Stealing Passwords With An Android App Is Easy: Learn How To Protect Yourself

You read that headline right: If you and I were on the same WiFi network, I could probably log in to some of your sensitive accounts — and I’m not even a hacker. This is thanks to an app for rooted Android devices called dSploit. You see, most websites out there nowadays use HTTPS instead of HTTP, and it’s that extra S that makes web surfing safe. But if any of the websites you use don’t use HTTPS, a hacker could get into those accounts using dSploit.

DSploit may sound pretty malicious then, but its intentions are surprisingly good. If you understand how other people could hack your information, you can learn to protect yourself. Please please please do not use any of the information in this article to steal other people’s information. Only test it on your own devices and accounts. Plus, it has some other features that are pretty fun just to play with.

So with that out of the way, what all can you do with this app? Read on to find out.

Steal Passwords

We’re all warned when logging onto public WiFi that our information may be viewable to others on the network. I’ve always seen that and thought that it would take a really advanced hacker to actually do that. I was wrong.

Turns out that it’s pretty easy. Good news is that most major websites use HTTPS, keeping your stuff safe from wannabe hackers using dSploit. Facebook, Twitter, Google, and most major websites all use HTTPS by default. In fact, in using this app, it was very difficult for me to find any website not using HTTPS by now. But I did find one: InterPals.

It’s smaller websites like these that people with malicious intent could access, should you happen to be on the same WiFi network as them. I don’t imagine you would have much sensitive information on InterPals (maybe you do — I don’t know you), but this could open up the gateway if your other security priorities aren’t in order.

For instance, do you have one password across all your accounts? That is dangerous. If a hacker gets a low-level password, like to InterPals, they could then access your bank website, Facebook, or PayPal account. You should try to vary your passwords as much as possible across your different accounts.

Hijack A Session

This is the slightly less capable cousin of the stealing passwords feature. Session hijacking allows the user to intercept information sent over WiFi and then access whatever page (login information intact) the victim was on. Again, this won’t work with HTTPS websites, but many websites only use HTTPS when sending sensitive login information, leaving other parts of the session open to hijacking, which is still relatively dangerous.

From my phone, I was able to hijack the Amazon.com session that was running on my computer. This gave me access to everything in my Amazon account. Terrifying, right? Well, the good news is that Amazon has you verify your password before major events like checking out, viewing your credit card info, etc. All I could really do was add items to my cart without ever buying them.

My main worry was initially with 1-Click ordering, Amazon’s fancy way of allowing you to buy items with just the push of a button. It turns out, though, that 1-Click ordering should really be called 1-Click-Then-Type-A-Password-Then-Click-Again ordering. So I wouldn’t worry too much about strangers hijacking your Amazon account. Still, the fact that they could log in as you without you ever knowing is eerie to say the least.

I also managed to hijack my college’s website session. Not a whole lot someone could do with this information except for seeing what classes I’m taking and maybe reading some of my submitted essays. Aside from being creepy and stalker-ish, this wouldn’t really affect me too terribly.

I could even hijack my session on the XDA Developers forums. But again, this doesn’t affect me unless the hacker just wanted to spam like crazy and get me banned.
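
The gap described at the start of this section, where a site protects the login with HTTPS but leaves the rest of the session open, can be checked from the defender's side by looking at the response headers a site sends. The following is an added example, not part of the original article or of dSploit; the header sample is constructed and the cookie names are hypothetical.

```python
# Constructed sample: headers from a hypothetical site that serves its login
# page over HTTPS but omits the Secure flag on the session cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=3f9a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=77ab; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

def parse_set_cookie(value):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or malformed."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            k, _, v = directive.strip().partition("=")
            if k.lower() == "max-age" and v.strip('"').isdigit():
                return int(v.strip('"'))
    return None

def audit(scheme, headers):
    """List findings that leave a session readable to others on the network.

    Every cookie is checked; deciding which ones carry the session is left
    to the reviewer.
    """
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if scheme != "https":
            findings.append(f"{name}: set over plain HTTP, visible on the wire")
        elif "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, sent on any later http:// request")
    # max-age=0 switches HSTS off, so it is treated the same as a missing header
    if scheme == "https" and not hsts_max_age(headers):
        findings.append("no HSTS: browser may still make http:// requests to this host")
    return findings

if __name__ == "__main__":
    for finding in audit("https", SAMPLE_HEADERS):
        print(finding)
```

A site that passes this check sets every session cookie with Secure and sends a Strict-Transport-Security header, so the cookie never crosses the WiFi network in plaintext.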

Replace All The Images On A Website

Now, this is the most fun part of this app. If you don’t care about security at all and just want to have some fun, download this app and connect to the same WiFi network as one of your friends. This feature is absolutely hilarious, and if you don’t believe me, here’s the MakeUseOf website with all the pictures replaced with a picture of me wearing a horse mask.

Come on, tell me that’s not funny. Horse masks just make you forget about all the world’s problems, don’t they?

Usability And User Interface

The app itself is pretty simple to use, but you’ll probably be better off if you have a good level of tech knowledge. There are many other features available in this app that I didn’t cover, including Trace, Port Scanner, Inspector, Vulnerability Finder, Login Cracker, and Packet Forger. If you’re a real security master, those other features may interest you, but for the average user, let me show you to the MITM (Man In The Middle) section.

The MITM section has all the features I went through before: Password Sniffer, Session Hijacker, and Replace Images. You can also do a Simple Sniff which will just log all the information coming through.

Redirect could be the most malicious thing here if this app fell into the wrong hands. The hacker could potentially redirect someone to a scam website that poses as Facebook or Google and asks for login information, or the victim could get one of those “Please Download Flash Now” pop-ups even though they’re pretty sure they’ve already downloaded Flash but they do it anyway and, BAM, virus.

Also, the app forces itself into landscape mode, which is infinitely aggravating. It would freeze for about 30-40 seconds every few seconds while sniffing for passwords or trying to hijack sessions, and it crashed my phone twice, causing it to reboot. That’s just my personal experience on my Galaxy S3, so your mileage may vary. For me, the app was too unstable to think about using it on a daily basis. I might just use it to prank my friends a bit, test my own safety, and then be rid of it.

Protect Yourself

Are you scared yet? Perfect, now just buy my anti-dSploit app for only 3 monthly payments of — I’m kidding, I’m kidding! The best way to protect yourself is to be especially careful when on public WiFi or even protected WiFi that you potentially share with untrustworthy folks like on a large university campus.

Always use HTTPS. There is a Firefox and Chrome extension called HTTPS Everywhere that will attempt to force all the websites you visit to use HTTPS. It’s not perfect, but it can help, and you can learn how to use the Firefox version in this handy article. If you have an absolutely most favorite website ever that seems to think HTTPS is too mainstream, avoid using it on public WiFi. I’m looking at you, InterPallers.

While on unsecure WiFi connections, be wary of redirected web pages. If you type in Facebook.com and Favebook.com comes up, asking for your login information or credit card to confirm your account, don’t do it! You can also use VPNs and tunnels which are described in more detail in this article.

We also have 5 Firefox add-ons that can help protect you and 8 Chrome extensions. There’s even a Firefox add-on called Blacksheep that can help detect apps like dSploit on the network. Remember, always practice safe web browsing.

Have you ever had your information stolen over a public WiFi network? Any other tips for staying safe out there? Let us know in the comments!

2 Comments

Johann

And watch out if you’re even on your own network should you be using your default SSID and password because there’s plenty of tools to generate default passwords for common routers like those supplied by BigPond.

Sassah122 S

I agree. You should always change your default router password.