Gmail on iphone..notsosecure

burp logs showing http request

If you are concerned about the security of your emails, accessing Gmail from a mobile device may not be a great idea.

1. A few weeks ago, Google introduced a new feature in Gmail that lets you force your Gmail session to never use HTTP and to talk only over HTTPS. Unfortunately this does not apply to Google Mobile (http://mobile.google.com/): even with the preference set to use HTTPS only, Gmail accessed from a mobile device still makes requests over HTTP. This HTTP request takes place in the background, and the clear-text response contains all the session cookies as well as a URL over HTTPS.

2. To make matters worse, this URL, returned over port 80, carries the session ID in the URL itself and is sufficient on its own to access the mailbox (an attacker does not need your session cookie). So if your mobile device goes through a proxy server and an attacker manages to access that proxy's logs, they will have this URL with the session ID in it, which makes the issue slightly more concerning. Of course, once you log out this URL is no longer valid, so the attack has a time limitation.
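As an added illustration (not code from the original post), here is a small Python audit that scans constructed proxy-log entries for the two exposures described above: a session identifier carried in the URL of a cleartext request, and cookies issued in a cleartext response or set without the Secure attribute. The hosts, log shape and parameter names are assumptions, not Google's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that commonly carry a session identifier; extend for your own apps.
SESSION_PARAM = re.compile(r"sid|sess|session|auth|token", re.IGNORECASE)

# Constructed sample exchanges in a simplified proxy-log shape (hypothetical hosts,
# not real Google traffic): (client, method, url, response status, response headers).
SAMPLE_LOG = [
    ("10.0.0.5", "GET", "http://mail.example.test/m/?sid=ABC123DEF456", 200,
     {"Set-Cookie": "SID=ABC123DEF456; Path=/", "Content-Type": "text/html"}),
    ("10.0.0.5", "GET", "https://mail.example.test/m/inbox", 200,
     {"Set-Cookie": "PREF=lang-en; Path=/"}),
    ("10.0.0.7", "GET", "http://www.example.test/static/logo.png", 200,
     {"Content-Type": "image/png"}),
]

def audit_exchange(client, method, url, status, headers):
    """Return (client, finding_kind, detail) tuples for one proxied request/response."""
    findings = []
    parts = urlsplit(url)
    plaintext = parts.scheme.lower() == "http"
    location = f"{parts.netloc}{parts.path}"
    # 1. A session-looking query parameter is a bearer credential: over plain HTTP it is
    #    readable on the wire, and in either scheme it lands in proxy and server logs.
    for name in parse_qs(parts.query):
        if SESSION_PARAM.search(name):
            kind = "session-id-in-cleartext-url" if plaintext else "session-id-in-url"
            findings.append((client, kind, f"{name} on {location}"))
    # 2. Cookies issued in a cleartext response are exposed; cookies lacking the Secure
    #    attribute will later be sent in the clear on any http:// request to the host.
    for header, value in headers.items():
        if header.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if plaintext:
            findings.append((client, "cookie-over-http", f"{cookie_name} on {location}"))
        if "secure" not in attrs:
            findings.append((client, "cookie-missing-secure", f"{cookie_name} on {location}"))
    return findings

def audit_log(entries):
    """Run audit_exchange over every logged exchange and collect the findings."""
    return [f for entry in entries for f in audit_exchange(*entry)]

if __name__ == "__main__":
    for client, kind, detail in audit_log(SAMPLE_LOG):
        print(f"{client}\t{kind}\t{detail}")
```

Real proxies emit several Set-Cookie headers per response and their own log formats, so the header map and the log tuple would need adapting before running this against production logs.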

Update: Google has fixed the second issue and does not appear to be too keen to fix the first one.