An attacker could intercept encrypted communication between the Gmail app for iOS and the server via the man-in-the-middle (MitM) technique, researchers said.
The flaw lies in the mobile app, which does not check the certificate presented by the server against a copy built into the app, a technique called certificate pinning.
Pinning means the certificate (or its public key) of the intended server is hard-coded into the client. Gmail for iOS, in this case, should let traffic flow only when the certificate presented at the other end of the connection matches that copy.
Because Gmail for iOS lacks this check, cybercriminals who can get the device to trust a rogue certificate could impersonate the server and route all traffic through their own systems, thus gaining access to the information in unencrypted form. Certificate pinning is available in the Gmail app for Android, though.
Researchers from mobile security firm Lacoon describe an attack scenario in which cybercriminals dupe the victim into installing a hostile configuration profile that adds an unauthorized CA certificate to the device's trust store. iOS is susceptible to this form of attack, and the profile can be delivered simply by luring the victim into visiting a webpage from their device.
When the victim then opens the Gmail app, all of its traffic is routed through a server under the criminals' control, and because the app accepts the rogue certificate, they can read every communication in plain text.
Google is normally attentive to security issues in its products, but in this case a patch has been slow to appear. Lacoon said it reported the issue more than four months ago, on February 24, and the search giant still has not fixed it.
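As an added, self-contained illustration of the pinning check described above and of the rogue-certificate interception it defeats (example code written for this page, not Google's or Lacoon's): the Go program below mints two throwaway self-signed certificates for the same hostname, one standing in for the legitimate server and one for the attacker's, hard-codes the SHA-256 of the legitimate server's public key as the pin, and runs a TLS client that aborts the handshake whenever the presented certificate does not match. The hostname mail.example.com, the function names and the loopback handshake are assumptions made for the example; the real app talks to Google's servers and would perform the same comparison in its iOS networking delegate. Go is used because its standard library can generate the certificates and run both ends of the handshake offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for host. Two calls stand in
// for the legitimate server and the attacker's rogue certificate (same name, different key).
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin returns hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate, the value a
// pinning client ships hard-coded. Pinning the key survives renewals that keep the key pair.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// pinVerifier is the check a pinning client runs on the presented chain: the leaf's
// SPKI hash must equal the pin or the handshake is aborted. It has the signature
// of tls.Config.VerifyPeerCertificate.
func pinVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no peer certificate presented")
		}
		got, err := spkiPin(rawCerts[0])
		if err != nil {
			return err
		}
		if got != pin {
			return fmt.Errorf("pin mismatch: want %s, got %s", pin, got)
		}
		return nil
	}
}

// handshake runs one TLS handshake over loopback TCP, the server presenting cert and
// the client enforcing pin, and returns the client's verdict.
func handshake(cert tls.Certificate, pin string) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			s := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}})
			s.Handshake() // outcome is reported from the client side
			s.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify:    true, // example only: no CA here, so the pin decides alone
		VerifyPeerCertificate: pinVerifier(pin),
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	legit, _ := selfSigned("mail.example.com")
	rogue, _ := selfSigned("mail.example.com") // attacker's certificate for the same name
	pin, _ := spkiPin(legit.Certificate[0])
	fmt.Println("legitimate server:", handshake(legit, pin)) // <nil>
	fmt.Println("rogue server:", handshake(rogue, pin))      // pin mismatch
}
```

Run with `go run`: the first handshake reports `<nil>` and the second fails with a pin mismatch, even though both certificates are "valid" for the same name. The InsecureSkipVerify line must not be copied into a real client; there, chain validation stays on and the pin is an additional check. A CA certificate pushed through a malicious configuration profile changes what the operating system trusts but not what the app has hard-coded, which is exactly why pinning blocks the scenario described above.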