GPush for iPhone Security Concerns

Tiverias Apps has recently released their GPush application on the iPhone App Store. GPush brings email push notification to iPhone users with GMail (or Google Apps Mail) accounts.

There are two main methods for receiving email on a phone. Using the standard method (often called poll or fetch), a user enters their email login credentials into their phone and sets a periodic update interval, say every 15 minutes. The phone then simply queries the users email server every 15 minutes and retrieves any new emails. Simple.

The alternative, i.e. push email, works the other way around. Instead of the phone querying the users email server every so often, the server simply sends emails directly to the users phone as they arrive. This is akin to SMS. Your phone doesn't poll the carrier base stations for new messages, the towers notify the phone whenever a new message arrives instead.

The problem with push emails is that most email servers typically don't have any connection to mobile carriers and would have no idea that emails for should be forwarded to say 0414 141 232. So to get the process working, a third-party is typically needed to act as the man-in-the-middle, i.e. someone must know the mapping of email address to phone number and must do the forwarding whenever a new email arrives.

This is where GPush comes in. You simply install the little application on your iPhone, enter your GMail username and password, and away you go! However, by doing this you're giving someone else full access to your GMail account!

Tiverias needs your username and password in order to log into your gmail account for you and check your emails automatically so that they can send you push notifications to your phone as soon as something new arrives. Tiverias tries to ensure its customers that this is a safe practice:

"When we created the app, we committed first and foremost to security. We are using multiple levels of encryption including SSL, obfuscation, and cipher-based encryption. SSL ensures that your credentials can be transported securely. Your login credentials are encrypted using an encryption scheme that has never been cryptographically broken, with a different 'secret key' for each user. To test these security measures, penetration tests were ran on the server with no information accessed."

That's all well and good, but it doesn't change the fact that someone other than yourself has full access to your GMail. Can you be sure that an insider at Tiverias won't sell user accounts to the highest bidder on the side? Or that their database will get hacked and your password will appear on hacker blogs and forums? Does the $1 you paid for GPush give you confidence in their long-term ability to keep your data safe?

And for many people a GMail account is not just for email, it's also used to secure the Google Calendar, Google Docs, Google Search History and Bookmarks, Blogger, Adwords, Adsense and who knows what else. So now some company that you've never heard of before has just bought full access to all your data for $1... can you imagine how much they'd stand to make by selling this information? Maybe as a company they'd never do that, but can you trust all the nameless, faceless employees behind the scenes that are responsible for keeping the service alive? I would advise anyone to stay well clear of any app that asks you for personal user credentials to other services. This is the oldest trick in the book for fishing user accounts.

Other variations of Push email services include having all your emails redirected/forwarded to some other server to which you've subscribed to and knows about your mobile phone number. This way instead of giving someone your GMail username and password, you create a new email account with them and simply give them all your emails instead. This reduces the risk considerably as you're only providing some faceless organization with read access to your emails, but you're not giving them the power to impersonate you or access any of your other linked services. There's considerably more configuration and maintenance involved however.

MobileMe can be made to work in this fashion, i.e. forward any or all of your emails to your account which gets pushed to your phone. Personally I wouldn't bother though. MobileMe is not cheap ($100 a year), and you don't really gain much from push anyway unless you want to use email as a replacement for SMS.


  1. Wow...I was not aware of all the minutiae here, although it's a no-brainer that it won't be advertised how we're giving up access to our google cloud in order to get this service (isn't it more or less the same case with other sites like twitter that allow transferring of gmail contacts with log-in creds?).

    One question, though -- isn't SSL through these types of services typically less robust than it should be as well? My sense has been that google really should encrypt their services (browser based or mobile based) with Extended Validation, but it will only properly work if all these third parties do the same. Seems like a missed opportunity, since the iPhone is EV-compatible, but maybe I'm missing something.

  2. Yes, other services like Twitter or Facebook do exactly the same thing. They ask users to import MSN/Gmail/etc contacts by supplying the login credentials and handing over full access. Now if they're nice, they'll only use your details once to retrieve the contact lists and then discard immediately without storing them in any database or log files, but who really knows what goes on...some employee out to make some cash on the side could sneak in a routine to log all the credentials for say a two hour period, and then go selling off all the details s/he can collect.

    EV would help prevent some man-in-the-middle attacks against the SSL transfer channels. My main concern however is not in someone else hacking the transport between the iPhone and GPush or between GPush and Google. Even if that part's 100% secure, GPush needs to store everyone's passwords in a database on one of their servers somewhere, and various backups and logs and such. They say the passwords are encrypted with an unbreakable cipher with a different secret-key for each...but that adds no security at basically means every password is protected by a second password...which also needs to be stored somewhere on their systems.

    This is not the same as storing a one-way hash of a password in a database for authentication purposes (which is probably what Google does). So in a sense, if the Google accounts database got leaked, a hacker would only get hashes and would have to spend time cracking each one individually to get the real credentials. If the GPush database leaks on the other hand, with both the encrypted password and the secret-key, then the hacker can run a script and get all the real passwords in a few seconds.

    It's frightening.


Post a Comment

Popular posts from this blog

Wkhtmltopdf font and sizing issues

Import Google Contacts to Nokia PC Suite

Can't delete last blank page from Word