January 21st, 2015

Gmail App for iOS: An example of a terrible security practice in mobile apps

Today I just installed by the first time the Gmail official client for iOS and I was really surprised on how a company like Google has produced such an insecure app, so, before of uninstalling the app forever from my iPhone I decided to write this post to share with you why you must do the same as soon as possible and also show a very common dangerous practice in mobile apps.

The dream of phishing scammers

bofa The main security concern about the Gmail client for iOS is that it uses a very dangerouse security practice, that unfortunately is very common in this days mobile apps: it opens unknown links in an embedded webview.

Basically when you receive a new email containing a link, when you click on the link it launches the link inside of the app, in the embedded web view, instead of launching a browser.

This is the worst thing that you can do, from security standpoint, in an app which basic functionality is to receive messages from other people (even strangers) and it seems the dream of phishing scammers, because when you use an embedded web view you don’t have any UI element protecting you from phishing: you don’t have any TLS padlock validation icon nor address bar like you would have in a browser.

So while you are looking at, what you think is, your home banking login screen, you could be at http://hacker.com and you don’t have any clue of that.

How can it get worse? Spoofing…

Please don’t do this at home, but it get worse if you add a bit of email spoofing to this thing, specially on Apple devices, because, for some reason that I can’t explain, spoofing an Apple email address is a very easy thing to do, due to they have on their DNS configuration the SPF record set to ~all instead of -all:

appledns

Which means SoftFail instead of Fail. For this reason if an attacker spoofs any @apple.com address the victim will not see any error in the gmail client, so he will think that it is a valid Apple email.

So, to collect victim iCloud credentials you just need to go to some online email spoofer and send some email like:

spoof

And that’s all, this is how the victim phone will looks like:

phones

Notice that when reading the email there is no clue about that the email is a fake, it says tim@apple.com and it doesn’t have any warning, at the same time, when we click the link, thanks to the webview, there is no clue that we are not in https://apple.com, it only shows the window.title content, which you know can be set to anything.

The right approach

Basically, this kind of attack would be imposible if the Gmail application had launched the link in a browser instead of using the embedded webview because the UI elements (padlock and address bar) would tell you where you are, and if you are using a TLS/SSL against the right host.

So, What you think now? Will you uninstall the gmail app?

  • Leandro Diaz Guerra

    I wouldn’t buy an iPhone in the first place 🙂

    • Leandro Diaz Guerra

      But it’s the same crap facebook app does in Android phones, they open a website inside the app, just to avoid the user from leaving the app. At least now the Facebook app added the possibility of opening the link in Chrome, you didn’t have that possibility before 🙁

      • yes, its awful and it seems amazing companies like Google or Facebook promoting this practices

    • l1x

      Thank you for sharing your shopping habits, it is very valuable information. Do you have anything about the article as well?

  • Eduardo Campañó

    I don’t know what version of the Gmail app you tested, but the one I have installed has the address bar and shows the lock

    • I just installed the version published on appstore. I guess that maybe you have chrome installed?

      • Eduardo Campañó

        Correct! Google’s take for vendor lock-in