Nearly five months after Lacoon Security notified Google of what it called a vulnerability, the lack of certificate pinning in the Gmail app for iOS, the software giant dismissed the oversight as posing no particular threat to users.
In the report, Lacoon Security researchers claimed that Google’s Gmail application for iOS did not implement certificate pinning, potentially opening a back door for attackers to mount man-in-the-middle attacks against users of compromised mobile devices. Such an attack lets the attacker snoop on what would otherwise be encrypted email traffic.
Google, however detailed Lacoon’s report, expressed no concern over the findings, saying that the lack of certificate pinning does not by itself make the Gmail app vulnerable. The Mountain View giant went on to explain that to exploit the issue, an attacker would first need the Gmail user to install a malicious root Certificate Authority, which the attacker could then use to intercept the Gmail app’s traffic.
A common way for attackers to defeat SSL certificate checks and eavesdrop on private communications is to impersonate the back-end SSL server to the client. Certificate pinning is designed to prevent exactly this. In the Gmail app’s case, Google controls and operates the server, which, in its view, removes the burden of keeping attackers away from end users.
Where certificate pinning is absent, the user can verify for themselves that the Gmail app is sending messages over a connection backed by a trusted certificate; otherwise, Google’s server authenticates the message when it receives it.
This is Google’s argument for dismissing Lacoon Security’s research. But when Google received the report in mid-February, it told Lacoon that the bug had been fixed, with due acknowledgment. So this is not merely a question of whether the lack of certificate pinning poses a risk to users; it is also a question of whether Google keeps its word, given that the exploitable bug remains at large in the Gmail app on all iOS devices. You never know when a user will accidentally install a malicious root Certificate Authority, right?
The vulnerability does not affect the Gmail app for Android or other operating systems, nor Apple’s own email application. For iOS users, an attacker could perform a man-in-the-middle attack without the victim’s knowledge.
Lacoon Mobile Security laments that Google failed to provide updates on the resolution of the bug, which, by the way, it had acknowledged. The bug can only be exploited if the user installs an iOS configuration profile, which is how a rogue root Certificate Authority would be added to the device.