Current version of Gmail Android app (18.104.22.168199545 at the time of writing), has an insecure Network Security Configuration, opening the possibility for MITM via user supplied CAs on Android versions 7+ (~43% of the Android ecosystem).
Android Nougat brought security improvements when it comes to certificate authorities (CAs). By default, all applications that target API level 24+, and are running on a device with Android 7+, implement a default Network Security Configuration that will not trust user supplied CAs configured on the system, invalidating MITM attacks scenarios when the user is lured into installing an attacker controlled CA.
Protection of all application data is a key goal of the Android application sandbox. Android Nougat changes how applications interact with user- and admin-supplied CAs. By default, apps that target API level 24 will—by design—not honor such CAs unless the app explicitly opts in. This safe-by-default setting reduces application attack surface and encourages consistent handling of network and file-based application data.
A custom Network Security Config allows to explicitly weaken the default behavior of the default one, by allowing the particular app to trust in user supplied CAs.
That brings us to Gmail Android app. While implementing the static analysis checks in Droidstat-x for this topic, I’ve tested the process against several apps and discovered this issue. The current version (22.214.171.124199545 at the time of writing) is explicitly trusting in user supplied CAs in the Network Security Config file by setting a custom trust anchor where user supplied CAs are trusted. This means that as soon as an attacker succeeds to lure a user to install a CA, he is able to intercept the app communication when in the same network segment.
The Network Security Config file is located in the /res/xml folder under the name network_security_config.xml
<?xml version="1.0" encoding="utf-8"?> <network-security-config> <base-config cleartextTrafficPermitted="true"> <trust-anchors> <certificates src="system" /> <certificates src="user" /> </trust-anchors> </base-config>
Using Burp Suite to simulate the MITM attack scenario, we installed Burp Suite Root CA on a non rooted Android device running Android 8.1.0.
As soon as we start the Gmail app, we can observe all app communication such as the new emails sync.
On other hand, if you try to use Google Play Store in the same setup, since the app is using the default Network Security Config, you cannot see any HTTP requests from the app and errors will be present in the Alerts tab of Burp Suite.
This issue also brings up the importance of certificate pinning. Even with a user supplied CA installed and trusted by the app, certificate pinning would invalidate this type of attack.
We’ve investigated your submission and made the decision not to track it as a security bug.
It looks to us as the issue you’re describing can only result in social engineering, and we think that addressing it would not make our users less prone to such attacks. Please take a look at https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-facilitating-phishing-or-social-engineering for more explanation.
This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users’ data are in scope, and we feel the issue you mentioned does not meet that bar.
If you think we’ve misunderstood, please do let us know!”
I don’t know why Android team made such decision. It’s not a security bug we would accept for Google VRP for the aforementioned reasons.
Having looked again, you’re right. I’m not sure if and why Gmail app does this, but it would make it opt out from the hardening settings present in Nougat - we’ll investigate.
Thanks for your report.
I’ve filed a bug based on your report. At first glance, this might not be severe enough to qualify for a reward, though the panel will take a look shortly.
The panel will evaluate your report at the next meeting and we’ll update you once we’ve got more information. All you need to do now is wait. If you don’t hear back from us in 2-3 weeks or have additional information about the vulnerability, let us know!
Thanks for reporting this bug. We have notified the team about this issue; they will review your report and decide whether they want to make a change or not.
As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame:
If you wish to be added to the page Hall of Fame, please create a profile here: https://bughunter.withgoogle.com/new_profile
Your ranking is based on the number of valid reports.
Hi, while we haven’t confirmed we are going to fix, I see no problem with that date at this time. Thanks for letting us know