1

My scenario:

  • I connected to an open WiFi at Kuala Lumpur Airport to read a news site from home (I know I was being absolutely careless).

  • I forgot to turn off sync on my Android phone, so all my apps "fired".

  • 2 minutes later I get a warning email from Google that someone knows my password and tried to log in from the Netherlands.

I would like to know how it was possible - is Android Gmail app susceptible to MITM + sslstrip attacks? If no, how else could it have happened? Does a well-configured VPN protect against such attacks?

Anders
  • 65,052
  • 24
  • 180
  • 218
Itarill
  • 13
  • 3
  • So you never entered you password manually once when connected to the airport wifi? Did you set up any other email accounts besides Gmail? – Arminius May 20 '17 at 14:12
  • No captive portals on the network. 2 Gmail accounts, no other email accounts. P.S. it just occurred to me that gmail push notifications cannot be tunneled in VPN due to play services if I'm not mistaken, so my last question may or may not be a stupid question. – Itarill May 20 '17 at 14:16
  • 1
    The message **really contains** "someone knows your password", or just "someone just logged in from the Netherlands"? – ThoriumBR Nov 25 '19 at 15:10
  • @ThoriumBR this is the key in my opinion. If it was only a login, then the message from Google might have only been a mistake in locating the IP. – MiaoHatola Nov 25 '19 at 16:41

1 Answers1

8

SSL-strip is not an issue when you are using an app, it is only an issue when you are browsing the web through a browser. It works by replacing HTTPS links with HTTP links in an HTTP page. Since the URLs are usually hardcoded into an app, they can not be replaced by a MITM. So there is not the same need to worry about SSL-strip. (I guees you could get in trouble if the app follows URL:s in an API response, but I am pretty sure Google is smart enough to make sure they are to the right domain and use the right protocol.)

I have not been able to find an official statement, but I am pretty sure that the Gmail app uses TLS. Their webmail is only served over HTTPS, and other clients connecting to Gmail must use TLS. I find it hard to believe that they would make an exception for the Android app. So I would not worry about a MITM even if you're using public Wi-Fi.

Besides, I am not sure the app even uses the password - probably it uses some other kind of access token.

So how was your password stolen? I have no idea. Maybe you reused it on some other site? Maybe you entered it somewhere else? All I'm saying is that it was probably not sniffed from the Android app. Anyway, if you haven't already done it, you should change it.

Anders
  • 65,052
  • 24
  • 180
  • 218