Google denies report of Gmail security risk on Apple iOS
By Antone Gonsalves, CSO | July 11th, 2014
Google has denied a security vendor report that users of Gmail on Apple iOS could have data intercepted because of a missing security component in the popular app.
Lacoon Mobile Security, which is based in the U.S. and Israel, reported that Gmail lacks certificate “pinning,” a process in which the developer hard-codes details of a legitimate digital certificate into the application.
Certificates are used in encrypting data traffic between a mobile app and the developer’s server. The communications typically occur using the SSL/TLS security protocols.
However, sometimes attackers can spoof the certificates, making it possible for them to decrypt the traffic. Pinning is a way to remove the threat of the so-called man-in-the-middle attack.
On Friday, Google denied that not having pinning presents a security risk in Gmail.
“This is not a vulnerability in the Gmail app,” the company said in an emailed statement. “The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app.”
John Pirc, chief technology officer for NSS Labs, which tests security products for corporate clients, agreed with Google that an attacker would have to find a way to send a malicious certificate in a file to an iPhone or iPad user and then trick him into opening it.
“The likelihood of someone being socially engineered to click on something like that, to me, would be highly unlikely,” Pirc said.
In describing a hypothetical attack, Lacoon acknowledged that the victim would have to be tricked into opening a malicious file.
If the target was a businessperson, then Lacoon suggested the attacker could send an email purportedly from an IT department requesting the recipient to install the attached configuration file for the phone.
However, if the file contained a root digital certificate, then pinning would not prevent its installation, Pirc said.
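The pinning check described above can be sketched as follows; this is an added example, not code from Google, Lacoon or the original article. It pins the SHA-256 fingerprint of the server's whole certificate, so a certificate that chains to a root the user has added to the device still passes normal validation but fails the pin comparison. The function names and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: set[str]) -> bool:
    """True only if the presented certificate is one the app shipped with."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, p.lower()) for p in pinned)


def connect_with_pin(host: str, pinned: set[str], port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection, then refuse it unless the leaf certificate is pinned."""
    # Step 1: ordinary validation (chain and hostname) against the system
    # trust store. A root certificate added to that store is trusted here.
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    # Step 2: the pin. Compare the certificate actually presented with the
    # fingerprints hard-coded in the application.
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch")
    return tls


# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_DER = b"constructed stand-in: the service's genuine certificate"
OTHER_DER = b"constructed stand-in: certificate issued under an added root"
PINS = {fingerprint(GENUINE_DER)}  # what the app would ship with
```

Because the pin covers the entire certificate, every certificate renewal requires shipping updated pins; pinning the public key instead avoids that but needs an X.509 parser.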