Apple iPhone and iPad users will have to be extra cautious with the usage of the Gmail app on their phones now due to an inherent security flaw which Google has acknowledged.
According to Laccon researcher Avi Bashan, the Gmail app does not perform something called certificate pinning. This is a serious flaw as it allow attacks where victims may be cheated to install a malicious configuration profile which in turn provides the attacker full access to the traffic from the Gmail server to the victim.
The certificates allow the browsing platform to recognize the authenticity of a secured connection and will proceed with the communication traffic after verification. Without certificate pinning, attackers are free to create bogus security certificates, which on the face of the platform seems to be the one issued by Google. This allows the attackers to view, control and divert all traffic in any way they desire.
While Bashan filed for the security flaw in February, the inquiry case was left open and nothing was done. Subsequently after the same issue was filed by one of the Indian government agency Google worked with Microsoft to resolve the issue but they did not completely resolve it.
The situation was resolved in the Android platforms as well as the Chrome browser itself, the flaw still exists in the Gmall app, which is available in the iOS.
As of now, Google has verified and has completed the patches on the Android platform but however the case is still not closed without any formal explanation from the giant themselves. Bashan’s company has also released details on the weakness in hope to add pressure on Google to close this security issue once and for all.
While Google has not responded on the issue, Bashan recommends that their consumers ensure that their internet profiles do not include root certificates, and ensure that users make use of secure portals like VPN when connecting to the enterprise’s servers.