What It Is
A vulnerability has been reported for Google’s Gmail iOS app that would allow an attacker to intercept all email communications through a Man-in-the-Middle (MitM) attack. In a MitM attack, a third party intercepts your data before it reaches the intended recipient. Additionally, if an attacker can trick your device into authenticating with them instead of the intended recipient, the attacker can view encrypted traffic as well.
How It Works
This vulnerability takes advantage of the lack of certificate pinning. Certificate pinning is a technique by which an app accepts only the specific certificate (or public key) it expects from its back-end server, which in this case is Google. Without pinning, the app only checks that the server presents a certificate issued by an authority the device trusts, so any certificate the device has been made to trust is accepted. The attack specifically requires a user on an iOS device to manually install a new configuration profile, which comes bundled with a certificate. This configuration profile changes your network configuration so that, when the Gmail app is opened, its traffic is redirected to a third-party server. Additionally, the bundled certificate makes your device accept the third-party server as legitimate, which allows the attackers to decrypt any encrypted messages.
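As an added illustration (not code from the original post, from Google, or from the Gmail app), the following Python models the two checks the article contrasts: the trust-store check that a profile-installed CA satisfies, and an SPKI pin check that it does not. The certificates, CA names, host name and keys are constructed placeholders, and the minimal DER parser handles only the fields this demonstration needs.

```python
import base64
import hashlib

def der_tlv(buf, off=0):
    """Decode one DER TLV at buf[off:]; return (tag, value, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                            # long form: the next N bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length
def der_encode(tag, content):
    """Encode one DER TLV; used only to build the constructed sample certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def tbs_fields(cert_der):
    """Raw top-level TLVs of tbsCertificate (RFC 5280): [version, serial, sigAlg, issuer, validity, subject, spki, ...]."""
    _, cert, _ = der_tlv(cert_der)               # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = der_tlv(cert)
    fields, off = [], 0
    while off < len(tbs):
        _, _, end = der_tlv(tbs, off)
        fields.append(tbs[off:end])
        off = end
    if fields[0][0] != 0xA0:                     # version [0] is optional; pad so the indices stay fixed
        fields.insert(0, b"")
    return fields
def chain_trusted(cert_der, trust_store):
    """All a non-pinning client asks: does the issuer chain to a CA the device trusts? (Simplified to an issuer lookup.)"""
    return tbs_fields(cert_der)[3] in trust_store
def spki_pin(cert_der):
    """RFC 7469-style pin, base64(SHA-256(SubjectPublicKeyInfo)): keyed on the public key, so certificate renewals keep it."""
    return base64.b64encode(hashlib.sha256(tbs_fields(cert_der)[6]).digest()).decode()
def pin_accepts(cert_der, pins):                 # the check pinning adds: the key must match a pin compiled into the app
    return spki_pin(cert_der) in pins
def fake_cert(issuer, key):                      # constructed Certificate-shaped DER with a dummy signature, not a real cert
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    rsa_oid, name = der_encode(0x06, bytes.fromhex("2a864886f70d010101")), lambda s: seq(der_encode(0x0C, s))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"), seq(rsa_oid), name(issuer),
              seq(der_encode(0x17, b"140101000000Z"), der_encode(0x17, b"150101000000Z")), name(b"gmail.example"),
              seq(seq(rsa_oid), der_encode(0x03, b"\x00" + key)))
    return seq(tbs, seq(rsa_oid), der_encode(0x03, b"\x00" * 9))

GENUINE = fake_cert(b"Example Trusted CA", b"\x11" * 64)      # the real server, presenting its own key
MITM = fake_cert(b"Profile-Installed CA", b"\x22" * 64)       # interceptor, issued by the CA the profile added
STOCK_TRUST = {tbs_fields(GENUINE)[3]}                        # issuers the device trusted before the profile
PROFILE_TRUST = STOCK_TRUST | {tbs_fields(MITM)[3]}           # the profile's bundled CA is now trusted too
PINS = {spki_pin(GENUINE)}                                    # pin set compiled into the app
```

With only the trust-store check, the interceptor's certificate passes once the profile is installed; with the pin check it is rejected regardless of what the device trusts.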
What It Affects
The vulnerability is specific to the Gmail app for iOS. If you are an avid user of the Gmail app, your emails and attachments are at risk. Apple’s mail app, Google’s Gmail web app, and Android devices are not affected.
How To Know If You’re Affected
There is no direct way to check if a configuration profile has been installed on a device. If you use the Gmail app and are unsure if you have downloaded the profile, it would be best to stop using it until an update is available.
What To Do If You’ve Installed The Profile
If you have installed the profile onto your iOS device, the only way to remove it is to completely erase your device. You can do this by going into Settings > General > Reset > Erase All Content and Settings. Additionally, if you backed up your iOS device after you installed the profile, you cannot use that backup to restore your phone. This is because configuration profiles are backed up and restored with the rest of the device.
How You Can Protect Yourself
Watch out for phishing links or suspicious downloads when using your mobile device, and make sure to only install configuration profiles from sources that you trust. Additionally, never send passwords, bank or credit card information, or other personal information through email, especially if it is unencrypted.