Google denies report of Gmail security risk on Apple iOS

Google has denied a security vendor report that users of Gmail on Apple iOS could have data intercepted because of a missing security component in the popular app.

Lacoon Mobile Security, which is based in the U.S. and Israel, reported that Gmail lacks certificate "pinning," a process that involves the developer hard coding details of a legitimate digital certificate into the application.

Certificates are used in encrypting data traffic between a mobile app and the developer's server. The communications typically occur using the SSL/TLS security protocols.

However, sometimes attackers can spoof the certificates, making it possible for them to decrypt the traffic. Pinning is a way to remove the threat of the so-called man-in-the-middle attack.
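To make the mechanism concrete, here is an added illustration (not code from the article, Google or Lacoon) of how an app-side pin check differs from ordinary certificate validation. It assumes pins in the OkHttp/HPKP style, a SHA-256 over the DER SubjectPublicKeyInfo, and uses constructed byte strings in place of real DER keys.

```python
import base64
import hashlib

# Pin format: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo DER)).
# The app ships these values; they are computed at build time, not at runtime.
def spki_pin(spki_der: bytes) -> str:
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(leaf_spki_der: bytes, pinned: set[str]) -> bool:
    """True only if the server's leaf public key is one the app was built with."""
    return spki_pin(leaf_spki_der) in pinned


def verify_connection(chain_trusted_by_os: bool, leaf_spki_der: bytes,
                      pinned: set[str]) -> tuple[bool, str]:
    """Models the two checks a pinning app performs in order.

    1. System trust-store validation. A root CA the user was tricked into
       installing makes this step pass for an interposed certificate.
    2. Pin comparison. Without this step the app has no way to notice that the
       key it is talking to is not the developer's.
    A failure here with chain_trusted_by_os=True is exactly the rogue-root
    scenario and is worth reporting to the server side as telemetry.
    """
    if not chain_trusted_by_os:
        return False, "chain rejected by system trust store"
    if not pin_matches(leaf_spki_der, pinned):
        return False, "public key does not match pinned set (possible interception)"
    return True, "ok"


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
GENUINE_SPKI = b"constructed-spki-of-the-developer-server-key"
BACKUP_SPKI = b"constructed-spki-of-the-developer-backup-key"
MITM_SPKI = b"constructed-spki-of-a-key-signed-by-an-installed-rogue-root"

# A backup pin is included so a key rotation does not lock users out.
PINNED = {spki_pin(GENUINE_SPKI), spki_pin(BACKUP_SPKI)}

if __name__ == "__main__":
    print(verify_connection(True, GENUINE_SPKI, PINNED))
    print(verify_connection(True, MITM_SPKI, PINNED))
    print(verify_connection(False, GENUINE_SPKI, PINNED))
```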

On Friday, Google denied that not having pinning presents a security risk in Gmail.

"This is not a vulnerability in the Gmail app," the company said in an emailed statement. "The scenario that Lacoon raises would require a user to take explicit action -- specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app."

John Pirc, chief technology officer for NSS Labs, which tests security products for corporate clients, agreed with Google that an attacker would have to find a way to send a malicious certificate in a file to an iPhone or iPad user and then trick him into opening it.

"The likelihood of someone being socially engineered to click on something like that, to me, would be highly unlikely," Pirc said.

In describing a hypothetical attack, Lacoon acknowledged that the victim would have to be tricked into opening a malicious file.

If the target were a businessperson, Lacoon suggested, the attacker could send an email purportedly from the IT department asking the recipient to install an attached configuration file for the phone.

However, if the file contained a root digital certificate, then pinning would not prevent its installation, Pirc said.

Stories by Antone Gonsalves