Yesterday on German TV, a smartphone session hijacking app was introduced (provided via Cydia). "Stern TV" showed how a smartphone session can be hijacked easily when the device is logged in on a public WLAN. With this app it seems to be possible to spy on other smartphones, iPhones and notebooks within the same WLAN (Spy-App / Spionage-App), so a personal Facebook account can be taken over by a stranger.
On the programmer's homepage I can read: "was developed as a tool for testing the security of your accounts and is based on my Bachelor thesis with the title 'Session Hijacking on Android Devices'."
OK, that is fine. But why is it so easy to create such a smartphone hijacking app? Searching the web I found several other packet sniffer apps. With all of them, hijacking within an open public WLAN is possible!
It seems that a smartphone session hijacking defense app also exists – DroidSheepGuard – but does it really protect? Is it safe?
Why does no “https everywhere” exist?
Use HTTPS wherever it is possible! It seems that the following services do not provide HTTPS by default, so be careful when using them in a public WLAN:
- YouTube
- Amazon
- VKontakte
- Tumblr
- MySpace
- Tuenti
- MeinVZ/StudiVZ
- Blogger
- Nasza-Klasa
On the topic of HTTPS, Google seems to be pretty good (but you have to be logged in – when your operating system is Android, you usually are logged in to Google).
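As an added example (not from the broadcast or from the app's author), a small Python audit of what a site returns to a plain http:// request: whether it redirects to HTTPS at all, and whether its session cookie carries the Secure attribute so the browser never sends it over the cleartext link that a packet sniffer on the WLAN can read. The sample responses and the cookie-name heuristic are constructed assumptions, not captures from the services listed above.

```python
"""Audit a plain-HTTP response for the two things that make session hijacking
on an open WLAN possible: the site serving content over HTTP instead of
redirecting to HTTPS, and a session cookie without the Secure attribute."""

SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "login", "token")  # assumed heuristic

def parse_response(raw: str):
    """Split a raw HTTP response (status line plus headers) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers; any body is ignored
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_cookie(set_cookie: str) -> list:
    """Return problems for one Set-Cookie value if it looks like a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    if not any(hint in cookie_name.lower() for hint in SESSION_COOKIE_HINTS):
        return []  # not a session cookie by our heuristic
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over cleartext HTTP
        problems.append(f"{cookie_name}: missing Secure (also sent over plain HTTP)")
    return problems

def audit_http_response(raw: str) -> list:
    """Audit the response to an http:// request; an empty list means nothing to report."""
    status, headers = parse_response(raw)
    location = dict(headers).get("location", "")
    problems = []
    if not (300 <= status < 400 and location.startswith("https://")):
        problems.append("plain HTTP served without redirect to HTTPS")
    for name, value in headers:
        if name == "set-cookie":
            problems.extend(audit_cookie(value))
    return problems

# Constructed sample: logged-in page served over HTTP with an unprotected cookie
WEAK = "HTTP/1.1 200 OK\nContent-Type: text/html\nSet-Cookie: sessionid=abc123; Path=/\n"
# Constructed sample: HTTP request redirected to HTTPS, cookie marked Secure and HttpOnly
HARDENED = ("HTTP/1.1 301 Moved Permanently\nLocation: https://example.test/\n"
            "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\n")
```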