Hello!!

I can't understand how the facesniff, which is an Android application, can open
an interface e.g. WIFI and realise sniffing -
network monitoring without being run as root or having system priviledges. To do so,
an Android application should be
signed with the platform's key : http://stackoverflow.com/questions/6...s-root-android

How is this possible?? I am really wondering about that. Some time ago I tried to port
jNetPcap, so as to use it in an Android application for monitoring the WIFI. I successfully
ported it but I couldn't read the list of Android interfaces from its API and realise web
monitoring.. (see here for details: http://stackoverflow.com/questions/5...alldevs-method,
http://jnetpcap.com/node/792)

I am really wondering how faceniff faces this problem??
e.g. Shark for Android runs an instance of libpcap in the background and derives the
appropriate information from the pcap traces..

What faceniff do to get the information it wants, e.g. the web sessions?? I am
really curious about that.. Any ideas?

It does run as root. Also its not all "android". It has C in it as well. I don't fully understand it all but its not all Java (the android version. I forget what it is called but it begins with a D) and it does run as root which may help your problem.

Hope that help
GingerPaul

Gui is written in Java, but the engine is compiled C code which is executed by root. That's why it can do a lot of things to the OS (ARP Spoof, PCAP etc etc)

Thank you guys! I think it follows the classical approach as the Shark for Android does!

Hey GingerPaul,

you mean that there is a permission attribute in Android manifest that let you run an
Android Application as root??

This will help me for sure! If you know something about it, please tell me..

Thank you!

Sorry, that was me not adding enough punctuation.
"I forget what it is called but it begins with a D" - Its called Dalvik and it is a Java VM. That's the GUI. And the application runs a Binary with root permissions, is what I was trying to say.

Once again sorry for my lag of passion for the English language
GingerPaul

Ok, I know that the Java virtual machine that Android uses (I mean the Dalvik) is
different from the default Java virtual machine, but I don't understand what you mean
by saying "that's the GUI"... The person who wrote faceniff modified also the Android's
Dalvik?? and how is it possible? I know that you can't modify the Dalvik or force it
to adapt another behavior without using an attack by exploiting some vulnerability that
Android OS has, as for example with the "rageAgainstTheCage" attack..

I think it will be very interesting the source code of faceniff.. Hope someday to see it!

I'm starting to get confused.

The Android app (Dalvik VM) first gets root (so its now "admin"), it then executes a binary file like ponury said. Its that binary file that is doing all the work. The rest of the files is for the GUI.

So; Android app-> loads GUI -> Asks for root -> shows user the menu. -> User hits button -> Launches the binary file -> binary does all the work -> binary sends information back to android app -> the app shows the user via Toast and adds it to the list -> user clicks list item -> browser loads -> binary handles the http request and sends the set-cookie headers then forwards them to the real domain -> jobs a good one. -> browser has stolen a session.

I think that's about right.

Rename the apk to .zip and then extract it all. Go to ./assets/ and you'll see that there is a binary file as prove.

Hope that helps
GingerPaul

Thank you!

Yes, now I have understood the functionality of faceniff!