Using WiFi became a little more risky once FireSheep was introduced, a simplified way to snatch authentication info out of wireless packets, and a few big companies (Facebook, Twitter) responded by enabling HTTPS-by-default settings to mitigate the problem. The next incarnation of this threat has made its way to Android smartphones through an app called FaceNiff.
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.
It is possible to hijack sessions only when the WiFi network is not using EAP, but it should work over any private network (Open/WEP/WPA-PSK/WPA2-PSK).
It’s kind of like Firesheep for Android. Maybe a bit easier to use (and it works on WPA2!).
Even if you’re not interested in this app for educational purposes, it should serve as a reminder to be careful on wireless networks and use SSL whenever necessary. Even WPA2 wireless connections are susceptible to FaceNiff, though it does require being connected to the same wireless network: WPA2-PSK encrypts traffic between the client and the access point, but anyone holding the same pre-shared key can decrypt it, so a session cookie sent over plain HTTP is still readable by other users of that network.
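The defensive counterpart to the reminder above is checking whether a site's session cookie can actually travel over plain HTTP. The following Python is an added example, not FaceNiff's code or anything from the FaceNiff site: it inspects a server's response headers and reports cookies that lack the `Secure` flag (so they would be sent in the clear to any `http://` link on the same site), cookies without `HttpOnly`, and whether a `Strict-Transport-Security` header is present. The two header sets and the cookie names (`sessionid`, `csrftoken`) are constructed for illustration.

```python
"""Audit HTTP response headers for session-cookie exposure on shared WiFi.

Added example (not FaceNiff code). A cookie without the Secure attribute
is sent on plain-HTTP requests too, which is exactly the traffic a
same-network sniffer can read. HSTS closes the remaining gap by making
the browser upgrade http:// links to https:// before they are sent.
"""


def parse_set_cookie(value):
    """Return (cookie_name, set_of_lowercased_attribute_names)
    for a single Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        key = part.split("=", 1)[0].strip().lower()
        if key:
            attrs.add(key)
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as received from a server.

    Returns a dict with:
      insecure_cookies   - cookies missing the Secure attribute
      no_httponly        - cookies missing HttpOnly
      hsts               - True if Strict-Transport-Security is present
      exposed_to_sniffing - True if any cookie could be sent over HTTP
    """
    findings = {"insecure_cookies": [], "no_httponly": [], "hsts": False}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings["insecure_cookies"].append(cookie_name)
            if "httponly" not in attrs:
                findings["no_httponly"].append(cookie_name)
        elif lname == "strict-transport-security":
            findings["hsts"] = True
    findings["exposed_to_sniffing"] = bool(findings["insecure_cookies"])
    return findings


# Constructed sample: a site that logs you in but sets its cookie without
# Secure/HttpOnly and sends no HSTS header.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "csrftoken=tok456; Path=/"),
]

# Constructed sample: the same site after hardening.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=tok456; Path=/; Secure; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs))
```

Run it against a real site by feeding in the `(name, value)` pairs from any HTTP client's response object; a non-empty `insecure_cookies` list means that session is readable on the kind of shared network the post describes, regardless of whether the login page itself used HTTPS.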
FaceNiff is available for rooted phones only. You can download the FaceNiff.apk from the FaceNiff site.
Confirmed to work on:
- HTC Desire CM7
- Original Droid/Milestone CM7
- SE Xperia X10
- Samsung Galaxy S
- Nexus 1 CM7
- HTC HD2
- LG Swift 2X
- LG Optimus Black – original rom
- LG Optimus 3D – original rom
- Samsung Infuse