Security researchers have discovered a vulnerability that allows an attacker to intercept the encrypted communication between the Gmail application for iOS devices and Google's servers using a man-in-the-middle (MitM) technique.
The vulnerability lies in the fact that the application does not check that the server it connects to presents the legitimate, expected certificate, a protection called certificate pinning.
The pin for the server's certificate should normally be hard-coded into the app so that information is exchanged only when the certificate presented by the server matches the pinned one.
The Gmail app for iOS devices does not have this feature, so cybercriminals could use a malicious certificate to impersonate the server from their own systems, gaining access to the information in unencrypted form.
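The pinning check described above, as an added example (not Lacoon's or Google's code, and written in stdlib Python rather than against the iOS APIs the Gmail app would use): after the TLS handshake the client extracts the server leaf's SubjectPublicKeyInfo, hashes it, and accepts the connection only if the hash is in a pin set fixed at build time. The certificates and keys here are constructed placeholders; a forged leaf issued by an attacker-installed CA would pass the device trust store but fail this check.

```python
import base64
import hashlib
def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a DER SEQUENCE into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = _read_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])         # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]   # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """base64(SHA-256(SPKI)), the pin format used by HPKP and most mobile pinning libraries."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pins):
    """Accept the server only if its leaf SPKI hash is one of the hard-coded pins."""
    return spki_pin(cert_der) in pins

def _tlv(tag, body):                      # encode one DER TLV (helper for the constructed sample)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def _seq(*parts):                         # DER SEQUENCE of already-encoded parts
    return _tlv(0x30, b"".join(parts))

def _sample_cert(spki):                   # constructed X.509-shaped DER: real layout, placeholder fields
    tbs = _seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"),            # version, serial
               _seq(_tlv(0x06, b"\x2a\x86\x48")), _seq(), _seq(), _seq(), spki)  # sigAlg, issuer, validity, subject, SPKI
    return _seq(tbs, _seq(), _tlv(0x03, b"\x00"))   # + signatureAlgorithm, signatureValue

SERVER_SPKI = _tlv(0x30, _tlv(0x03, b"\x00" + b"\x11" * 32))   # constructed stand-in for the real server key
MITM_SPKI = _tlv(0x30, _tlv(0x03, b"\x00" + b"\x22" * 32))     # constructed key in a forged leaf from a rogue CA
PINS = {spki_pin(_sample_cert(SERVER_SPKI))}                    # computed at build time, shipped inside the app
```

In a real client the `cert_der` argument would come from the peer certificate obtained after the handshake (for example `getpeercert(binary_form=True)` on a Python `ssl` socket), and a pin failure must abort the connection before any request is sent.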
Researchers from the company Lacoon Mobile Security presented an attack scenario based on a man-in-the-middle attack, in which they manage to add an unauthorized CA certificate.
Once that is done, when the victim runs the Gmail application all of its traffic passes under the researchers' control, giving them access to the entire communication in plain text.
Google, which is usually very responsive to security issues in its products, does not seem to have done much this time. Lacoon Mobile Security said it shared the vulnerability with Google on February 24th and that no patch has been released to date.
“The Lacoon research team informed Google of this problem on 24 February. Google recognized the defect and validated it. We were told they were going to fix it, but to this day the vulnerability still exists,” said Avi Bashan.