On Mon, Jun 17, 2013 at 2:09 PM, Robert Dailey <[email protected]> wrote:
> Is it possible for MITM to occur for traffic on the Android Gmail client
> when connected to a Wifi network
Yes, it's possible.

> If so, how can I verify whether or not my
> SSL certificate has been compromised for Gmail?
Pin the server's certificate or public key.
https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning.

If you are dealing with a browser-based app, then you are out of luck.
Javascript, WebSockets, WebCrypto and other components in the stack
don't make the required connection information available. In this
case, you need to write a hybrid app or native app. Many people don't
want to hear their browser-based app can't handle a particular data
sensitivity level, and it usually goes over like a turd in a punch
bowl.

Not all apps need to pin. If the app is dealing with throwaway, low
value data, then it does not matter - browser-based apps are fine. For
medium value (for example, an organization's Single Sign On password)
and high value data (such as information covered under US Federal
law), then you probably can't use a browser-based app.

In the future, sites (servers) will [likely] be able to ask the
browser (clients) to pin certificates via
https://tools.ietf.org/id/draft-ietf-websec-key-pinning-05.txt.
However, there is no guarantee a client will perform a pin in the
absence of a server's request.

Jeff
