January 21st, 2015
Today I installed for the first time the Gmail official client for iOS, and I was really surprised on how a company like iPhone I decided to write this post to share with you why you must do the same as soon as possible, and also to show a very common and dangerous practice in mobile apps.
The dream of phishing scammers
The main security concern about the Gmail client for iOS is that it uses a very dangerous security practice, one that unfortunately is very common in today's mobile apps: it opens unknown links in an embedded web view.
Basically, when you receive a new email containing a link and you tap on it, the link is loaded inside the app, in the embedded web view, instead of in a browser.
This is the worst thing you can do, from a security standpoint, in an app whose basic functionality is to receive messages from other people (even strangers). It is the dream of phishing scammers, because when you use an embedded web view you don't have any UI element protecting you from phishing: there is no TLS padlock validation icon and no address bar like you would have in a browser.
So while you are looking at what you think is your home banking login screen, you could actually be at http://hacker.com and you don't have any clue of that.
How can it get worse? Spoofing…
Please don't do this at home, but it gets worse if you add a bit of email spoofing to this thing, especially on Apple devices, because, for some reason that I can't explain, spoofing an Apple email address is a very easy thing to do: their DNS configuration has the SPF record set to ~all (SoftFail) instead of Fail (-all). For this reason, if an attacker spoofs any @apple.com address the victim will not see any error in the Gmail client, so he will think that it is a valid
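The difference between a SoftFail and a Fail policy is decided by the qualifier on the final "all" term of the SPF record, so the first thing a domain owner should check is which one their own record ends with. Below is an added example (not code from the original post, and not Apple's or Google's) that parses a raw SPF TXT string and reports whether receivers are able to hard-fail forged senders. The sample records are constructed for illustration and are not the real DNS data of any domain; the function names are this example's own.

```swift
import Foundation

/// Outcome an SPF-checking receiver reaches for a sender that matches no
/// earlier mechanism: it is decided by the qualifier on the final "all" term.
enum SPFAllPolicy: String {
    case pass = "+all"      // anyone may send as the domain (useless)
    case fail = "-all"      // receiver may reject or flag the message
    case softFail = "~all"  // accept but "suspicious"; many clients show nothing
    case neutral = "?all"   // no assertion at all
}

/// Extract the policy for unmatched senders from a raw SPF TXT record.
/// Returns nil if the string is not a v=spf1 record or has no "all" term.
func spfAllPolicy(of record: String) -> SPFAllPolicy? {
    let terms = record.split(separator: " ").map(String.init)
    guard terms.first?.lowercased() == "v=spf1" else { return nil }
    for term in terms.dropFirst() {
        var qualifier = "+"          // SPF default when no qualifier is written
        var mechanism = term
        if let first = term.first, "+-~?".contains(first) {
            qualifier = String(first)
            mechanism = String(term.dropFirst())
        }
        if mechanism.lowercased() == "all" {
            return SPFAllPolicy(rawValue: qualifier + "all")
        }
    }
    return nil
}

/// Defender's check: anything other than "-all" lets a forged sender through
/// without a hard failure, which is exactly the situation described above.
func allowsSpoofingWithoutHardFail(_ record: String) -> Bool {
    guard let policy = spfAllPolicy(of: record) else { return true }
    return policy != .fail
}

// Constructed sample records (hypothetical, not real DNS data for any domain).
let samples = [
    "v=spf1 include:_spf.example.net ~all",
    "v=spf1 ip4:192.0.2.0/24 -all",
    "v=spf1 a mx",
]
for record in samples {
    let verdict = allowsSpoofingWithoutHardFail(record) ? "weak" : "strict"
    print("\(verdict): \(record)")
}
```

Feed the function the TXT record you get back from a DNS query for your own domain; the only record the check reports as strict is one that ends in -all. A missing "all" term is treated as weak, since a receiver then reaches no decision for the forged sender either.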
So, to collect victim iCloud credentials you just need to go to some online email spoofer and send some email like:
And that's all; this is how the victim's phone will look:
Notice that when reading the email there is no clue that the email is a fake: it says firstname.lastname@example.org and it doesn't show any warning. At the same time, when we tap the link, thanks to the web view there is no clue that we are not at https://apple.com; it only shows the window.title content, which as you know can be set to anything.
The right approach
Basically, this kind of attack would be impossible if the Gmail application launched the link in a browser instead of using the embedded web view, because the UI elements (padlock and address bar) would tell you where you are and whether you are using TLS/SSL against the right host.
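What this looks like in an iOS mail app, as an added example rather than Gmail's own code: the message body still renders in a WKWebView, but any navigation the user triggers by tapping a link is cancelled in the navigation delegate and handed to the system instead. The view controller, its method names and the rendering flow are hypothetical; SFSafariViewController, UIApplication.shared.open and the WKNavigationDelegate callback are the public iOS APIs.

```swift
import UIKit
import WebKit
import SafariServices

/// Hypothetical message-reading screen (added example, not the Gmail client).
/// Untrusted HTML is displayed in-app, but links never navigate in-app.
final class MessageViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    /// Render the (untrusted) HTML body of a message. A nil baseURL gives the
    /// document an opaque origin, so its scripts cannot reach app-local files.
    func show(messageHTML: String) {
        webView.loadHTMLString(messageHTML, baseURL: nil)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        // Only the initial loadHTMLString (navigationType .other) may render
        // in-app. A tapped link is cancelled here and opened externally.
        guard navigationAction.navigationType == .linkActivated,
              let url = navigationAction.request.url else {
            decisionHandler(.allow)
            return
        }
        decisionHandler(.cancel)
        openExternally(url)
    }

    private func openExternally(_ url: URL) {
        // http/https: Safari View Controller keeps the user in the app but
        // shows the real URL, the TLS indicator and Safari's own warnings.
        if let scheme = url.scheme?.lowercased(), scheme == "http" || scheme == "https" {
            let safari = SFSafariViewController(url: url)
            present(safari, animated: true)
            return
        }
        // Anything else (mailto:, tel:, custom schemes) is handed to the
        // system; SFSafariViewController only accepts http and https URLs.
        UIApplication.shared.open(url, options: [:], completionHandler: nil)
    }
}
```

The scheme check before constructing SFSafariViewController matters: it raises an exception for non-http(s) URLs, so a crafted mailto: or custom-scheme link in a message would otherwise crash the app. Either way, the page the user ends up on is shown with a real address bar, which is the whole point of the post.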
So, what do you think now? Will you uninstall the Gmail app?