Android & Pineapple Avoidance

[teff]

I would be interested to know if this would work?

I have an android phone and tablet, I already run openvpn over ssl on both to force traffic through my home "server" (its a eeepc 701 running debian) but this takes a few seconds to reconnect on a connection change.

I use juice defender to manage my wifi on both devices, and although I could disable its control over wifi I wanted to have to do minimal connection management.

So I did some research and it seems androids gives highest priority to the most recently created wifi profile. I created a new profile with a random SSID that shouldn't exist in the wild and then created a tasker profile that triggers when it connects, pops up an alert and disables wifi.

Should this trigger as expected?

Profile
  Pineapple
    Wifi Connected "SSID=randomssid" > Launch task Pineapple

Task
  Pineapple
    # Set the local variable wific to the output of the system variabl wifi info (SSID, MAC, Channel, Speed of the currently connected network) 
    Variable Set > %wific = %WIFII

    Wifi Net > Disconnect
    Vibrate
    Notify "PINEAPPLE DETECTED!"

    # Write the current date, time, location (from gsm network) and output of wifi info (when disconnected from wireless it will have the info for all AP's in range)
    Write File > pineapple.txt >>
       =================
       %DATE - %TIME
       %LOCN
       %WIFII

    # Turn the wifi off here because the popup blocks task from continuing.
    Wifi Off

    # popup a custom scene and pass wific to it (my scene has a dismiss button and a enable wifi just in case)
    Popup > Text1=%wific

[digininja]

No idea if the actual script works but the concept seems pretty good. I've not used tasker, I'm guessing it is just a simple scripting app, if so the only problem I could see is how often it runs, too often and it will drain your battery quickly and may (not sure) disconnect you from your existing connection to try for the new random one. Not often enough and you could be connected for a while before you notice. It also only takes fractions of a second for automated scripts to notice the network connection is up and call home, if any of those have clear text credentials in them they may slip out before your script detects what is going on.

A very good attempt, better than anything else I've seen but maybe not perfect and I can't think of a usable perfect solution if you want to be able to use open wifi.

[teff]

No idea if the actual script works but the concept seems pretty good. I've not used tasker, I'm guessing it is just a simple scripting app, if so the only problem I could see is how often it runs, too often and it will drain your battery quickly and may (not sure) disconnect you from your existing connection to try for the new random one. Not often enough and you could be connected for a while before you notice. It also only takes fractions of a second for automated scripts to notice the network connection is up and call home, if any of those have clear text credentials in them they may slip out before your script detects what is going on.

A very good attempt, better than anything else I've seen but maybe not perfect and I can't think of a usable perfect solution if you want to be able to use open wifi.

Tasker is pretty efficient for most things and I'm pretty sure that the "wifi connected" trigger is from a system intent, so triggers pretty much instantaneously and should not be polling in between. Script definitely works and triggers, I temporarily added the open test network to my router and hardly had chance to look before it went off, I just wasn't sure if this would work well against a pineapple or similar device :)

I've also been pretty careful about the apps I have installed and I am pretty certain the ones that do have internet access are at least using SSL by default. I've wondered lately how possible it would be to modify a rom so that it can restrict a specified group of apps to only use the a certain network adapter. "Insecure" apps could only be allowed connections through the OpenVPN tun adapter then.

I think that if the pineapple were not to respond to the first attempt to connect by a client then it should completely negate this, its likely most people have more than one wireless profile and with android especially it will just kick through to the next most recently added profile and try to connect on that instead, but I presume this would screw up deauth attacks.

I think I can get round this though by having Tasker check the SSID and MAC against a text file and trigger if it doesn't have the AP on file or the MAC is different then disable until the user has validated it is a valid AP that can be added to the file. I could add location data in too, but it is not helpful for the "BT Openzone" or "BT Fon" networks where they exists all over the place and certainly would be a pain if you connect to anything portable you carry around.

[digininja]

If it is event based then it should work OK. I was going to suggest recording MAC against SSID but as you say, that isn't practical if you are using common public hotspots like Openzone or Starbucks.

[teff]

edit: arse, it doesnt append a new line character when it does a write line. actually I was using ';' where I should have had ','. Should work now

edit2: also the scene doesn't update when the button is pressed, not sure why.

edit3: fixed the scene updating by calling show scene instead of pop up dialog.

I think I have something fairly functional, though a native app might be more appropriate:

Profile:
    Pineapple:
        Wifi Connected: * > Launch Task: Pineapple

Tasks:
    Pineapple:
        # Clear the global %SSIDMAC
        Variable Clear %SSIDMAC
        # Launch task to fetch the SSID and MAC of the connected AP
        Task: getSSIDMAC
        # Launch task to check whether SSID and MAC exist in the database 
        # and if they match known combination. Return %isdb, 
        # 1 = AP exists, 0 = AP doesnot exist
        Task: CheckSSIDDB return %isdb
        # if the AP does not exist
        If %isdb <> 1
            # turn off wifi
            WiFi Set Off
            # notify user
            Vibrate
            Notify "Pineapple or Unknown AP!"
            # log to file
            Append file Pineapple.txt >>
                ====================
                %DATE - %TIME
                %LOCN
                %wific
                ----------------
                %WIFII
            # popup the Pineapple scene to allow the user 
            # to add it if safe. (blocks continuation of task
            # until the user closes the scene)
            Show Scene Pineapple scene > Show as Activity or Dialog
            # Destroy the scene
            Destroy Scene Pineapple
        End If

    getSSIDMAC
        Variable Set %wific To %WIFII
        # split %wific at all instances of "<<<" 
        # produces %wific1, %wific2
        Variable split %wific splitter "<<<"
        # set %ssid to everything after "<<<"
        Variable Set %ssid to %wific2
        # split %ssid at "Mac:"
        Variable split %ssid splitter "Mac:"
        # split with no splitter to clean up the 
        # whitespace %ssid12 contains just the ssid
        Variable split %ssid1
        # set %mac to everything after "Mac:"
        Variable Set %mac To %ssid2
        # split at "IP"
        Variable split %mac splitter "IP"
        # split again to clear whitespace, mac will be in %mac12
        Variable split %mac1
        # set the global %SSIDMAC to ssid,mac
        Variable Set %SSIDMAC to %ssid12,%mac12

    CheckSSIDDB
        # create counter
        Variable set %linen = 1
        # set label loop 
        label Loop:
        # read line number %linen in to variable %line
        Read Line %linen from file ssid.txt to %line
        # if %line == "EOF" the AP does not exist
        if %line == EOF return 0
        # split %line at ',' to give %line1 = SSID and %line2 = MAC
        Variable Split %line splitter ';' 
        # split %SSIDMAC at ',' to give %SSIDMAC1 = SSID 
        # and %SSIDMAC2 = MAC
        Variable Split %SSIDMAC splitter ','
        # do the SSID match?
        if %line1 == %SSIDMAC1:
            # if so then do the the MAC's match? Return 1 if they do
            if %line2 == %SSIDMAC2 return 1
        End If
        # if there is no match increment the counter
        Variable Set %linen = %linen + 1
        # and loop to the next line
        Goto label Loop

Scene
    Pineapple:
        -----------------------------------
         Pineapple or unknown AP Detected!    Text Box
        -----------------------------------
                     %SSIDMAC                 Text Box

        -----------------------------------

            file:\\/mnt/sdcard/ssid.txt       WebView

        -----------------------------------
                 _______________
                |   Enable AP   |             Button
                |_______________|
        -----------------------------------

    Button:
       Write line %SSIDMAC to end of ssid.txt
       Enable Wifi
       Refresh Webview
       Update Text1: AP Added!
       Hide button

Edited March 21, 2012 by teff

[teff]

If anyone wants the source files from Tasker I will happily attach them.

[shadowmmm]

yes pls.appreciate the time and effort everybodys does on this site.

[teff]

Will do, though still having issues with it, think there is a bit of an issue with file locking from the dialog popup. If the network is approved the wireless is enabled and it connects to the network again, this causes the pineapple task to rerun but still detect an unknown network.

Edited April 2, 2012 by teff

[barry99705]

Easiest way is to turn off wifi! :P Honestly, you actually use public wifi?