
Help Security in Android apps

Hello,
I am Conrad, I am a new user of this forum.

I was wondering if anybody could hack accounts on Android apps. I mean, for example, we are logged in on the eBay or Facebook app, and we simply quit to the home screen without logging out, and also disconnect from the network and turn the network on again.

-To the point, is it technically possible for anybody to hack our session when we are logged in?

-Of course we're using WiFi in home with WPA2, not public hotspot.

-But what if we use the SIM card network, is that secure?
 
Welcome to the forum :)

It's probably easier for a random civilian to hack your home wifi than the cellular connection, though the spooks did successfully lobby to keep the security weaker than it was originally intended to be. It's certainly safer than a public hotspot.

Insofar as I understand your question, I can't see how the phone is any more vulnerable than a home PC using WiFi. Probably less so than many PCs. You are more likely to get the account hacked than the phone itself would be my feeling.

The qualification I would add is that if you download apps from dodgy sites, trust apps that ask for permissions which are way in excess of what they need to do their actual job, then you are increasing the chances of your phone being hacked considerably (same as if you download random apps on a PC because a pop-up ad told you to, or clicked on unknown attachments in random emails, you are making things easy for the people who want to hack your PC - except that unlike Windows malware, Android malware relies entirely on tricking you into installing it as an app, and can't propagate itself just because you opened an email or similar).
 
If I understand properly, public hotspots are the most dangerous.

But is it technically possible to hack WPA2?
If yes, I would apply MAC filtering, and set netmask rightly to connected PCs.
Is there any way to protect network and router from spooks?

The result for me is that:
-no downloading apps from unknown source. Only from Google Play.
-visit only trusted sites

What would you use for money transfer in a bank app? The safest for that would be the SIM card, I think.

BTW Is it possible to overhear packages from remote location?
For example, the spooker is in another country, he isn't connected into my router.

Tell me if you understand my English, because it isn't my native language :)
 
Is it technically possible to hack WPA2?

Yes, given enough time and processing power.

If yes, I would apply MAC filtering, and set netmask rightly to connected PCs.
Is there any way to protect network and router from spooks?

Whitelisting MAC addresses and using the strongest key possible, together with hiding the SSID, should protect from all but the most determined intrusion attempts. It's a matter of risk assessment... are you, or your data, worth the time/effort required to obtain it? The answer for most people is "no".
 
I see.
But is it possible to overhear packages, my session from remote location? for example the spooker is in another country, not connected into my local router.
 
I've got one more question :)
Is it secure when we quit from Facebook or another app to the home screen without logging out?
I don't log out from Facebook, but my phone is PIN locked and I don't lend it to anyone. So that's the best option if you plan on not logging out. Or lock the apps you want secured.
 
I also have a PIN.
But technically, when I'm plugged into WiFi or 3G, is it possible to take over my session when I quit to the home screen without logging out?
 
I guess so if you're a good hacker, it would be possible..
But nothing to really worry about
(who is really gonna be interested in your fb status or PMs with "that girl"?)
 
If your phone is thoroughly and completely compromised, maybe. But if it's that thoroughly owned then they'd have no need to "take over" your session when you put the app into the background as they could access your accounts any time they wanted.
 
What does the situation look like in bank apps? Is there any risk when I immediately leave the app without logging out? Is there any system in the app that logs out automatically after a few seconds?

I'll also add that my phone is clean and free of any Android malware.

But in a web browser on Android, on Facebook, is it possible to take over the session? As you know, my phone and WiFi are secured.
 
Yes of course it's theoretically possible. It has nothing to do with Android. Once the information is sent, it leaves the security of the device and is up for grabs. Think of it as throwing a ball, and the receiver is your bank and your data/session is the ball. No matter how much you protect the ball, once you throw it to give it to the bank, it's vulnerable. Nothing you can do can change that. Of course though there are securities on that ball to make it so that if anybody tries to catch it, they can't do anything with it. Plus the level of difficulty to do that is way way up. Plus they'd have to be targeting you specifically. They can't randomly pick out your data out of the mess out there.
 
I personally would sign out of a bank app after use, if I had one on my phone. Indeed I'd hope it would time out fairly quickly when not in use - you should be able to test that yourself easily enough (since it's unlikely we have the same bank, any test I did wouldn't tell you whether your bank did the same, so running your own test is the best bet).

That's not because I'd be afraid of someone "taking over" the session on my phone, but because phones can be lost or stolen and I would not want a banking app to still be signed in if that happened.
 
What does the situation look like in bank apps? Is there any risk when I immediately leave the app without logging out? Is there any system in the app that logs out automatically after a few seconds?

That would be up to the banking app, which should be using secure protocols to begin with. I would expect such an app to automatically log out any session that was inactive for (say) 10 mins, but then I'm too old-fashioned to actually use my bank's app. If I did need to access my account(s) from the phone I'd use a VPN connection to be doubly sure. :)
 