Gmail on iOS May Be Risky for Data Theft
If you are one of the numerous users of iOS devices, you may have to think twice before accessing your Gmail account in your gadget. There is a recent research finding that indicates a possible risk of having Gmail users’ data intercepted when using Apple Inc devices.
A security technology firm called Lacoon Mobile Security has found the risk for Gmail users in iOS. It has determined that Google is yet to implement a security technology that would help prevent online scammers and attackers from viewing as well as modifying encrypted communications exchanged between iOS and Google.
The technology firm said it was quite surprised of this finding. That is because Google has already implemented so-called certificate pinning for Gmail app in Android devices. It added that it is clear that not implementing the same for iOS is an oversight by Google alone.
Online sites usually use digital certificates for encryption of data traffic through the use of SSL/TLS or Secure Sockets Layer/ Transport Layer Security protocols. In several instances, such certificates could be easily spoofed by online attackers so they could observe and decrypt Web traffic.
This threat could easily be eliminated though the use of certificate ‘pinning.’ It involved hard coding of the details for legitimate digital certificate into application.
As mentioned, Google is yet to apply this to iOS, although it has already been applied to Android. Thus, an online attacker could readily execute an instant attack to read encrypted communications between Google and iOS devices.
Lacoon Mobile Security also revealed that it has reported the problem and Google already acknowledged it on February 24. However, the company is yet to issue any fix to this pressing problem.
Right now, it is still not clear what is keeping Google from using certificate pinning for iOS. But some experts recall that about three years ago, a security engineer from the search giant already described a scenario wherein handling of digital certificates would become complicated.
In an attack, an iOS user would be asked to install an iOS device management configuration file containing malicious root digital certificate. In turn, that would validate spoofed certificate, which would allow the user to navigate using a fraudulent Gmail site. The real risk emanates from there.