[APP][2.1+] Wifi Protector v1.4.5 Wireless Security | Anti WifiKill | Anti DroidSheep


gurkedev

Senior Member
Nov 17, 2011
52
362
Nov 15 2013 Version 1.4.5 released.

This app is for those, who are tired of being kicked from the network by WifiKill. And for those, who are a little bit paranoid, because they know it's quite easy to read the Wi-Fi traffic with tools like DroidSheep, ettercap, FaceNiff, Cain & Abel and others. Such programs use the same technique to prevent you from accessing the network or to sniff your data. You can defend yourself with a single app.

What is Wifi Protector?
Wifi Protector is an Android security app specifically designed to detect and prevent ARP spoofing attacks against your phone in Wi-Fi networks.

How does it work?
Wifi Protector is continuously monitoring network related parameters. When abnormal behaviour is detected, an alert is triggered. The type of alert can be configured. Detection, basic protection and alert work on all phones. On rooted phones it is also possible to reconfigure the phone to make it immune against the attack.

Get it!
You can download the attached free version or get it for free from Google Play (mobile link).

Comments, questions, bug reports are welcome.

If you find the app useful please donate to this Bitcoin address: 19jqzdWFYTf5KZKnS6CJfG9vMX86ghysJQ



FAQ

Q: What is a MAC address?
A: The Media Access Control address is a hardware address of a network interface. Every device in the (Wifi) network has a unique MAC address.

Q: What is ARP?
A: ARP stands for Address Resolution Protocol. When two devices want to communicate via Internet Protocol (IP) in a (Wifi) network they need to know each other's MAC address. The ARP protocol is used to resolve the MAC address for a given IP address.

Q: What is the ARP cache?
A: The ARP cache is a temporary storage on your phone that holds pairs of IP and MAC addresses that belong together.

Q: What is ARP cache poisoning?
A: ARP cache poisoning is a method to inject false information into your phone's ARP cache by sending forged packets to the (Wifi) network.

Q: What is DOS attack (Denial Of Service) through ARP cache poisoning?
A: An attacker changes the ARP cache on your phone in a way that invalid MAC addresses are associated with certain IP addresses. Very popular is to inject a false MAC address for the default gateway of your phone. This is an effective way to prevent your phone from accessing the internet. The attack is very lightweight, so a single attacker can disturb large networks. With Wifi Protector on a rooted phone you are immune to this kind of attack.

Q: What is MITM attack (Man In The Middle) through ARP cache poisoning?
A: Like in DOS attacks an attacker changes the MAC address of your phone's default gateway in your phone's ARP cache. Instead of injecting an invalid MAC address he places the MAC address of his own device into the cache. If possible, he also poisons the ARP cache of the default gateway in the Wifi network and changes the MAC address associated with your phone's IP address in the gateway's ARP cache. If the default gateway is vulnerable, the attacker has established a full-routing MITM. He can now read and change everything you send and receive over the network, in some special cases even if you use encryption. If the default gateway is not vulnerable, the attacker has established a half-routing MITM. He can then read and change everything you send, but not the data you receive. With Wifi Protector on a rooted phone you are immune against half-routing and - to some extent - against full-routing MITM. In the full-routing MITM scenario Wifi Protector prevents the attacker from reading and changing everything you send, but not the data you receive. In any case you get an alarm.


Changelog

Code:
1.4.5
- OTHER: Added ACCESS_SUPERUSER permission

1.4.4
- OTHER: Changed su handling which fixes issues with outdated su binaries

1.4.3
- BUGFIX: Notification icon no longer disappears when "Clear notification" button is pressed
- FEATURE: Added option to force start at boot, which is useful on devices that don't signal Wi-Fi start at boot
- OTHER: Added CHANGE_NETWORK_STATE permission, which is required on some Samsung tablets running Android 3.2 in order to disable Wi-Fi on attack

1.4.2
- BUGFIX: Fixed ANR on some devices that happened in rare cases when app is started first time
- BUGFIX: Fixed rare FC when restarting service from Expert Perspective

1.4.1
- BUGFIX: If notification settings haven't been configured the notification icon disappeared if main activity was closed. Fixed
- OTHER: Improved error messages

1.4.0
- FEATURE: Notification icon can be hidden

1.3.0
- FEATURE: Wi-Fi can be automatically disabled on attack (optional). This is useful on non-rooted phones
- FEATURE: App can be brought to the front on attack (optional)
- OTHER: Improved compatibility with battery saving apps

1.2.0
- BUGFIX: Attack notification ringtone didn't honor phone volume on some devices. Fixed
- BUGFIX: Vibration didn't honor phone silent mode. Fixed and made it configurable
- FEATURE: All spoofing attempts are logged, including SSID, BSSID, Gateway IP, Gateway MAC, Attacker MAC, Attacker IP. Vendors are resolved and shown in detailed log view. Logs are cleaned automatically. Log size can be configured
- FEATURE: Expert perspective shows BSSID vendor as well as SSID
- FEATURE: On attack vibrate in a given pattern. Duration, repeats and gaps configurable

1.1.4
- BUGFIX: Fixed crash on ICS when Expert is selected
- BUGFIX: On ICS a wrong phone IP address was shown. Fixed
- BUGFIX: Fixed minor bugs
- FEATURE: Internal arp command included

1.1.2
- BUGFIX: Database cursor closing properly
- BUGFIX: If manually clearing gateway ARP entry fails, an error message appears
- BUGFIX: If manual countermeasures fail, an error message appears
- BUGFIX: BSSID mode attack detection precision improved
- FEATURE: Background image can be switched off to save RAM
- OTHER: OUI database performance improved
- OTHER: Unused permissions removed
- OTHER: Size of internal buffers reduced to conserve resources

1.1.1
- BUGFIX: Fixed wireless connection state handling
- BUGFIX: Fixed FC on wireless connection change
- BUGFIX: Fixed BSSID display in expert perspective

1.1.0
- FEATURE: IEEE 802.11 BSSID analysis. Detects the situation when a network is joined, which is already under attack.
- FEATURE: Three BSSID analysis levels. Light: Vendor compare. Deep: 5 octet compare. Extreme: Exact match.
- FEATURE: Expert perspective shows current BSSID.
- FEATURE: Home screen shows attack detection method.

1.0.0
- Initial public release.

MD5: WifiProtector-48.apk = 21bc43ba941a7f6bb75471e25e5dbd37
MD5: WifiProtector-46.apk = 5a2acdec7be1ea9faf1cfc3fb480d747
 

Attachments

  • screenshot_blue_240.jpg (21.4 KB · Views: 28,724)
  • screenshot_red_240.jpg (24.5 KB · Views: 29,841)
  • screenshot_expert_240.jpg (21.6 KB · Views: 29,253)
  • screenshot_settings1_240.jpg (28.3 KB · Views: 25,821)
  • screenshot_settings2_240.jpg (31.6 KB · Views: 23,816)
  • screenshot_settings3_240.jpg (29.9 KB · Views: 22,825)
  • WifiProtector-46.apk (1.6 MB · Views: 70,179)
  • WifiProtector-48.apk (1.6 MB · Views: 117,484)
Last edited:
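
The kind of monitoring the post above describes (watch the ARP cache entry of the default gateway and raise an alert when it changes), as an added example that is not Wifi Protector's own code. It assumes the Linux/Android `/proc/net/arp` text format; `GatewayWatch` and the status names are hypothetical, and the snapshots are constructed sample data.

```python
# Added example: passive gateway watch over Linux/Android /proc/net/arp dumps.
# Class name, status strings and the snapshots below are constructed for illustration.

ATF_COM = 0x02                      # kernel flag: entry is resolved
ZERO_MAC = "00:00:00:00:00:00"


def parse_arp_table(text):
    """Return {ip: mac} for the resolved entries of a /proc/net/arp dump."""
    table = {}
    for line in text.strip().splitlines()[1:]:        # first row is the header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if not flags & ATF_COM or mac == ZERO_MAC:    # still resolving: no evidence
            continue
        table[ip] = mac
    return table


class GatewayWatch:
    """Remember the first gateway MAC seen and report any later change."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.baseline = None

    def observe(self, arp_text):
        mac = parse_arp_table(arp_text).get(self.gateway_ip)
        if mac is None:
            return ("no-entry", None)
        if self.baseline is None:
            self.baseline = mac        # trusted on first sight, right or wrong
            return ("baseline", mac)
        if mac != self.baseline:
            return ("alert", mac)      # cache now maps the gateway to another MAC
        return ("ok", mac)


HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
CLEAN = HEADER + (
    "192.168.0.1      0x1         0x2         00:16:01:aa:bb:cc     *        wlan0\n"
    "192.168.0.244    0x1         0x2         00:15:af:00:00:00     *        wlan0\n"
)
POISONED = HEADER + (
    "192.168.0.1      0x1         0x2         00:15:af:00:00:00     *        wlan0\n"
    "192.168.0.244    0x1         0x2         00:15:af:00:00:00     *        wlan0\n"
)
RESOLVING = HEADER + (
    "192.168.0.1      0x1         0x0         00:00:00:00:00:00     *        wlan0\n"
)

if __name__ == "__main__":
    watch = GatewayWatch("192.168.0.1")
    for name, snap in [("clean", CLEAN), ("clean", CLEAN),
                       ("resolving", RESOLVING), ("poisoned", POISONED)]:
        print(name, watch.observe(snap))
```

Because the first MAC seen becomes the baseline, a watch started on an already poisoned cache records the forged address as legitimate.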

gurkedev

Senior Member
Nov 17, 2011
52
362
@Imjjames
One of the design goals was efficiency. Nonetheless the battery consumption is under your control by setting the Collection Interval.

With default value the consumption is about 1% on a Samsung Nexus S. You can reduce the consumption by increasing the Collection Interval.
 

ell3

Senior Member
Nov 4, 2011
52
27
Mu
Well done sir, now we have the first ARP-Watch on Android !!

I just tested against ettercap (pc) and it's working (running on Ideos stock rom):

When the network is clean and the pc starts spoofing, I get the alarm on phone correctly.
When the network is already under attack by the pc and I join in with the phone, I get no alarm as the app seems to flag the attacker as the legit router, and therefore when the attack stops, the app thinks that the real router is the attacker.

It happens that when I go to Expert and manually start-stop the service 3-4 times, the app stops responding or crashes, but then it respawns in a couple seconds ! Nice !!!

Let's just remember that this is effective against arp-based attacks, if someone is sniffing passively, this won't fire any alert and the sniffer can still capture your data.

Thanks for this app !
 

LJP1111

Senior Member
Jan 16, 2011
103
5
Well done sir, now we have the first ARP-Watch on Android !!

I just tested against ettercap (pc) and it's working (running on Ideos stock rom):

When the network is clean and the pc starts spoofing, I get the alarm on phone correctly.
When the network is already under attack by the pc and I join in with the phone, I get no alarm as the app seems to flag the attacker as the legit router, and therefore when the attack stops, the app thinks that the real router is the attacker.

It happens that when I go to Expert and manually start-stop the service 3-4 times, the app stops responding or crashes, but then it respawns in a couple seconds ! Nice !!!

Let's just remember that this is effective against arp-based attacks, if someone is sniffing passively, this won't fire any alert and the sniffer can still capture your data.

Thanks for this app !

Thanks for taking the time to test this. Will be interesting to see what this is capable of doing and any limitations.

Thanks to the developer too!

Sent from my GT-I9100 using XDA App
 

ell3

Senior Member
Nov 4, 2011
52
27
Mu
@OP Maybe this could be handy for an update: before running the main watching activity, make an arping on the net and warn about possible problems.

Normal arping reply:
Code:
00:16:01:AA:BB:CC at 192.168.0.1
00:18:4d:DD:EE:FF at 192.168.0.228
00:15:af:00:00:00 at 192.168.0.244

Arping reply when the net is under attack
Code:
00:15:af:00:00:00 at 192.168.0.1
00:15:af:00:00:00 at 192.168.0.182
00:18:4d:DD:EE:FF at 192.168.0.228
00:15:af:00:00:00 at 192.168.0.244
same MAC on different machines... hmmm... suspicious, maybe the attacker is already in.

what do you think ?
 
  • Like
Reactions: zomgitsanoob
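
The check suggested in the post above (one MAC answering for several IPs, the gateway among them), as an added example that is not part of the thread or of Wifi Protector. It parses the "MAC at IP" lines exactly as quoted in the post; the function names and verdict strings are hypothetical.

```python
import re
from collections import defaultdict

# One reply per line, in the "MAC at IP" form quoted in the post above.
REPLY = re.compile(
    r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+at\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.IGNORECASE,
)


def ip_key(ip):
    """Sort key that orders dotted-quad addresses numerically."""
    return tuple(int(part) for part in ip.split("."))


def shared_macs(scan_text):
    """Map every MAC that answered for more than one IP to the IPs it claimed."""
    claims = defaultdict(set)
    for line in scan_text.splitlines():
        match = REPLY.match(line)
        if match:                       # anything that is not a reply line is skipped
            claims[match.group(1).lower()].add(match.group(2))
    return {mac: sorted(ips, key=ip_key)
            for mac, ips in claims.items() if len(ips) > 1}


def assess(scan_text, gateway_ip):
    """Return (verdict, shared) for one scan taken right after joining."""
    shared = shared_macs(scan_text)
    if any(gateway_ip in ips for ips in shared.values()):
        return ("gateway-shares-mac", shared)   # gateway IP answered by a shared MAC
    if shared:
        # Can be benign (proxy ARP, one host with several addresses): report, don't alarm.
        return ("duplicate-mac", shared)
    return ("clean", shared)


# The two sample replies from the post above.
NORMAL = """\
00:16:01:AA:BB:CC at 192.168.0.1
00:18:4d:DD:EE:FF at 192.168.0.228
00:15:af:00:00:00 at 192.168.0.244
"""
UNDER_ATTACK = """\
00:15:af:00:00:00 at 192.168.0.1
00:15:af:00:00:00 at 192.168.0.182
00:18:4d:DD:EE:FF at 192.168.0.228
00:15:af:00:00:00 at 192.168.0.244
"""

if __name__ == "__main__":
    print(assess(NORMAL, "192.168.0.1"))
    print(assess(UNDER_ATTACK, "192.168.0.1"))
```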

avgjoemomma

Senior Member
Jul 15, 2010
488
76
This is a great idea! Can you give us more details on what changes you make for rooted phones to be protected? I have implemented most of the sysctl tcp hardening techniques already and want to make sure they won't get overridden.
 

avgjoemomma

Senior Member
Jul 15, 2010
488
76
Hmm, the WiFi Protector app and service are taking up 20MB RAM. If you can optimize it a bit and cut the RAM usage to 5 or 10 you'll get more love :p
 

gurkedev

Senior Member
Nov 17, 2011
52
362
When the network is already under attack by the pc and I join in with the phone, I get no alarm as the app seems to flag the attacker as the legit router, and therefore when the attack stops, the app thinks that the real router is the attacker.

It's true, when you join a network that is already under attack the app sees the attacker MAC as the MAC of the gateway. Although this will happen very rarely, there is a point on the roadmap to counteract this behaviour. Future version will build a local database of legit MAC-IP pairs of gateways in known networks. The database will be checked whenever you join a network. This way it is relatively easy to identify a network already under attack.

Update Nov 20 2011: Version 1.1.0 comes with IEEE 802.11 BSSID analysis and detects a network already under attack.
 
Last edited:
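
A join-time check combining the two ideas in the reply above, as an added example that is not Wifi Protector's code: a local store of gateway IP-MAC pairs for known networks, with a BSSID comparison as fallback for networks not yet stored. The thread only names the three analysis levels (Light: vendor compare, Deep: 5 octet compare, Extreme: exact match); that they compare the gateway's MAC from the ARP cache with the access point's BSSID is an assumption made here, and all names and addresses are constructed.

```python
# Added example. Assumption: "BSSID analysis" compares the gateway MAC found in
# the ARP cache with the BSSID of the access point the phone is associated with.

LEVELS = {"light": 3, "deep": 5, "extreme": 6}   # leading octets that must agree
HEX = set("0123456789abcdef")


def octets(mac):
    """Split a MAC address into six lowercase octets, rejecting malformed input."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 and set(p) <= HEX for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return parts


def bssid_agrees(gateway_mac, bssid, level):
    """Light compares the vendor prefix (OUI), deep 5 octets, extreme all 6."""
    n = LEVELS[level]
    return octets(gateway_mac)[:n] == octets(bssid)[:n]


def check_on_join(ssid, gateway_ip, gateway_mac, bssid, known, level="light"):
    """Classify the gateway entry seen right after joining a network.

    known is the local store {(ssid, gateway_ip): gateway_mac}, filled during
    earlier sessions; a stored pair always wins over the BSSID heuristic.
    """
    key = (ssid, gateway_ip)
    seen = ":".join(octets(gateway_mac))
    if key in known:
        return "known-match" if known[key] == seen else "known-mismatch"
    if bssid_agrees(seen, bssid, level):
        known[key] = seen              # remember the pair for the next join
        return "bssid-match"
    # Also reached when the access point is not the router; treat as a warning.
    return "bssid-mismatch"


if __name__ == "__main__":
    store = {}
    ap = "00:16:01:aa:bb:cd"           # constructed BSSID, one off from the LAN MAC
    print(check_on_join("home", "192.168.0.1", "00:16:01:AA:BB:CC", ap, store, "deep"))
    print(check_on_join("home", "192.168.0.1", "00:15:af:00:00:00", ap, store, "deep"))
    print(check_on_join("cafe", "192.168.0.1", "00:15:af:00:00:00", ap, store, "light"))
```

At the light level a forged entry from a device of the same vendor as the access point passes the comparison, which is the trade-off against the false alarms of the exact match.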

gurkedev

Senior Member
Nov 17, 2011
52
362
@OP Maybe this could be handy for an update: before running the main watching activity, make an arping on the net and warn about possible problems.

Inspecting the whole network is an idea that was discarded at an early stage. Doing so would require actively sending ARP who-has frames to the network (like arping or iproute2 does). The idea behind Wifi Protector is to defend a single device and not to produce load on the network in any way. However, the suggestion was noted. Thanks for that. Maybe - in the far future - the app can be extended to act as a network admin's troubleshooting tool...
 

gurkedev

Senior Member
Nov 17, 2011
52
362
This is a great idea! Can you give us more details on what changes you make for rooted phones to be protected? I have implemented most of the sysctl tcp hardening techniques already and want to make sure they won't get overridden.

No need to worry, your TCP hardening on transport layer won't get overridden by code on data link layer. Wifi Protector does not modify any frames that reach your layer.
 

avgjoemomma

Senior Member
Jul 15, 2010
488
76
Great, thanks for the response :) So, can you detail a bit about the countermeasures? I also have some iptables rules to help with SUNDAY and DDOS.
 

avgjoemomma

Senior Member
Jul 15, 2010
488
76
Oh and this might be a bit too nefarious but, would you be interested in adding a countermeasure? Once an attacker has been found you can pop up a nuke button that will either DDOS or SYN flood him :p
 

ell3

Senior Member
Nov 4, 2011
52
27
Mu
Oh and this might be a bit too nefarious but, would you be interested in adding a countermeasure? Once an attacker has been found you can pop up a nuke button that will either DDOS or SYN flood him :p

lol that would depend on OP's hat :) Detect - Protect - Prevent - Retaliate!!
I don't think that would be much 'ethical', though it could be 'educative' .... I wonder how many specific kernel dos you could trigger remotely on an Android phone... hmmm that would be a good fuzzing
 

aweaver33

Senior Member
Apr 17, 2011
109
12
Palm Bay, FL
I find it somewhat disturbing that a network vandalism app receives much more positive feedback than a network defense app. Right now WifiKill, which costs $3, has over 300 thanks vs. 5 for your free app. I, for one, thank you for your efforts.
 
  • Like
Reactions: gurkedev

Top Liked Posts

    15
    Version 1.4.5 has ACCESS_SUPERUSER permission. As usual your free copy is here.

    BTW: Today is Wifi Protector's 2nd birthday! Cheers!
    8
    Version 1.4.3 is ready and of course free for XDA users.

    Changes:

    • BUGFIX: Notification icon no longer disappears when "Clear notification" button is pressed
    • FEATURE: Added option to force start at boot, which is useful on devices that don't signal Wi-Fi start at boot
    • OTHER: Added CHANGE_NETWORK_STATE permission, which is required on some Samsung tablets running Android 3.2 in order to disable Wi-Fi on attack
    7
    v1.2.0 released today.

    It fixes issues with phone silent mode and comes with a new logging feature. Please see changelog for details.