This week, security researchers discovered a vulnerability in the Gmail app for iOS, which they claimed could leave the app exposed to a man-in-the-middle (MitM) attack. The researchers stated that Google left a security gap in the iOS app (the Android version is fine) by not employing “certificate pinning.” (Certificate pinning is the practice of building the server’s expected certificate, or its public key, into the app so that the app accepts only that certificate when it connects, rather than any certificate signed by a trusted authority. “Pinning” the certificate to the server makes it much harder for anyone else to impersonate that server when the app communicates with it.)
Basically, certificate pinning acts like a passport that contains sensitive information but is nearly impossible to forge. Since the Gmail app lacks this protection, the researchers asserted that attackers might spoof their way in by using someone else’s Gmail account and then introducing their own malicious certificates. The traffic could then be decrypted and read as plain text that may contain private information. The MitM attack would continue the process by tricking users into downloading a configuration profile onto an iOS device. This secondary trick works by sending massive phishing emails containing a bogus link, changing system configurations on the iOS device and granting access to the mobile device. Time to put out the welcome mat?
Not so fast. Google countered the researchers’ claims, explaining that the lack of certificate pinning in the Gmail app does not mean the app has a security risk. Google stated that there is no flaw in the app and that an attacker would have to trick a person into downloading a malicious file onto their device, which it says is highly unlikely. However, “unlikely” as this case may be, why not play it safe, secure and private? Here are a few of Appthority’s tips, “just in case”:
- Check to make sure your device configuration does not include root certificates
- Use a VPN or other secure channel when connecting to the enterprise
- Check your device for man-in-the-middle attempts
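To make the pinning discussion above concrete, here is an added Python illustration of what a pinned client does that an unpinned one does not. This is example code written for this post, not Appthority’s, Google’s, or the Gmail app’s own code (which is native iOS code). It assumes the common pin format used by HPKP and mobile pinning libraries (base64 of the SHA-256 over the certificate’s SubjectPublicKeyInfo). The sample certificates are constructed DER skeletons with dummy keys, not real certificates, and `pinned_connect` is only shown for how the check slots into a live TLS client; it needs a reachable host and is not run here.

```python
"""Public-key (SPKI) pinning check: a pinned client hashes the server's
SubjectPublicKeyInfo and accepts the connection only if that hash is in its
baked-in pin set.  A certificate for any other key is rejected even when a
trusted CA, or a user-installed root profile, signed it."""
import base64
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the presented certificate's key is not in the pin set."""


def der(tag, body):
    """Encode one DER TLV (used only to build the constructed samples below)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = read_tlv(cert_der, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                              # explicit [0] version (v2/v3 only)
        pos = end
    for _ in range(5):                           # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)        # subjectPublicKeyInfo, header included
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """HPKP-style pin string: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pins(cert_der, pinned):
    """Accept the certificate only if its key matches one of the pins.
    Ship at least one backup pin (a key not yet deployed) so a planned key
    rotation does not lock every client out."""
    pin = spki_pin(cert_der)
    if pin not in pinned:
        raise PinMismatch("server key %s is not in the pin set" % pin)
    return pin


def pinned_connect(host, pinned, port=443):
    """Normal CA validation first, then the pin check on top (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_pins(tls.getpeercert(binary_form=True), pinned)


def sample_cert(key_bytes):
    """Constructed, minimal X.509-shaped DER carrying a dummy RSA key
    bitstring; enough for the parser above, not a real certificate."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


LEGIT_CERT = sample_cert(b"\x01" * 16)     # constructed: the real server key
BACKUP_CERT = sample_cert(b"\x03" * 16)    # constructed: pre-published rotation key
MITM_CERT = sample_cert(b"\x02" * 16)      # constructed: an interceptor's key, CA-signed or not
PIN_SET = {spki_pin(LEGIT_CERT), spki_pin(BACKUP_CERT)}

if __name__ == "__main__":
    print("accepted:", check_pins(LEGIT_CERT, PIN_SET))
    try:
        check_pins(MITM_CERT, PIN_SET)
    except PinMismatch as exc:
        print("rejected:", exc)
```

The point of the example is the last few lines: an interceptor’s certificate that would pass ordinary trust-store validation (because the user installed a root certificate via a configuration profile) still fails the pin check, which is exactly the gap the researchers described. Pinning the public key rather than the whole certificate lets the server renew its certificate without shipping an app update, as long as the key stays the same.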
In other app-related news, the Federal Trade Commission recently sued Amazon over in-app purchasing. For background, Amazon had previously pushed back against the FTC’s proposed settlement, which would require Amazon to make changes to its app store to prevent unintentional in-app purchases made by children, and to refund parents of children who previously shopped their hearts out (in-app). In-app purchasing is a common revenue generator for mobile developers, who frequently offer their apps for free but include the option to purchase virtual goods, such as a sword that gives you more power in a game or a key that unlocks more features of the free app, for a mere $1 to $5.
In-app purchasing is one of the risky app behaviors identified by the Appthority App Risk Management Service. For companies that issue mobile devices to employees, in-app purchasing may be a concern, as it may incur new costs that will appear on an employer’s bill. And of course, in-app purchasing is also a concern when it comes to gaming apps for children, as they may be able to purchase content within apps without the parents’ knowledge until the bill arrives. In Appthority’s Winter 2014 App Reputation Report, we found that 51% of the top 200 free iOS and Android apps use in-app purchasing, while 39% of the top 200 paid iOS and Android apps use it. We also found that of the top 200 free and paid iOS apps, 55% offered in-app purchasing, compared to 35% of the top 200 free and paid Android apps. Long story short: in-app purchasing is a risky app behavior, and not an uncommon one! In-app purchasing affects both consumers and the enterprise, which is just one more reason why organizations need to have a mobile app risk management solution in place to test for this potentially risky behavior.
The FTC is concerned that millions of unauthorized in-app purchases have been made by children using their parents’ mobile phones and tablets, and it claims that Amazon’s refund process is inadequate. The FTC has specified that Amazon needs to provide more prominent notices about in-app purchases, passwords for all such purchases, and a simpler process for refunds. Amazon is currently arguing that it meets, and possibly surpasses, Apple’s consent procedures and is operating within the law. There’s no word yet on what will come of this dispute; however, Apple recently refunded $32.5 million to settle a similar complaint.
Thoughts or comments on this week’s news? Reach the Appthority team on Twitter at @Appthority.