
Is the Gmail for iOS App Insecure?

Source: Tom's Guide US | 10 comments

UPDATED 6:30 pm ET Friday with comment from Google.

Do you use the Gmail app on an iPhone, iPad or iPod Touch? Then you're ... probably fine. Despite warnings from a security company about the app's verification methods, the Gmail iOS app doesn't contain any serious flaws.

So what's the situation? San Francisco-based mobile security company Lacoon found that the Gmail app for iOS doesn't practice "certificate pinning" to ensure that the app is truly connecting to Google's servers.

But don't panic yet: certificate pinning is not an industry standard, and not having it doesn't mean the app is insecure.


Secure Internet traffic, on both mobile and desktop platforms, is encrypted between the user's device and the server using a protocol called SSL. To make sure a device is connected to the real destination server (i.e. Google's Gmail servers) and not an impostor, SSL connections first ask for digital certificates that prove to "clients" such as a computer or phone that servers are what they claim to be. 

But as Lacoon pointed out in its blog post yesterday (July 10), attackers can get around SSL security by inserting themselves between the user's device and the server, and presenting the device with a forged certificate so the device is fooled into thinking it's communicating with the correct server. 

Some Web browsers and mobile apps counter these attacks with a method called "certificate pinning," wherein the legitimate server certificate is encoded within application software. The Gmail for Android app uses certificate pinning — it has the Google Gmail server certificate embedded in its code — but, as Lacoon discovered, the Gmail for iOS app does not.
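To make the difference between ordinary certificate checking and pinning concrete, here is an added Python example that is not code from the article, from Google or from Lacoon. It models a device trust store, CA-issued certificates and an app's embedded pin set; CA signatures are a toy HMAC scheme standing in for real X.509 public-key signatures, and every CA name, key, host name and pin value is constructed for the illustration. It also covers the scenario Google's later comment describes: a rogue root CA that a user has installed on the device.

```python
import hashlib
import hmac
from dataclasses import dataclass


# Toy certificate: a real X.509 certificate also carries validity dates,
# extensions and an asymmetric signature; those are omitted here.
@dataclass(frozen=True)
class Cert:
    subject: str      # host name the certificate claims to identify
    spki: bytes       # stand-in for the server's public key (SubjectPublicKeyInfo)
    issuer: str       # name of the CA that issued it
    signature: bytes  # CA's signature over (subject, spki, issuer)


def _tbs(subject: str, spki: bytes, issuer: str) -> bytes:
    """Bytes the CA signs (the 'to be signed' part of the toy certificate)."""
    return subject.encode() + b"\x00" + spki + b"\x00" + issuer.encode()


def issue_cert(subject: str, spki: bytes, issuer: str, issuer_key: bytes) -> Cert:
    """Toy CA: 'signs' with HMAC-SHA256 under the CA key (an assumption standing
    in for RSA/ECDSA; a real verifier would use the CA's public key instead)."""
    sig = hmac.new(issuer_key, _tbs(subject, spki, issuer), hashlib.sha256).digest()
    return Cert(subject, spki, issuer, sig)


def chain_validates(cert: Cert, trust_store: dict) -> bool:
    """Ordinary SSL/TLS check: the certificate was issued by some CA that the
    device trusts (trust_store maps CA name -> CA key)."""
    ca_key = trust_store.get(cert.issuer)
    if ca_key is None:
        return False
    expected = hmac.new(ca_key, _tbs(cert.subject, cert.spki, cert.issuer),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def spki_pin(spki: bytes) -> str:
    """Pin value: SHA-256 of the server's public key, the form most pinning uses."""
    return hashlib.sha256(spki).hexdigest()


def pinned_connection_ok(cert: Cert, trust_store: dict, pins: set) -> bool:
    """Certificate pinning: the chain must validate AND the server key must
    match one of the pins embedded in the app at build time."""
    return chain_validates(cert, trust_store) and spki_pin(cert.spki) in pins


# --- constructed scenario (all names and keys are made up) -------------------
GOOGLE_ROOT = "Constructed Google Root CA"
ROGUE_ROOT = "Constructed Rogue Root CA"
GOOGLE_ROOT_KEY = b"constructed-google-root-ca-key"
ROGUE_ROOT_KEY = b"constructed-rogue-root-ca-key"
GENUINE_SPKI = b"constructed-gmail-server-public-key"
IMPOSTOR_SPKI = b"constructed-interceptor-public-key"

# The real server's certificate, and a forged one for the same host name
genuine_cert = issue_cert("gmail.example", GENUINE_SPKI, GOOGLE_ROOT, GOOGLE_ROOT_KEY)
impostor_cert = issue_cert("gmail.example", IMPOSTOR_SPKI, ROGUE_ROOT, ROGUE_ROOT_KEY)

# Device trust stores: as shipped, and after a user installs a rogue root CA
DEFAULT_STORE = {GOOGLE_ROOT: GOOGLE_ROOT_KEY}
RECONFIGURED_STORE = {**DEFAULT_STORE, ROGUE_ROOT: ROGUE_ROOT_KEY}

# Pin set the app would embed in its code
APP_PINS = {spki_pin(GENUINE_SPKI)}


def evaluate(cert: Cert, trust_store: dict) -> dict:
    """Outcome of both checks for one presented certificate."""
    return {
        "chain_only": chain_validates(cert, trust_store),
        "chain_plus_pin": pinned_connection_ok(cert, trust_store, APP_PINS),
    }


if __name__ == "__main__":
    for label, cert, store in [
        ("genuine cert, default device", genuine_cert, DEFAULT_STORE),
        ("impostor cert, default device", impostor_cert, DEFAULT_STORE),
        ("impostor cert, rogue root installed", impostor_cert, RECONFIGURED_STORE),
    ]:
        print(f"{label}: {evaluate(cert, store)}")
```

The third case is the one the article is about: once a rogue root CA is in the device's trust store, chain validation alone accepts the forged certificate, while an app with an embedded pin still rejects it because the server key does not match. The first two cases show that on an unmodified device both checks give the same answer, which is why the lack of pinning is a weakness only against that narrower scenario.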

This may be an "oversight" on Google's part, as Lacoon said in its blog post, but it's not a major security flaw.

"[Certificate pinning] is a deterrent to targeted attacks, but adds a lot of overhead for developers and makes the assumption that the entire certificate ecosystem is a failure," said Chester Wisniewski, senior security advisor at antivirus software maker Sophos. "Now, with that said, I am the first one to admit that the entire certificate system *is* a failure ... But it is not a standard practice to do certificate pinning."

Lacoon says it contacted Google about the oversight this past February, and claims that "Google has recognized this flaw and validated it." However, Google has still not added certificate pinning to its Gmail for iOS app.

We have reached out to Google for comment, but at time of posting have not heard back.

Wisniewski summed up the controversy thus: "Is it a vulnerability? No. Should Google implement this? Probably. Is it a crisis? No."

UPDATE: Robert Graham of Atlanta security firm ErrataSec weighed in as well.

"This is not serious," Graham told Tom's Guide.

UPDATE: "This is not a vulnerability in the Gmail app," a Google representative told Tom's Guide. "The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app. Messages you send through the Gmail app on iOS are safely transferred through Google's servers unless you've intentionally reconfigured your device."

Email jscharr@tomsguide.com or follow her @JillScharr and Google+.

Comments
  • (3) toastybatch565, July 11, 2014 11:37 AM
    Compliment its looks, maybe that'll make it less insecure.
  • (-1) Adroid, July 11, 2014 11:40 AM
    Yea my gmail account is starting to frustrate me. Thanks Google, but I don't need you popping up and logging yourself in on my Youtube channel. And no, I don't want to log in with my "facebook" account.

    Also I don't want you auto-syncing and pulling random pieces of information from my iphone to the "cloud".

    I tried to increase my privacy settings, but it's really invasive and annoying that Google helps itself to your personal information, and tries to "conveniently" spread it onto different web pages, but by default I wish the security settings were less invasive.

    Keep it up and Google and the whole batch of other "social media" sites can count on closing my accounts, permanently.
  • (0) jgrabb, July 11, 2014 11:44 AM
    Of course it is, it's Google/Android isn't it?
  • (-1) Xivilain, July 11, 2014 12:38 PM
    GMAIL IS FREE... so by default you should assume it's insecure. If you want secure/encrypted email you can purchase such services elsewhere.
  • (0) jgrabb, July 11, 2014 3:55 PM
    Quote:
    GMAIL IS FREE... so by default you should assume it's insecure. If you want secure/encrypted email you can purchase such services elsewhere.

  • (-1) jgrabb, July 11, 2014 3:58 PM
    EXCEPT if you want to use ANYTHING from Google you NEED an email address from gmail. Therefore it potentially makes EVERYONE less secure because Google/Android is undoubtedly a very insecure OS
  • (1) JOSHSKORN, July 11, 2014 6:19 PM
    Don't buy Apple. Problem solved.
  • (1) sykozis, July 11, 2014 6:46 PM
    Sounds like a "security firm" is just trying to make a name for themselves using scare tactics... like usual...
  • (-1) hitman40, July 12, 2014 2:32 PM
    Who the hell uses a gmail app on the iPhone when you can log into the stock mail option with your gmail account? Almost as stupid as someone downloading a "mirror" app when the camera has a front camera option.
  • (0) therealduckofdeath, July 13, 2014 6:30 AM
    The only thing I am wondering is, why hasn't this "article" been deleted yet?