Using Gmail from Your iPhone Turns Out to Be Dangerous

Lacoon Mobile Security has warned Gmail users with iOS devices that using Gmail from iPhone turns out to be dangerous, as they could be at great risk of having their data stolen. It seems that Gmail’s vulnerability allows attackers to use a Man-in-the-Middle (MitM) technique to impersonate a legitimate server using a fake SSL certificate.

This happened because Google has yet to implement a security technology that would eventually stop attackers from viewing and modifying encrypted communications exchanged with the Web giant, explained Avi Bashan chief information security officer for Lacoon Mobile Security, based in Israel and the U.S.

In case you were wondering, Lacoon was founded in 2011 by “experts from the mobile cyber security and defense industries to address the gaps in mobile security, ” according to their own presentation, from their official blog. As far as their name is concerned, Lacoon was a Trojan priest, the only one who warned the Trojans about the potential danger in the wooden horse offered to the city by the Greeks.

How Does the Attack Take Place?

First of all this prevention method is called certificate pinning, where the app developer codes the intended server certificate within the app. This means if communication is re-routed, the mobile app will recognize the inconsistency between the back-end server certificate as coded within the app, and the certificate returned from the fake server.

“In iOS, a threat actor can install a configuration profile which contains the root Certificate Authority (CA). The configuration profile is an extremely sensitive iOS file which allows to re-define system functionality parameters such as device, mobile carrier and network settings,” Bashan explained.

On the other hand, certificate pinning has aleready been implemented on the Android applications. Could this be an innocent mistake? Bashan said this was probably just “an oversight” by Google.

“Several months after providing responsible disclosure, Google has not provided information regarding resolution and it still remains an open vulnerability. This vulnerability leaves iPhone and iPad users at risk of a threat actor being able to view and modify encrypted communications through a Man-in-the-Middle attack”, says Michael Shaulov, CEO and co-founder of Lacoon Mobile Security.

It seems that Lacoon’s research team first informed Google about this problem on 24 February. Google on the other hand recognized the flaw and validated it. According to Lacoon, he was assured that Google was going to fix this issue. The vulnerability still exists to this day.

In the meantime, enterprises are encouraged to check the configuration profiles of devices to ensure they don’t include root certificates, ensure that a secure channel like a VPN is used when accessing corporate resources, and perform network and device analysis to detect MitM attacks.

What does an Attack for iOS Look Like?

The threat actor performs the following steps: First of all, it tricks the victim into installing a configuration profile containing the root certificate and the details of the server to reroute the traffic to (Note: to do this, a threat actor can use a variety of social engineering methods such as sending an email, purportedly from the IT department, requesting to install the configuration profile.)

Afterwards the actor re-routes the victim’s traffic through the server under the threat actor’s control, defined by the malicious configuration profile.

After that it creates spoofed certificates that are identified as valid by the victim’s device, followed by it’s intercepting all traffic between the attacked device and the intended server.

In a nutshell, using Gmail from your iPhone turns out to be dangerous after all. As far as previous similar experiences are concerned, it appears that this issue had been raised before. For instance, following Facebook’s $19B acquisition of WhatsApp, researchers found that WhatsApp had never used certificate pinning.

Leave a Reply

Your email address will not be published. Required fields are marked *