Why HTTPS in facebook is not what it claims to be

In October 2010, Eric Butler introduced “Firesheep” - an easy-to-use Firefox plug-in for session hijacking on Windows and Mac. It quickly generated a lot of hype and ethics discussion, although the attack itself was neither new nor based on exploits: it only uses data that is broadcast unencrypted over the wireless network.

In January 2011, facebook responded to the public pressure and added optional HTTPS support to its web site.

But there is one thing mobile users in particular should not forget: the HTTPS setting does not apply to m.facebook.com - there is no encryption at all for the mobile version of the facebook web site.

Another thing is the facebook Android app: facebook requires every developer who wants to use the facebook API in an application to use SSL for every request to facebook (LINK). This is ironic - they do not use encryption for their own API themselves!

The official facebook Android app sends its cookie and HTTP requests to facebook unencrypted, so DroidSheep can simply hijack the requests and the account - even if the user has HTTPS enabled.

So if someone uses the mobile website or the Android app (I don´t have an iPhone, but I can imagine there is no security in the iOS facebook app either), there is no way to protect the session against hijacking. This is very poor, facebook!
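An added audit script (not the author's code and not part of DroidSheep) that makes the point above checkable: given a constructed request log with the hosts named in this post, it flags every session cookie that crosses the wire without TLS, and it checks a Set-Cookie header for the Secure and HttpOnly flags; the cookie names and values are assumed placeholders.

```python
"""Audit constructed HTTP traffic for session cookies exposed in cleartext."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Placeholder session-cookie names (assumption: not any real site's names).
SESSION_COOKIE_NAMES = {"session_id", "auth_token"}

# Constructed request log as a capture tool might record it: (URL, headers).
# The hosts mirror the post; the cookie values are made up.
SAMPLE_REQUESTS = [
    ("https://www.facebook.com/home.php",        # HTTPS opt-in: protected
     {"Cookie": "session_id=abc123; locale=en_US"}),
    ("http://m.facebook.com/home.php",           # mobile site: no HTTPS
     {"Cookie": "session_id=abc123; locale=en_US"}),
    ("http://api.example.invalid/method",        # app API call over HTTP
     {"Cookie": "auth_token=tok456"}),
    ("http://m.facebook.com/favicon.ico", {}),   # no cookie: nothing leaks
]


def cleartext_session_cookies(log, names=SESSION_COOKIE_NAMES):
    """Return (host, cookie) for each session cookie sent without TLS.

    Every entry is readable by any station on the same open WiFi, which
    is exactly what Firesheep and DroidSheep demonstrate.
    """
    exposed = []
    for url, headers in log:
        parts = urlsplit(url)
        if parts.scheme == "https":
            continue                    # encrypted in transit
        jar = SimpleCookie()
        jar.load(headers.get("Cookie", ""))
        for name in sorted(jar.keys() & names):
            exposed.append((parts.hostname, name))
    return exposed


def missing_cookie_flags(set_cookie_header):
    """Map each cookie in a Set-Cookie header to the flags it lacks.

    Without 'Secure' a browser also sends the cookie over plain HTTP,
    so an HTTPS opt-in alone does not keep it off the air.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: [f for f in ("secure", "httponly") if not morsel[f]]
            for name, morsel in jar.items()
            if not (morsel["secure"] and morsel["httponly"])}
```

The same check applied to a real capture of your own device's traffic tells you whether an app's HTTPS option actually covers its session cookie.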

I made a short screencast that shows this lack of security.

Android Market removal

On Wednesday I received this e-mail from the Android Market team:

This is a notification that the application, DroidSheep [ROOT REQUIRED] with package ID de.trier.infsec.koch.droidsheep has been removed from Android Market due to a violation of the Developer Content Policy. Please review the Content Policies and Business and Program Policies before you create or upload additional applications. Note that repeated violations may result in a suspension of your Android Market Publisher account.

For more information, or to contact us, please reply to this email, or visit the Android Market Help Center.

Thanks,

The Android Market Team

So damn! DroidSheep had more than 17,000 users until then - why did they need more than six weeks to decide that DroidSheep does “not comply with their Policies”??
I responded to their mail and asked for more explanation. DroidSheep was not made as malicious software!
It neither uses a programming bug or exploit, nor does it decrypt anything by performing an attack.

So in my opinion, the main point is to show users how easy it can be to steal their identities! I read a lot of very surprised comments from people realizing how dangerous public WiFi can be.

Maybe they will respond to my mail, though I do not think they will change anything about their behaviour… :-(

This was what I wrote them:

Dear Android Market Team,

yesterday, my app “DroidSheep” was removed from Android Market. You claimed it violates the Developer Content Policy.

So in response to the removal, I read the policies very carefully, and I can imagine you treat DroidSheep as “malicious software”.
In my opinion (and in the opinion of most people talking about DroidSheep) this is not justified because:

- DroidSheep is a research project and does not intend to harm any person or their data. The main and only intention of DroidSheep is to make the Web more secure. There are very poor security properties on most websites, especially on big web services like FaceBook, Yahoo, ebay, … - they deal with millions of users´ data and force them to send this data over unencrypted, plain-text channels - and nobody knows that. (Even the FB Android app sends the session cookies unencrypted!!!)
I think, as a developer, it is my duty to help people gain knowledge of this. Most people are not aware of what happens to their data and are shocked when they see what is possible. This pressure (or the one generated by “FireSheep”) was the only reason for FB to implement SSL (opt-in) for their web service. SO PUBLIC PRESSURE WAS SUCCESSFUL!
DroidSheep neither decrypts any data by exploiting any issues, nor does it show any passwords or use SSL stripping. It uses the unencrypted data on the air. DroidSheep will never use any exploits.
- Users should have the possibility to find out how easy it can be to hijack their own account by trying it themselves. There are only two commands to execute in order to do DroidSheep´s work by hand - so it is not harder than using DroidSheep - but the technical barrier prevents most people from trying it, and therefore they never find out how unprotected their data is.
If you read the Market comments, there are lots of people who learned about security issues and do not use public WiFi from now on - THIS IS A GREAT SUCCESS of my work.

DroidSheep is also free and open source (hosted on Google Code) and tries to help people secure themselves (see www.droidsheep.de).
So I would greatly appreciate it if you would consider re-adding DroidSheep to Android Market in order to make the internet more secure.

Just as a note - Google is one of the few companies that set a very good example of how easily security can be gained. This article shows how easy and low-cost switching to SSL can be - and there really is no barrier to implementing SSL. (http://techie-buzz.com/tech-news/google-switch-ssl-cost.html)

So if you do not think DroidSheep can be on the Android Market, please tell me if there is any possibility to change DroidSheep's functionality to comply with the Market ToS, in order to make the internet more secure and tell people to care about privacy.

Thanks,

Andreas Koch