According to a mobile security company, iOS users accessing Gmail could be putting their data at risk. This is because Google has not yet put a safeguard in place to stop attackers from getting at the app's encrypted data transfers.
Websites use digital certificates to encrypt data traffic with the SSL or TLS protocols. However, these certificates can sometimes be attacked, and the attackers could then view or even decrypt the data.
This threat can be prevented only through certificate pinning, which involves hard-coding the details of the expected certificate into the app. Google has already done this for Android, helping secure mobile data for Android users, but the same has not been done for iOS.
Attackers could intercept data in transit between iOS devices and Gmail and read the communications. Although the issue was acknowledged several months ago, Google has not yet fixed it.
The mobile security company and other security experts are not sure why Google has not implemented certificate pinning on iOS. A few years ago, security engineers at Google reported that managing digital certificates is more complicated than it appears on the surface.
Proxy servers used by organizations can intercept HTTPS connections using locally issued, short-lived certificates. Some parental control applications and security programs do the same. Such locally installed certificates can override pins set up to verify specific certificates.
The reporting security company demonstrated a typical attack scenario involving Gmail and iOS: a user is tricked into installing an iOS device management configuration file that contains a malicious root certificate. That root could validate a forged certificate, leading the user to a fake or phishing Gmail website.
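To make the pinning check described above concrete, here is an added Python example (it is not code from Google, the security company, or the original article). It extracts the SubjectPublicKeyInfo from a DER certificate with a minimal parser, derives an RFC 7469-style pin (base64 of SHA-256 over the SPKI) and compares it against a hard-coded set; the certificates, keys and hostname it uses are constructed fixtures, and a certificate for the same name issued under a user-installed rogue root fails the pin even though the device trust store would accept it.

```python
import base64
import hashlib

def der_tlv(tag, body):
    # Encode one DER element with a definite short- or long-form length.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    # Decode the element at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    # Walk Certificate -> tbsCertificate and return the whole SubjectPublicKeyInfo element.
    _, pos, _ = der_read(cert_der, 0)
    _, pos, tbs_end = der_read(cert_der, pos)
    fields = []                                # (tag, element_start, element_end)
    while pos < tbs_end:
        tag, _, end = der_read(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    skip = 1 if fields[0][0] == 0xA0 else 0    # optional EXPLICIT [0] version
    _, start, end = fields[skip + 5]           # serial, sigAlg, issuer, validity, subject, SPKI
    return cert_der[start:end]

def spki_pin(cert_der):
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()
def pin_check(cert_der, pinned):
    # Accept only a leaf whose RFC 7469-style pin (base64 SHA-256 of its SPKI) is hard-coded in the app.
    return spki_pin(cert_der) in pinned

def build_cert(subject_cn, spki_body):
    # Constructed, unsigned X.509 shell used only as a fixture; not a real certificate.
    attr = der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, subject_cn.encode())  # CN
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, attr)))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    validity = der_tlv(0x30, der_tlv(0x17, b"140801000000Z") + der_tlv(0x17, b"150801000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg + name + validity + name + der_tlv(0x30, spki_body))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + b"\xAA" * 64))
RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")))   # rsaEncryption
GENUINE_SPKI = RSA + der_tlv(0x03, b"\x00" + b"\x01" * 32)   # constructed stand-in for Gmail's real key
ROGUE_SPKI = RSA + der_tlv(0x03, b"\x00" + b"\x02" * 32)     # constructed key the interceptor presents
PINS = {spki_pin(build_cert("mail.google.com", GENUINE_SPKI))}   # what the app would ship hard-coded
```

A certificate from an enterprise proxy or parental-control product fails this check in exactly the same way as the rogue-root certificate, which is why an app that pins needs a deliberate policy for locally installed roots.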
Google has already implemented certificate pinning for the Android Gmail application; not doing so for Apple's platform could prove to be a serious security lapse.