.
Creates spoofed certificates which are identified as valid by the victim’s device.
Intercepts all traffic between the attacked device and intended server.

Waiting Google will fix it, the experts suggest to follow these best practices in absence of certificate pinning:

Check the configuration profiles of devices in your enterprise to ensure that they do not include root certificates.
Ensure that employees use a VPN or any other secure channel when connecting to enterprise resources
Perform on-device and network analysis to detect MitM attempts

Pierluigi Paganini

Security Affairs – (Gmail, MITM)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.