Is the Gmail for iOS App Insecure?
UPDATED 6:30 pm ET Friday with comment from Google.
Do you use the Gmail app on an iPhone, iPad or iPod Touch? Then you're ... probably fine. Despite warnings from a security company about the app's verification methods, the Gmail iOS app doesn't contain any serious flaws.
So what's the situation? San Francisco-based mobile security company Lacoon found that the Gmail app for iOS doesn't practice "certificate pinning" to ensure that the app is truly connecting to Google's servers.
But don't panic yet: certificate pinning is not an industry standard, and not having it doesn't mean the app is insecure.
Secure Internet traffic, on both mobile and desktop platforms, is encrypted between the user's device and the server using a protocol called SSL. To make sure a device is connected to the real destination server (i.e. Google's Gmail servers) and not an impostor, an SSL connection begins with the server presenting a digital certificate that proves to the "client," such as a computer or phone, that the server is what it claims to be.
But as Lacoon pointed out in its blog post yesterday (July 10), attackers can get around SSL security by inserting themselves between the user's device and the server and presenting the device with a forged certificate that the device nonetheless trusts, so the device is fooled into thinking it's communicating with the correct server.
Some Web browsers and mobile apps counter these attacks with a method called "certificate pinning," wherein the legitimate server certificate is encoded within application software. The Gmail for Android app uses certificate pinning — it has the Google Gmail server certificate embedded in its code — but, as Lacoon discovered, the Gmail for iOS app does not.
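To make the mechanism concrete, here is an added example (not code from the article, Google or Lacoon) of the check a pinning client performs, written in Go: after the operating system has validated the certificate chain, the app hashes the public key of the server's certificate and compares it against a pin baked into the app, so a forged certificate that chains to an installed rogue root is still rejected. The keys, hostname and certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPinFromDER returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the pin format most pinning implementations store in the app.
func spkiPinFromDER(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// verifyPinnedLeaf has the shape of the tls.Config.VerifyPeerCertificate callback.
// It runs after normal chain validation, so a forged leaf that the OS trust store
// accepts (for example via a rogue root CA the user installed) is rejected here
// unless its public key matches one of the pins the app ships with.
func verifyPinnedLeaf(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pinning: no peer certificate presented")
		}
		pin, err := spkiPinFromDER(rawCerts[0])
		if err != nil {
			return err
		}
		if !pins[pin] {
			return errors.New("pinning: leaf public key does not match any pin")
		}
		return nil
	}
}

// selfSignedDER builds a throwaway certificate for a key (constructed test data only).
func selfSignedDER(key *ecdsa.PrivateKey, cn string) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// newKey generates a fresh P-256 key; one stands in for the real server, one for an attacker.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}
```

Both certificates below carry the same hostname; only the pinned key tells them apart, which is exactly the gap a forged-but-trusted certificate exploits when no pin is present.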
This may be an "oversight" on Google's part, as Lacoon said in its blog post, but it's not a major security flaw.
"[Certificate pinning] is a deterrent to targeted attacks, but adds a lot of overhead for developers and makes the assumption that the entire certificate ecosystem is a failure," said Chester Wisniewski, senior security advisor at antivirus software maker Sophos. "Now, with that said, I am the first one to admit that the entire certificate system *is* a failure ... But it is not a standard practice to do certificate pinning."
Lacoon says it contacted Google about the oversight this past February, and claims that "Google has recognized this flaw and validated it." However, Google has still not added certificate pinning to its Gmail for iOS app.
We have reached out to Google for comment, but at the time of posting had not heard back.
Wisniewski summed up the controversy thus: "Is it a vulnerability? No. Should Google implement this? Probably. Is it a crisis? No."
UPDATE: Robert Graham of Atlanta security firm ErrataSec weighed in as well.
"This is not serious," Graham told Tom's Guide.
UPDATE: "This is not a vulnerability in the Gmail app," a Google representative told Tom's Guide. "The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app. Messages you send through the Gmail app on iOS are safely transferred through Google's servers unless you've intentionally reconfigured your device."