DroidSheep for Android Can Actually Hijack WiFi Sessions – Demo-ed on FB

Earlier, I wrote an article about ANTI for Android, which is said to be the best wifi spoofing app for Android, but many of its features are paid. I have discovered another, totally free, app called DroidSheep, which is similar to ANTI and can capture the web sessions opened in any wifi network (open or secured). It actually works best with facebook, as there are many people browsing facebook on an open wifi network in school, college, office, hotspots, etc. This amazing app was available to download from the Android Market a few weeks ago but, unfortunately, Google removed the app from the market.

If you have ever tried the Firesheep plugin for Firefox then you are already quite familiar with DroidSheep. Firesheep is an extension developed by Eric Butler for the Firefox web browser. The extension uses a packet sniffer to intercept unencrypted cookies from certain websites (such as Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.

What is DroidSheep? – Explained as a story!

Maybe you know Bob. Bob is a well-known person and Bob loves coffee. Every morning, he takes his laptop and visits one of the famous green coffee bars, has a “grande vanilla latte” and writes messages to his facebook friends. For doing that, Bob uses the coffee bar's WiFi, because it's free and fast.

One morning, while Bob is writing a message to his girlfriend, Eve enters the coffee bar. Eve has an Android phone and Eve uses DroidSheep. After ordering a “venti caramel macchiato”, Eve sits down, takes her phone and starts browsing facebook. Using Bob's identity. She can look at his friends. Read his messages. Write messages. Write wall posts. Remove friends. Delete Bob's account. Without ever getting in touch with Bob.

What happened?

When Bob is using the WiFi, his laptop sends all the data intended for facebook over the air to the coffee bar's wireless router. As “over the air” means “capturable by everybody”, Eve (or her phone) can read all the data sent by Bob. As some data is encrypted before being sent, she cannot read Bob's facebook password, but in order not to make Bob enter his password after each click, facebook sends Bob a so-called “session id” after logging in, which Bob sends with each interaction, making it possible for facebook to identify Bob. Usually only Bob knows this id, as he receives it encrypted. But when Bob uses the coffee bar's WiFi, he spreads his session id over the air to everybody. So Eve takes this session id and uses it as hers, and facebook cannot tell whether Bob or Eve is using this id.

DroidSheep in Action – Video

Requirements for DroidSheep:

  • An Android Device running Android OS 2.1 or later
  • Root Access

Exceptional Feature: It even captures sessions for websites whose cookies are stored in the web browser; e.g. if your browser has saved the username and password of your facebook account and you are just browsing google while facebook is closed, DroidSheep will capture the data as well.

How to SafeGuard yourself from such WiFi Hijackers

Don't use open wifi hotspots, and if you do, try not to access facebook, twitter, bank websites, email accounts, etc. If you want to surf the web using open/free wifi, open another browser (one which you seldom use) and clear its cache and cookies first. At your home/office wifi network, don't give your password to anyone unknown.

Quick Tip: Use a VPN.

How does this work?

When you use web applications, they usually require you to enter your credentials in order to verify your identity. To avoid entering the credentials at every action you do, most web applications use sessions, where you need to log in only once. A session is identified by a session token which is in the possession of the user and is sent along with every subsequent request inside the HTTP packets.
DroidSheep reads all the packets sent via the wireless network and captures this session token, which allows whoever captured it to present the token as their own and make the web application think they are the person identified by this token. The server has no way to determine whether the request comes from the legitimate user or not.
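The article's advice is all on the client side; the server-side counterpart is to never let the browser send the session token over plain HTTP in the first place. Below is an added example (not code from the article or from the DroidSheep project) that audits the Set-Cookie headers a web application emits and reports session cookies a sniffer on open WiFi could replay; the cookie-name heuristic and the sample headers are assumptions constructed for the demo.

```python
"""Audit Set-Cookie headers for session tokens that would travel in clear text.

Added example for this article; it is not DroidSheep code. Which cookie names
count as session cookies is an assumption (see SESSION_NAME_HINTS).
"""
from __future__ import annotations

# Assumption: substrings that usually mark a cookie as carrying a session token.
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token")

# Constructed sample headers: the first is what a sniffer on open WiFi can
# replay, the second is the hardened form a server should send instead.
WEAK_HEADER = "sessionid=7d3f9a1c42; Path=/"
HARDENED_HEADER = "sessionid=7d3f9a1c42; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flag -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the weaknesses of one Set-Cookie header; an empty list means OK."""
    cookie = parse_set_cookie(header_value)
    if not looks_like_session_cookie(cookie["name"]):
        return []  # not a session token, nothing for a sniffer to hijack
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser also sends the token over plain "
                        "HTTP, so anyone on the same WiFi can read it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the token")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("missing or weak SameSite: token rides on cross-site requests")
    return findings


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header, "->", audit_set_cookie(header) or ["OK"])
```

Run it against the Set-Cookie headers your own application returns; the Secure flag only helps when the site is actually served over HTTPS, so it belongs together with an HTTPS-only deployment.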

