Is the Android Facebook app safe from session hijacking apps like FaceNiff and DroidSheep?

Basel Hamadeh April 21, 2012

When using a public WiFi hotspot, I usually use Orbot on my Android phone to keep my accounts secure when surfing the internet from session hijacking apps like FaceNiff and DroidSheep etc. But it gets really slow sometimes.

So how secure are Facebook, Twitter and Google+ apps on Android phones?

  1. Alex Perkins
    September 14, 2012 at 9:39 pm

    If you can, I would suggest using your mobile internet.

  2. GamerJunkdotNet
    May 6, 2012 at 3:33 am

    Anytime you use public WiFi you place yourself at risk. It is strongly suggested that you do not use public WiFi.

  3. Mike
    April 22, 2012 at 11:00 am

    It's not more or less secure than using a Linux laptop (or whatever) on a public WiFi... just make sure to always use HTTPS in addition to Orbot (or any other onion routing or VPN network).

    For Facebook you can enable "Secure Browsing" in the Facebook Account Settings > Security.

    This should protect against pretty much all attacks on the Starbucks WiFi or similar. If you decide to use a public WiFi at ShmooCon or DEFCON I suggest not to use any logins...

    • Basel Hamadeh
      April 22, 2012 at 3:29 pm

       Thanks buddy, I am always on Tor on my phone.. Though most of my friends don't really root their devices.. So they can't use the Orbot software.. We are in Syria. And VPNs like OpenVPN are blocked by the government...

      I have tested all kinds of session hacking applications. FaceNiff, for example, can't hijack an HTTPS session, while DroidSheep does very easily.. I managed to hijack my Gmail within a couple of seconds while using it from a browser, but not through the Android app!!! And that's why I thought that the Facebook app could be secure :)

      I guess I will have to test it out to see.

      Thanks anyways

      • Mike
        April 22, 2012 at 3:57 pm

        Since I don't have an Android device I can't verify whether the Apps use SSL or not ~ but I believe they do simply for security reasons.

        What I can tell you is that DroidSheep cannot hijack SSL sessions.

        One thing to consider is e.g. even if you access Facebook using HTTPS some links may redirect you to the non-secure HTTP version making your session vulnerable. That is why the Security option I mentioned should always be set - it forces everything to be SSL encrypted.

        Not sure what happened to Gmail ~ where it leaked ~ SSL has been the default for quite some time now.
        Did you test it on a single device [running both DroidSheep and Gmail in a browser]? In that case DroidSheep could have captured data before it was encrypted.
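An added example (not from this thread) that checks, from the defender's side, for the weakness Mike describes: a session cookie that the server also lets the browser send over plain HTTP. It audits a response's headers for the Secure and HttpOnly cookie attributes and for a Strict-Transport-Security header; the cookie name `sessid` and both sample responses are constructed, not captured from any real service.

```python
# Added example (not from the thread): audit a server's response headers for the
# sidejacking risk discussed above. A session cookie without the Secure attribute
# is sent on any plain-HTTP request (e.g. after a redirect to http://), where
# anyone on the same WiFi can sniff and replay it. All values are constructed.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif attr:  # bare flag such as Secure or HttpOnly
            attrs[attr.lower()] = True
    return name, attrs

def audit_session_cookies(headers, session_cookie_names):
    """Return findings for session cookies that could leak over plain HTTP.

    headers: list of (name, value) tuples exactly as the server sent them.
    session_cookie_names: names the application uses for its session token.
    """
    findings = []
    if not any(h.lower() == "strict-transport-security" for h, _ in headers):
        findings.append("no Strict-Transport-Security header: browser will follow http:// links")
    for h, v in headers:
        if h.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if name not in session_cookie_names:
            continue
        if not attrs.get("secure"):
            findings.append(f"{name}: missing Secure (sent over plain HTTP, sniffable on open WiFi)")
        if not attrs.get("httponly"):
            findings.append(f"{name}: missing HttpOnly (readable by script in the page)")
    return findings

# Constructed login responses: one that leaks, one hardened as Mike recommends.
WEAK_RESPONSE = [("Content-Type", "text/html"),
                 ("Set-Cookie", "sessid=abc123; Path=/; HttpOnly")]
HARDENED_RESPONSE = [("Content-Type", "text/html"),
                     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                     ("Set-Cookie", "sessid=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_cookies(resp, {"sessid"}) or ["ok"])
```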

        • Basel Hamadeh
          April 23, 2012 at 10:47 am

          Well, I am as shocked as you are on this!! I was using Gmail from my laptop and DroidSheep on my Android phone.. And I had the session hijacked though I was on the main inbox page. No links were open or anything..
          The WiFi hotspot is mine as well.. It's a Linksys router using a WPA2 Personal key!!

        • Kannon Y
          May 4, 2012 at 4:26 pm

          Basel, anything you type into Android is completely insecure. Android has basically a keylogger built into it, so even if your connection with Facebook is encrypted, virtually everything you do there is observed.

          Strangely, when this was leaked in the US, very few people cared. It's believed that the FBI had been using Android's keylogger feature (called Carrier IQ) to access individual's accounts:

          I'm not sure how Syria may have bugged phones, but it could easily be done:

          I hope you're OK. Be careful!
