FaceNiff is an Android app that can be used to hijack web sessions on public or private Wi-Fi networks without the need for a computer. It can hijack logins to Facebook, Twitter, YouTube, Amazon and Nasza-Klasa (a Polish social network), and more services are coming soon. Thankfully, the app only works on certain handsets and requires jailbreaking, so it’s not going to fall into the hands of too many mischievous Android operators; at least, not yet.
Luckily, it’s easy to protect your social networking accounts. Facebook and Twitter allow you to enable secure HTTPS sessions by default, so an attacker on the same network can’t capture your session and post embarrassing status updates, or worse. On Facebook, simply go to the Account menu, select Account Settings, go to Account Security and tick the “Secure Browsing (https)” box. On Twitter, go to Account Settings and tick the “HTTPS Only” box.
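The settings above work because a session cookie that is only ever sent over HTTPS never crosses the Wi-Fi in cleartext. The following added example (not code from the article or from FaceNiff) shows the server-side counterpart: a small audit of a site's `Set-Cookie` header and a check of whether a given cookie would be transmitted on a plain `http://` request. Cookie names, values and URLs are constructed for illustration.

```python
"""Audit session cookies for the flags that keep them off a shared Wi-Fi in cleartext."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False    # only sent over HTTPS
    httponly: bool = False  # not readable by page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie with its flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in flags, "httponly" in flags)


def audit(cookie: Cookie) -> list[str]:
    """Return the weaknesses that let a passive sniffer or a script steal the session."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: the browser will send it on plain http:// requests")
    if not cookie.httponly:
        findings.append("missing HttpOnly: any script on the page can read it")
    return findings


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`?"""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "https" or not cookie.secure


def cleartext_exposures(headers: list[str], urls: list[str]) -> list[str]:
    """Names of cookies that would travel in cleartext on at least one of `urls`."""
    cookies = [parse_set_cookie(h) for h in headers]
    return [c.name for c in cookies
            if any(urlsplit(u).scheme.lower() == "http" and would_be_sent(c, u) for u in urls)]


if __name__ == "__main__":
    # Constructed sample: a session cookie issued without flags, and the same one hardened.
    weak = "sid=abc123; Path=/"
    hardened = "sid=abc123; Path=/; Secure; HttpOnly"
    print(audit(parse_set_cookie(weak)))           # two findings
    print(cleartext_exposures([weak, hardened], ["http://social.example/feed"]))  # ['sid']
```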
If you do own an Android phone and it’s running anything before Android 2.3.3, it’s vulnerable to a related attack. Any time you sign into Twitter or Facebook, your device stores an authToken that is easy for hackers to access. The hackers can set up an access point with a common SSID like “default”; if you turn on the Wi-Fi on your Android phone and have it set to automatically connect to previously known networks, it will try to connect to the access point the hackers set up. Your phone will then connect to Twitter and Facebook using the stored authTokens, making it easy for the hackers to nab the authTokens and gain access to your accounts. To prevent this, just de-activate the auto-connect feature in your Android’s Wi-Fi settings.
If you still want to use public Wi-Fi, you can invest in a virtual private network (VPN) service like StrongVPN. This allows you to tunnel all your network activity over an encrypted connection, where your accounts are safe from FaceNiff.