Is the Gmail for iOS App Insecure?
A security company warns about an alleged security oversight in the Gmail for iOS app, but it's not time to panic yet.
UPDATED 6:30 pm ET Friday with comment from Google.
Do you use the Gmail app on an iPhone, iPad or iPod Touch? Then you're ... probably fine. Despite warnings from a security company about the app's verification methods, the Gmail iOS app doesn't contain any serious flaws.
So what's the situation? San Francisco-based mobile security company Lacoon found that the Gmail app for iOS doesn't practice "certificate pinning" to ensure that the app is truly connecting to Google's servers.
But don't panic yet: certificate pinning is not an industry standard, and not having it doesn't mean the app is insecure.
Secure Internet traffic, on both mobile and desktop platforms, is encrypted between the user's device and the server using a protocol called SSL. To make sure a device is connected to the real destination server (i.e. Google's Gmail servers) and not an impostor, an SSL connection begins with the server presenting a digital certificate that proves to the "client" (a computer or phone) that the server is what it claims to be.
But as Lacoon pointed out in its blog post yesterday (July 10), attackers can get around SSL security by inserting themselves between the user's device and the server, and presenting the device with a forged certificate so the device is fooled into thinking it's communicating with the correct server.
Some Web browsers and mobile apps counter these attacks with a method called "certificate pinning," wherein the legitimate server certificate is encoded within application software. The Gmail for Android app uses certificate pinning — it has the Google Gmail server certificate embedded in its code — but, as Lacoon discovered, the Gmail for iOS app does not.
This may be an "oversight" on Google's part, as Lacoon said in its blog post, but it's not a major security flaw.
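To show what pinning adds on top of the ordinary certificate check, here is an added example (not Google's, Lacoon's or any real app's code). The certificates, root names and key bytes are constructed stand-ins, not real X.509 data; only the hashing and comparison logic mirrors what a pinning client does, and it also shows why pinning the public key rather than the whole certificate survives a legitimate reissue.

```python
"""Ordinary trust-store check versus certificate pinning (constructed example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate claims to cover
    issuer: str    # name of the CA that signed it
    spki: bytes    # stand-in for the DER SubjectPublicKeyInfo (constructed)


def spki_sha256(cert: Cert) -> str:
    # Pins are normally the SHA-256 of the public key, so a reissued
    # certificate carrying the same key still matches the embedded pin.
    return hashlib.sha256(cert.spki).hexdigest()


def trust_store_accepts(cert: Cert, trusted_roots: set) -> bool:
    # The ordinary SSL check: does the certificate chain to a root the
    # device trusts? A root the user installed counts just like a public one.
    return cert.issuer in trusted_roots


def pinned_accepts(cert: Cert, trusted_roots: set, pins: set) -> bool:
    # A pinning client runs the ordinary check AND requires the server's
    # key hash to match one of the pins embedded in the app.
    return trust_store_accepts(cert, trusted_roots) and spki_sha256(cert) in pins


# Constructed sample data, not real certificates or key material.
GOOGLE_CERT = Cert("mail.google.com", "Public CA", b"constructed-google-key")
REISSUED_CERT = Cert("mail.google.com", "Public CA", b"constructed-google-key")
FORGED_CERT = Cert("mail.google.com", "Attacker Root", b"constructed-attacker-key")
GMAIL_PINS = {spki_sha256(GOOGLE_CERT)}        # what the app would embed
DEVICE_ROOTS = {"Public CA"}                   # a stock device
DEVICE_ROOTS_RECONFIGURED = DEVICE_ROOTS | {"Attacker Root"}  # root added by the user


def summarize() -> dict:
    """Outcome of each check for each device state."""
    return {
        "stock device, forged cert, no pinning": trust_store_accepts(FORGED_CERT, DEVICE_ROOTS),
        "reconfigured device, forged cert, no pinning": trust_store_accepts(FORGED_CERT, DEVICE_ROOTS_RECONFIGURED),
        "reconfigured device, forged cert, pinning": pinned_accepts(FORGED_CERT, DEVICE_ROOTS_RECONFIGURED, GMAIL_PINS),
        "stock device, reissued real cert, pinning": pinned_accepts(REISSUED_CERT, DEVICE_ROOTS, GMAIL_PINS),
    }


if __name__ == "__main__":
    for case, accepted in summarize().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The forged certificate is rejected on a stock device even without pinning, which is the point Google makes about needing a user-installed root; pinning is what still rejects it once such a root is present.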
"[Certificate pinning] is a deterrent to targeted attacks, but adds a lot of overhead for developers and makes the assumption that the entire certificate ecosystem is a failure," said Chester Wisniewski, senior security advisor at antivirus software maker Sophos. "Now, with that said, I am the first one to admit that the entire certificate system *is* a failure ... But it is not a standard practice to do certificate pinning."
Lacoon says it contacted Google about the oversight this past February, and claims that "Google has recognized this flaw and validated it." However, Google has still not added certificate pinning to its Gmail for iOS app.
We have reached out to Google for comment, but at the time of posting have not heard back.
Wisniewski summed up the controversy thus: "Is it a vulnerability? No. Should Google implement this? Probably. Is it a crisis? No."
UPDATE: Robert Graham of Atlanta security firm ErrataSec weighed in as well.
"This is not serious," Graham told Tom's Guide.
UPDATE: "This is not a vulnerability in the Gmail app," a Google representative told Tom's Guide. "The scenario that Lacoon raises would require a user to take explicit action — specifically, purposefully installing a malicious Root Certificate Authority that gives a hacker access to their app. Messages you send through Gmail app on iOS are safely transferred through Google's servers unless you've intentionally reconfigured your device."
Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.
Adroid: Yeah, my gmail account is starting to frustrate me. Thanks Google, but I don't need you popping up and logging yourself in on my Youtube channel. And no, I don't want to log in with my "facebook" account.
Also I don't want you auto-syncing and pulling random pieces of information from my iphone to the "cloud".
I tried to increase my privacy settings, but it's really invasive and annoying that Google helps itself to your personal information, and tries to "conveniently" spread it onto different web pages, but by default I wish the security settings were less invasive.
Keep it up and Google and the whole batch of other "social media" sites can count on closing my accounts, permanently.
Xivilain: GMAIL IS FREE... so by default you should assume it's insecure. If you want secure/encrypted email you can purchase such services elsewhere.
jgrabb, replying to Xivilain: EXCEPT if you want to use ANYTHING from Google you NEED an email address from gmail. Therefore it potentially makes EVERYONE less secure because Google/Android is undoubtedly a very insecure OS.
sykozis: Sounds like a "security firm" is just trying to make a name for themselves using scare tactics...like usual...
hitman40: Who the hell uses a gmail app on the iPhone when you can log into the stock mail option with your gmail account? Almost as stupid as someone downloading a "mirror" app when the camera has a front camera option.
therealduckofdeath: The only thing I am wondering is, why hasn't this "article" been deleted yet?
