Android app brings cookie stealing to unwashed masses
A developer has released an app for Android handsets that brings website credential stealing over smartphones into the script kiddie realm. FaceNiff, as the Android app is called, can be used to steal unencrypted cookies on most Wi-Fi networks, giving users a point-and-click interface for stealing sensitive authentication …
And this is why full disclosure is the right thing to do. If you don't do it, the big firms never fix anything. If you do, things get fixed. It's a no-brainer.
If it was called GooNIff and sniffed the (previously unencrypted) Google authentication tokens, would Google remote kill the application?
Even with the fix (has it gone everywhere?) it should be possible to use the same ARP poisoning used in this one to convince the Androids to stupidly fall back on HTTP.
Guess there's only one way to find out.
"Even with the fix (has it gone everywhere?) it should be possible to use the same ARP poisoning used in this one to convince the Androids to stupidly fall back on HTTP."
The fix was server based according to this[1] article - so I assume the fix went along the lines of forcing encryption on the server.
"The server-side fix addresses an implementation error in earlier versions of Android, which is used by more than 99 percent of those using the mobile operating system, according to Google figures. Versions 2.3.3 and earlier failed to transmit authentication tokens over an encrypted channels."
1. http://www.theregister.co.uk/2011/05/18/google_android_security_fix/
It's a big problem that today's society doesn't follow up on information and just take journalists or bloggers word for it. Even though Mr Goodin tries somewhat, he like others have deadlines or other issues to attend and thus takes shortcuts.
Going back to the source of the original article (Uni Uulm), they have now posted:
"Google announced that they are going to fix the issue also for devices with older Android versions. The fix does not require an update of the Android OS and will be transparent to the user. So, as far as we know, users will not get any feedback when the update will be available on their devices. The fix is based on a changed configuration file for Google services on the device. The update mechanism might be similar to the application removal or Android Cloud to Device Messaging (C2DM) features. The update will only ensure encrypted synchronization of Calendar and Contacts. The Picasa synchronization, which was integrated in Android 2.3, will remain unencrypted.
Note: The fix will not prevent the reuse of already captured authTokens. So if you think that you were compromised, e.g., some contacts or events changed or disappeared, you should immediately change the password of your Google account. This will render all existing authTokens for this particular account useless." [1]
So
1) Picasa is still as bad as it was
2) Calendar and Contacts just require a bit more skill as it wasn't really a server side thing, just a configuration update on the devices.
Learn to be a bit more critical of the sources you read.
[1] http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html
So when is El Reg going to support always-on SSL (or even sometimes on) for the comments?
So we can read what we like without fearing that BT/Phorm, Vodafone/Bluecoat, or TalkTalk/Huawei or any other bent ISP can monitor, censor, or interfere with the articles here?
If only to save your revenue. One of those three bragged they were capable of rewriting ads on the fly... to make them 'more relevant'.
C'mon Reg. You're supposed to be savvy. You know what these evil crooks are doing. Set an example.
It is time to encrypt the web.
when I can run AirCrack on my Android. Sniffing cookies is one thing. Playing with the network would be a lot more fun. ;-)
It's been time for always-on SSL since about 2005.
But SOME companies still refuse to move to it.
If SSL certificates were not such a cash-cow for Verisign and the likes, SSL might have been adopted earlier. We need a trusted root provider that doesn't charge (excessively) for a couple of bytes - maybe one of the Universities could do it?
..the main issue is around stopping unencrypted traffic (not proof of server identity). Therefore any cheap/free certificate authority will suffice for most sites. Admittedly they SHOULD be ensuring their identity also (so should be using a trusted authority) but would you care for sites like El Reg? Not really - even a cheap Comodo cert would do to enable the encryption.
I always find it better to use a tunnel for any connection, the WPA2 hotel network is worse than open access as peple somehow trust it, and the DNS poisoned caching, URL rewriting, transparent proxy connection to their online banking account.
Unless it's all wrapped up in a tunnel you may as well have no security at all.
Sign up, sign up for The Register's weekly IT security newsletter - click here
