Gmail users on iOS at risk of data theft
Lacoon Security found Google hasn't yet implemented a security technology that could prevent data loss
IDG News Service - Apple users accessing Gmail on mobile devices could be at risk of having their data intercepted, a mobile security company said Thursday.
The reason is Google has not yet implemented a security technology that would prevent attackers from viewing and modifying encrypted communications exchanged with the Web giant, wrote Avi Bashan, chief information security officer for Lacoon Mobile Security, based in Israel and the U.S.
Websites use digital certificates to encrypt data traffic using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols. But in some instances, those certificates can be spoofed by attackers, allowing them to observe and decrypt the traffic.
That threat can be eliminated through certificate "pinning," which involves hard coding the details for the legitimate digital certificate into an application.
Unlike for Android, Google doesn't do this for iOS, which means an attacker could execute a man-in-the-middle attack and read encrypted communications, Bashan wrote. Google acknowledged the problem after being notified by Lacoon on Feb. 24, but the problem has not been fixed, he wrote.
Google officials did not have an immediate comment.
It isn't clear why certificate pinning isn't used by Google on iOS. But three years ago, a Google security engineer who works on such security issues described a scenario in which the handling of digital certificates becomes complicated.
Occasionally, proxy servers used by companies will intercept HTTPS connections using local, ephemeral certificates, wrote Adam Langley on his personal blog. Some security applications and parental control programs will also do this, he wrote.
Those certificates have the authority to override "pins" that have been set to check for a specific certificate, he wrote.
Lacoon described an attack scenario that involved tricking a user into installing an iOS device management configuration file that contains a malicious root digital certificate. With that root trusted, the device would accept a spoofed certificate, allowing the user to be steered to a fraudulent Gmail site.
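The pin check that the article says the iOS Gmail app lacked, as an added example (not code from Google, Lacoon or the article) covering both the pinning description above and the rogue-root scenario: the pin is assumed to be the SHA-256 of the server certificate's DER SubjectPublicKeyInfo in base64 (the RFC 7469 convention), compared against a value hard-coded into the app, so a leaf issued under a user-installed root still fails even though the OS trust store accepts its chain. The DER walker and the fake, unsigned sample certificates are constructed for this example so it runs offline.

```python
import base64
import hashlib

def _tlv(buf, pos=0):  # one DER TLV at pos -> (tag, value, end_offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_body):  # (tag, raw_tlv_bytes) for each SEQUENCE element
    pos = 0
    while pos < len(seq_body):
        tag, _, end = _tlv(seq_body, pos)
        yield tag, seq_body[pos:end]
        pos = end

def spki_from_cert(der_cert):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = _tlv(der_cert)                   # Certificate ::= SEQUENCE
    _, tbs_body, _ = _tlv(cert_body)                   # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                           # skip optional [0] version
        fields = fields[1:]
    return fields[5][1]   # serial, signature, issuer, validity, subject, SPKI

def spki_pin(der_cert):
    """Base64(SHA-256(SPKI)): the RFC 7469 form pins are usually written in."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der_cert)).digest()).decode()

def pin_check(der_cert, pinned):
    """App-side check: leaf must match a hard-coded pin, whatever the trust store said."""
    return spki_pin(der_cert) in pinned

# Constructed sample certificates: fake X.509-shaped DER, signed by nobody.
def _der(tag, body):
    return bytes([tag, len(body)]) + body              # short-form lengths suffice

def _fake_cert(key_material):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    name, utc = _der(0x30, b""), _der(0x17, b"140301000000Z")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key_material))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name + _der(0x30, utc * 2) + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00sig"))

LEGIT_CERT = _fake_cert(b"legit-server-key")
SPOOFED_CERT = _fake_cert(b"attacker-key-mat")        # rogue-root chain passes, pin does not
PINS = {spki_pin(LEGIT_CERT)}                          # in a real app: a constant in the binary
```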
"We were quite surprised by this finding because Google had implemented certificate pinning for their Android Gmail app," Bashan wrote. "Clearly, not implementing this for iOS was an oversight by Google."
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk