Websites generally rely on digital certificates under the TLS/SSL (Transport Layer Security / Secure Sockets Layer) protocols to encrypt their traffic. Yet even these certificates can be forged by attackers, which lets them read the details of that traffic.
The threat can be removed by certificate ‘pinning’, which means hard-coding the details of a legitimate digital certificate into an application. Google has done this for Android but not for iOS, and that omission lets an attacker mount a man-in-the-middle attack and read the encrypted communications, said Avi Bashan, chief information security officer of Lacoon Mobile Security, which is based in Israel and the US.
The attack works by tricking a user into configuring an iOS device management profile that carries a fake digital root certificate. The forged certificate would then validate, letting the attacker redirect the user to a malicious Gmail website. It is not clear why Google has not done certificate pinning on iOS. One complication is that the proxy servers companies employ sometimes intercept HTTPS connections using ephemeral local certificates, which can override ‘pins’ meant to check for one particular certificate.
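The following is an added example, not code from Google, Lacoon or the article, showing what the pinning check described above looks like in practice: the app keeps a hard-coded fingerprint of the certificate it expects, and refuses the connection when the server presents anything else, even a certificate that the device's trust store (including an injected fake root) would otherwise accept. The certificate bytes and pin values below are constructed stand-ins, not real certificates; the `pinned_connect` helper is hypothetical and is only there to show where the check sits relative to normal TLS validation.

```python
"""Certificate pinning check (added example; constructed data, not real certificates)."""
import base64
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, base64-encoded.

    This is the usual way a 'pin' is expressed: the app ships the hash, not
    the certificate itself, and compares what the server presents against it.
    """
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_chain: list[bytes], pins: set[str]) -> bool:
    """Accept only if some certificate in the presented chain hashes to a pin.

    Apps normally ship a primary pin plus a backup pin so a routine certificate
    rotation does not lock every client out.
    """
    return any(cert_fingerprint(cert) in pins for cert in der_chain)


def pinned_connect(host: str, pins: set[str], port: int = 443) -> bool:
    """Hypothetical helper: ordinary TLS validation first, then the pin check.

    Returns True only if the chain validates against the system trust store
    AND the leaf certificate matches a hard-coded pin. An attacker who has
    planted a fake root via a device-management profile passes the first
    step but not the second.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)  # DER bytes of the leaf only
            return pin_matches([leaf], pins)


# --- Constructed stand-ins for DER-encoded certificates (not real ASN.1) ---
LEGIT_CERT_DER = b"constructed-der:legitimate mail server certificate"
BACKUP_CERT_DER = b"constructed-der:backup certificate for the next rotation"
FAKE_CERT_DER = b"constructed-der:certificate issued by an injected fake root"
PROXY_CERT_DER = b"constructed-der:ephemeral certificate minted by a corporate proxy"

# The pins an app would hard-code at build time: primary plus backup.
PINNED_FINGERPRINTS = {
    cert_fingerprint(LEGIT_CERT_DER),
    cert_fingerprint(BACKUP_CERT_DER),
}


def scenario_results() -> dict[str, bool]:
    """Run the pin check against each stand-in chain and report the outcome."""
    return {
        "legitimate server": pin_matches([LEGIT_CERT_DER], PINNED_FINGERPRINTS),
        "rotated to backup": pin_matches([BACKUP_CERT_DER], PINNED_FINGERPRINTS),
        "injected fake root": pin_matches([FAKE_CERT_DER], PINNED_FINGERPRINTS),
        "corporate TLS proxy": pin_matches([PROXY_CERT_DER], PINNED_FINGERPRINTS),
    }


if __name__ == "__main__":
    for name, accepted in scenario_results().items():
        print(f"{name:22s} -> {'accepted' if accepted else 'REJECTED by pin'}")
```

The last scenario is the tension the article points at: the same check that blocks an attacker's forged certificate also blocks a company's own HTTPS-inspecting proxy, whose ephemeral certificates will never match a pin the app shipped with.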