A developer has released an app for Android handsets that brings website credential stealing over smartphones into the script kiddie realm.

FaceNiff, as the Android app is called, can be used to steal unencrypted cookies on most Wi-Fi networks, giving users a point-and-click interface for stealing sensitive authentication tokens sent over Facebook, Twitter, and other popular websites when users don't bother to use encrypted SSL, or secure sockets layer, connections. The app works even on networks protected by WPA and WPA2 encryption schemes by using a technique known as ARP spoofing to redirect local traffic through the attacker's device. An attacker would have to know the security password, however.

To be sure, FaceNiff doesn't do anything that hasn't been done for decades, and based on a YouTube video and comments on an official support forum, the app seems to have its share of quirks. Programs such as SSLSniff, released years ago by Moxie Marlinspike, contain considerably more powerful capabilities even if they lack a smartphone GUI.

But by making it possible for ordinary Android users to hijack other people's Web 2.0 accounts, FaceNiff has the potential to be something like the smartphone equivalent of Firesheep, a Firefox browser extension that brought new urgency to the decades-old threat of using unencrypted web connections. FaceNiff lacks some of the automated features of Firesheep, but that could change with a few updates to the Android app.

Over the past year or so, Google, Facebook, Twitter, and Microsoft have upgraded a variety of their services to add always-on SSL, which is the only effective way to prevent the theft of authentication tokens. Those protections on several occasions have been found to be far from perfect, but they're a step in the right direction.

And they've been rolled out increasingly thanks to the growing awareness that comes from DIY man-in-the-middle tools like Firesheep. ®

Related stories

• Android app logs keystrokes using phone movements (17 August 2011)

  https://www.theregister.com/2011/08/17/android_key_logger/

• Facebook password reset coming to phone near you (8 August 2011)

  https://www.theregister.com/2011/08/08/facebook_mobile_password_reset/

• Eureka! Google breakthrough makes SSL less painful (19 May 2011)

  https://www.theregister.com/2011/05/19/google_ssl_breakthrough/

• Facebook caught exposing millions of user credentials (10 May 2011)

  https://www.theregister.com/2011/05/10/facebook_user_credentials_leaked/

• How is SSL hopelessly broken? Let us count the ways (11 April 2011)

  https://www.theregister.com/2011/04/11/state_of_ssl_analysis/

• Facebook traffic mysteriously passes through Chinese ISP (23 March 2011)

  https://www.theregister.com/2011/03/23/facebook_traffic_china_telecom/

• Security shocker: Android apps send private data in clear (24 February 2011)

  https://www.theregister.com/2011/02/24/android_phone_privacy_shocker/

• Tunisia plants country-wide keystroke logger on Facebook (25 January 2011)

  https://www.theregister.com/2011/01/25/tunisia_facebook_password_slurping/

• Hotmail always-on crypto breaks Microsoft's own apps (10 November 2010)

  https://www.theregister.com/2010/11/10/lame_hotmail_encryption/

• Firesheep flames cookie capture risks (25 October 2010)

  https://www.theregister.com/2010/10/25/firesheep_cookie_capture_peril/