

1 Oct 2012

Hack accounts with DroidSheep for Android – and how to protect yourself


Free public WiFi gets most people excited, and few of them have any idea how exposed it leaves them. Browsing over a shared wireless network, especially an open one with no encryption, makes session hijacking easy: anyone on the same network can capture the cookies your browser sends over plain HTTP and reuse them. These days a hacker does not even need a laptop or a special program to take over your personal accounts. They can do it from an Android phone with an app called DroidSheep.
What is DroidSheep?
DroidSheep is a one-click session hijacking application for Android smartphones and tablets. It can be used to take over logged-in sessions on sites such as Facebook, Twitter, LinkedIn, Yahoo, and others, as long as those sites (or the pages you open on them) are served over plain HTTP. Because it needs raw access to the network interface, it requires a rooted Android device.

How does session hijacking work?

After you log in to a website, the site hands your browser a session cookie (a session id) and your browser attaches it to every later request. The server uses that id to decide which account a request belongs to, so whoever holds the id is, as far as the server can tell, you. On a shared wireless network every device is within radio range of every other, and over plain HTTP the cookie travels in cleartext. DroidSheep captures that traffic, pulls the session ids out of the HTTP headers, and lets the attacker open the same site with your cookie. If you log in to Facebook, for example, anyone running DroidSheep on the same network can use Facebook as you, and Facebook has no way to tell that the requests are not coming from you.



You do not even have to type a password for this to happen. Opening a page while you are already logged in (a saved login) is enough, because the browser sends the session cookie with every request to the site. Once a session has been hijacked, the attacker can snoop around the account and act on your behalf: read or send messages, post status updates or tweets, or change settings. The only good news is that the attacker never sees your password; they hold a copy of the session, not the credentials, so anything that asks for the password again stays out of reach.
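To make the mechanism concrete, here is an added example (written for this page, not part of DroidSheep or of the original post) of what a passive sniffer on the same network actually does with captured traffic: it looks at each TCP payload, keeps the ones that parse as cleartext HTTP requests, and records the Host and Cookie headers, which is all that is needed to replay the session. The packets, host names and cookie names below are constructed for the example; the TLS payload at the end stands in for the same page load over HTTPS and yields nothing.

```python
"""Added example: how a passive sniffer such as DroidSheep recovers a session
cookie from plain-HTTP traffic on a shared network.
Sample packets are constructed here, not captured; the host names and cookie
names are illustrative assumptions, not real site values."""

from dataclasses import dataclass


@dataclass
class HijackableSession:
    host: str
    cookies: dict


def parse_http_request(payload: bytes):
    """Return a HijackableSession for a cleartext HTTP request that carries
    cookies, or None if the payload is not HTTP (e.g. a TLS record) or
    carries no cookie."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            cookies[key] = value
    if host is None or not cookies:
        return None
    return HijackableSession(host=host, cookies=cookies)


def harvest_sessions(payloads):
    """Collect the first cookie-bearing request seen per host: exactly the
    information an attacker replays to impersonate the victim."""
    sessions = {}
    for payload in payloads:
        session = parse_http_request(payload)
        if session is not None:
            sessions.setdefault(session.host, session)
    return sessions


def forged_request(session: HijackableSession) -> bytes:
    """Build the request an attacker sends to reuse the stolen session.
    The server cannot distinguish it from the victim's own browser."""
    cookie = "; ".join(f"{k}={v}" for k, v in session.cookies.items())
    return (
        f"GET / HTTP/1.1\r\nHost: {session.host}\r\nCookie: {cookie}\r\n\r\n"
    ).encode()


# Constructed sample traffic: a cleartext request carrying a session cookie,
# an unrelated request with no cookie, and the opening bytes of a TLS
# ClientHello (what the same login looks like over HTTPS).
SAMPLE_PAYLOADS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
    b"Cookie: c_user=100001234; xs=abc123def456\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /weather HTTP/1.1\r\nHost: news.example.net\r\n\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32),
]

if __name__ == "__main__":
    for host, session in harvest_sessions(SAMPLE_PAYLOADS).items():
        print(host, session.cookies)
        print(forged_request(session))
```

Only the first payload produces a session; the cookie-less request is ignored and the TLS bytes never parse as HTTP, which is the whole point of the HTTPS advice later on this page.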

How do I use DroidSheep?

First, you need to download and install the application on your Android device. You can get an .apk from this forum thread. Then use the following steps:

Launch DroidSheep. On first use you have to grant it root access and accept the disclaimer.
Make sure that “ARP-spoofing” is ticked, then press “Start”. ARP spoofing makes the other devices on the network send their traffic through your phone, so you see requests that a plain listener on an encrypted or switched network would miss.
Keep the app running and wait for session ids to appear.
When DroidSheep picks up a session id, select it and open it as a website or as the mobile site. DroidSheep loads the site with the captured cookies, so the browser is logged in as the chosen person.

You can also save the cookies of a captured session and reuse them later, as long as the session is still valid on the server. If the victim logs out, the site invalidates that session id on its side, and the saved cookies stop working no matter which network you are on. Sessions that are never logged out (most people just close the tab) can stay usable for a long time.

Protecting your accounts from session hijacking (and DroidSheep)

Use DroidSheep on your own network. The app was developed to show which accounts are exposed to session hijacking. Run it against your own devices on a network you control and see which of your sites show up; those are the ones that still send your session cookie over plain HTTP. Do not run it on networks or against people you are not authorized to test.

Use SSL or HTTPS. When a website offers it, use HTTPS for the whole session, not just the login page (at the time of writing, Facebook and Twitter offered an “always use HTTPS” option in their account settings). TLS encrypts the request, including the Cookie header, so DroidSheep cannot read the session id off the air. Note the caveat: this only helps if every request to the site is encrypted. If the site sets the cookie without the Secure attribute and you open one http:// link (say, from an old bookmark or a redirect), the browser sends the cookie in cleartext and it can be captured.
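Whether HTTPS actually protects the session comes down to a few response headers, so here is an added example (not from the original post, and not tied to any real site) that audits them: it flags a session cookie set without Secure, one without HttpOnly, and a response with no Strict-Transport-Security header, and shows a weak response beside a hardened one. The header values are constructed for the example.

```python
"""Added example: auditing the response headers that decide whether a session
cookie can be sniffed on a shared network.
The sample responses are constructed; cookie and header values are
illustrative assumptions, not captured from any real site."""


def parse_set_cookie(header_value: str):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value: str):
    """Return findings for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser sends this cookie over plain http:// too,
        # which is exactly what a sniffer on the same WiFi is waiting for.
        findings.append(f"{name}: missing Secure, sent over plain HTTP")
    if "httponly" not in attrs:
        # Not a sniffing issue, but the same cookie is then readable by any
        # script injected into the page.
        findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings


def audit_response(headers):
    """headers: list of (name, value) pairs as received from the server.
    Returns a list of findings; an empty list means the session cookie is
    protected against capture over the network."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lower = name.lower()
        if lower == "set-cookie":
            findings.extend(audit_cookie(value))
        elif lower == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        # Without HSTS a plain http:// link to the site still produces one
        # cleartext request before any redirect to https://.
        findings.append("no Strict-Transport-Security, plain http:// links still reach the site")
    return findings


# Constructed sample responses: the weak configuration beside the hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123def456; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123def456; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["ok"])
```

The weak response produces three findings; the hardened one produces none, because the Secure attribute keeps the cookie off plain HTTP and HSTS stops the browser from making the cleartext request in the first place.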

Prefer apps that encrypt everything. Desktop and mobile browsers are equally exposed when the site is loaded over plain HTTP, because the attack is on the network, not on the browser. A site's official mobile app is often a safer choice, but only because most of them talk to the server exclusively over HTTPS; an app that uses plain HTTP is just as easy to hijack. Going incognito or private in your browser is useless here: it only affects what is stored on your own device and still sends the same cookies over the same open network.

Judene Macariola is a tech enthusiast who enjoys writing about gadgets and mobile applications. He also writes about health, modern lifestyle, and his business at Broadband Expert, a company that helps home owners and businesses find cheap internet.



© 2012. All Rights Reserved | MHT
