Gmail users on iOS at risk of data theft

  • 11 July 2014
  • 4 replies
  • 734 views

By Jeremy Kirk, July 11, 2014 05:33 AM ET, IDG News Service - Apple users accessing Gmail on mobile devices could be at risk of having their data intercepted, a mobile security company said Thursday.
The reason is Google has not yet implemented a security technology that would prevent attackers from viewing and modifying encrypted communications exchanged with the Web giant, wrote Avi Bashan, chief information security officer for Lacoon Mobile Security, based in Israel and the U.S.
Websites use digital certificates to encrypt data traffic using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols. But in some instances, those certificates can be spoofed by attackers, allowing them to observe and decrypt the traffic.
 
ComputerWorld/ Full Read Here/ http://www.computerworld.com/s/article/9249667/Gmail_users_on_iOS_at_risk_of_data_theft

An update with a bit more information about this vulnerability
 
By paganinip on July 12th, 2014
 
"The MITM attack scenario on GMail is composed of the following four steps:
  • Hacker tricks victim into installing a configuration profile containing the root certificate and the details of the server to reroute the traffic to. (Note: to do this, a threat actor can use a variety of social engineering methods such as sending an email, purportedly from the IT department, requesting to install the configuration profile.)
  • Reroutes victim’s traffic through the server under the threat actor’s control, defined by the malicious configuration profile.
  • Creates spoofed certificates which are identified as valid by the victim’s device.
  • Intercepts all traffic between the attacked device and intended server."


 
Full Article
 
 
Thanks Jasper!
 
 
You're welcome, BB97.

Summary: Attackers have an easy way to intercept and steal encrypted communications of Google's Gmail users on iOS.
By Liam Tung July 11, 2014
 
Google has left out a key security measure in its Gmail app for iOS, leaving users exposed to attackers standing between their encrypted communications and Google's servers.
According to mobile security firm Lacoon, Google is aware of a security gap in its Gmail app on iOS, one which it has already closed in its equivalent app for Android.
The problem, according to Lacoon researcher Avi Bashan, is that Gmail on iOS currently lacks what's known as 'certificate pinning' — a well-known measure that developers can build in to their apps to mitigate attacks that dupe victims into installing a malicious configuration profile.
 
Full Article
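
The certificate pinning check that the quoted articles say the iOS Gmail app lacked, sketched as an added example that is not part of the thread or of either article. It pins the SHA-256 of the whole certificate; the function names, the `host` parameter, the pin set and the stand-in certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def cert_pin(der_cert):
    """Pin = base64 of SHA-256 over the certificate's DER bytes."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def is_pinned(der_cert, pins):
    """True only if the presented certificate matches a pin shipped with the app."""
    presented = cert_pin(der_cert)
    matched = False
    for pin in pins:  # constant-time compare, no early exit
        matched |= hmac.compare_digest(presented, pin)
    return matched


def connect_pinned(host, pins, port=443):
    """TLS connection that must pass normal validation AND the pin check."""
    ctx = ssl.create_default_context()  # device trust store + hostname check
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        tls.close()  # refuse before any application data is sent
        raise ssl.SSLError(f"{host}: certificate does not match a pinned value")
    return tls


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_CERT = b"constructed: certificate issued to the real service"
BACKUP_CERT = b"constructed: backup certificate kept for rotation"
# Chains to a root added by a configuration profile, so trust-store
# validation alone would accept it; the pin check does not.
SPOOFED_CERT = b"constructed: certificate minted under a profile-installed root"

# Pins ship inside the app, so changes to the device trust store cannot alter them.
APP_PINS = frozenset({cert_pin(GENUINE_CERT), cert_pin(BACKUP_CERT)})
```

The pin set carries a backup entry so the service can rotate its certificate without locking out installed copies of the app.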