It allows attackers to use a Man-in-the-Middle (MitM) technique to impersonate a legitimate server using a spoofed SSL certificate.
This type of threat is usually prevented with certificate pinning, where the app developer embeds the intended server certificate within the app. If communication is re-routed, the mobile app recognizes the mismatch between the back-end server certificate embedded in the app and the certificate returned by the fake server.
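The check described above, written out as an added example (not code from the article, Lacoon or the Gmail app): the app ships with the fingerprint of the expected certificate, validates the chain as usual, and then refuses any leaf certificate whose fingerprint is not pinned. The certificate byte strings are constructed stand-ins, not real certificates.

```python
"""Certificate pinning check: the app carries the fingerprint of the expected
server certificate and fails closed on any other one."""
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the presented certificate is not one the app pinned."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned_fingerprints: frozenset) -> str:
    """Accept the connection only if the leaf certificate's fingerprint is in
    the set the app shipped with (a current pin plus a backup pin is common).
    A MitM certificate that passes the device's chain validation, for example
    because a rogue root was installed via a configuration profile, still
    fails here because its fingerprint differs from the pinned one."""
    fp = cert_fingerprint(der_cert)
    if fp not in pinned_fingerprints:
        raise PinMismatch(f"server certificate {fp[:16]}... is not pinned")
    return fp


def open_pinned_connection(host: str, port: int, pins: frozenset) -> ssl.SSLSocket:
    """Normal chain validation first, then the pin check on the leaf certificate."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        check_pin(tls.getpeercert(binary_form=True), pins)
    except PinMismatch:
        tls.close()  # send nothing to a peer that failed the pin check
        raise
    return tls


# Constructed stand-ins for DER certificates (not real certificates): the one
# the app was built against and the one an interception proxy would present.
GENUINE_CERT = b"constructed: genuine back-end certificate bytes"
SPOOFED_CERT = b"constructed: certificate minted by an interception proxy"
PINNED = frozenset({cert_fingerprint(GENUINE_CERT)})


def mitm_detected(presented_cert: bytes) -> bool:
    """True when the presented certificate does not match the pinned one."""
    try:
        check_pin(presented_cert, PINNED)
    except PinMismatch:
        return True
    return False
```

Without the pin check, the spoofed certificate would be accepted as long as the device trusted the issuing root, which is exactly the gap the article describes.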
Lacoon has found that the Gmail iOS app doesn't perform certificate pinning. As a result, a MitM attack could expose encrypted communications, and the user would see no indication of suspicious activity.
Certificate pinning is implemented in Gmail's Android app, so this looks like it could be an oversight. Yet although Google was informed of the vulnerability at the end of February and validated its existence, it was still present at the time of writing.
Michael Shaulov, CEO and co-founder of Lacoon Mobile Security, says, "Several months after providing responsible disclosure, Google has not provided information regarding resolution and it still remains an open vulnerability. This vulnerability leaves iPhone and iPad users at risk of a threat actor being able to view and modify encrypted communications through a Man-in-the-Middle attack."
Until such time as a fix is released, enterprises are advised to check the configuration profiles of devices to ensure they don't include root certificates, ensure that a secure channel like a VPN is used when accessing corporate resources, and perform network and device analysis to detect MitM attacks.
Image Credit: Pavel Ignatov / Shutterstock
~ Ian Barker