ISE - Independent Security Evaluators

ISE Blog

Posted by Gabriel Landau on December 17, 2009 at 10:25 PM
I love Gmail. I like my iPhone. I like how I can access my Gmail from my iPhone via IMAP or POP. Sounds pretty good, right?

Well, I don't like the fact that Apple limits how frequently I can check my mail. I want to check my mail every 3-5 minutes. When dealing with clients, it's nice to get quick notifications about incoming emails, so I can respond in a timely manner, even when I'm not in front of my computer. I have Thunderbird set to check for new messages every 3 minutes. Why not my iPhone?

This has annoyed me for the first 6 months that I've owned an iPhone. The point is (partially) moot now that Apple has added Exchange ActiveSync support and, in response, Google has added push notifications for Gmail via Google Sync. Now, instead of using IMAP to access my mail, I use ActiveSync with push notifications. It's great - my phone notifies me of new messages before my computer.

There's something that really bugs me about this feature, and I'll get to that in a minute, after I introduce the Gmail Activity Monitor.

The Gmail Activity Monitor

The Gmail Activity Monitor, a feature which security paranoiacs like myself love, lets you see which IP addresses are signed into your account, and sign out all other sessions with the click of a button. It's great when you accidentally sign into your account from another location, but can't remember whether you clicked 'Sign out' before leaving. It's also good if you forgot the IP address of your house, office, friend's house, etc. Additionally, it shows whether the connection is from IMAP, SMTP, a web browser, etc. Importantly, the log can't be cleared, so someone with your credentials can't access your account then hide their tracks afterwards.

Unfortunately, the Activity Monitor (hopefully unintentionally) relies on security through obscurity, ignoring Shannon's Maxim. There's a trick to being undetected, and that trick is to use ActiveSync. The activity log shown above doesn't show me logging into my Gmail via 3G (from a different IP address), downloading and reading new messages, and sending a message at 7:06.

Because there is now a backdoor, someone with my credentials could be reading and sending messages with my account without my knowledge, and I can't turn it off because ActiveSync access can't be disabled (like POP and IMAP can). I first discovered this in late September, and notified Google via their bug reporting interface. It's been over two months and the issue hasn't been addressed.
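One way to notice a blind spot like this from the defender's side is to reconcile the activity log against an independent record of what the account actually did, such as the Sent folder. The script below is an added example, not code from the post or from Google: the CSV shapes of the activity log and the Sent-folder listing are assumptions, the sample rows are constructed, and the 10-minute session window is an assumption about how long a logged session should be credited with covering later activity.

```python
from datetime import datetime, timedelta

# Constructed Activity Monitor export: access type, source IP, session time.
# (The real monitor is a web page; this CSV shape is an assumption.)
ACTIVITY_LOG = """\
Browser,203.0.113.10,2009-12-17 06:10
IMAP,203.0.113.10,2009-12-17 06:50
SMTP,203.0.113.10,2009-12-17 07:30
"""

# Constructed Sent-folder listing from an independent source: send time, subject.
SENT_FOLDER = """\
2009-12-17 06:57,Scope confirmation
2009-12-17 07:06,Quick reply from phone
2009-12-17 07:31,Follow-up
"""

FMT = "%Y-%m-%d %H:%M"

def parse_activity_log(text):
    """Return [(access_type, ip, datetime)] from the CSV-style log."""
    rows = []
    for line in text.strip().splitlines():
        access_type, ip, when = [f.strip() for f in line.split(",", 2)]
        rows.append((access_type, ip, datetime.strptime(when, FMT)))
    return rows

def parse_sent_folder(text):
    """Return [(datetime, subject)] from the Sent-folder listing."""
    rows = []
    for line in text.strip().splitlines():
        when, subject = [f.strip() for f in line.split(",", 1)]
        rows.append((datetime.strptime(when, FMT), subject))
    return rows

def unlogged_sends(log, sent, session_window=timedelta(minutes=10)):
    """Return [(time, subject)] for messages sent while no logged session was active.

    A logged session is credited with covering sends from its logged time up to
    session_window later (an assumption). A send outside every such interval went
    through a channel the monitor does not record, i.e. the ActiveSync gap."""
    flagged = []
    for when, subject in sent:
        covered = any(start <= when <= start + session_window for _, _, start in log)
        if not covered:
            flagged.append((when.strftime(FMT), subject))
    return flagged

def audit():
    """Run the reconciliation over the constructed sample data."""
    return unlogged_sends(parse_activity_log(ACTIVITY_LOG), parse_sent_folder(SENT_FOLDER))

if __name__ == "__main__":
    for when, subject in audit():
        print(f"{when}  '{subject}' was sent with no matching session in the activity log")
```

Only the 7:06 message is flagged: the 6:57 and 7:31 sends fall inside logged IMAP and SMTP sessions, while nothing in the monitor accounts for the one sent from the phone.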

Please Google, either show ActiveSync operations to the Activity Monitor, let me disable ActiveSync, or both.