How to Secure Your Android's Wi-Fi

By Eric Geier

May 23, 2012

Android has a built-in VPN, but if that's not available you can set up an SSH Tunnel and SSH server that will work no matter where you are.

Using insecure Wi-Fi networks from your smartphone or tablet poses security risks similar to those of connecting from PCs and laptops. If the Wi-Fi connection isn’t encrypted, as is the case with most public hotspots, then any eavesdroppers nearby can intercept and see all your Wi-Fi traffic. This includes capturing passwords or hijacking logins to unencrypted sites (possibly Facebook, Twitter, and Web-based email) and services (perhaps POP3 or IMAP email and FTP connections).

Capturing passwords just got a lot easier

Capturing passwords from the airwaves has gotten a whole lot easier recently with the release of new tools, such as the Firefox add-on Firesheep and the Android apps FaceNiff and DroidSheep. With a few clicks of the mouse or taps on a phone, anyone can now hijack your logins to many unencrypted non-SSL sites.

To protect your Wi-Fi traffic when browsing and using the Web on your Android smartphone or tablet, you need to encrypt it. As with computers, you can connect to a VPN or SSH server to encrypt all your Internet traffic.

Secure your traffic via a VPN connection

Android has a built-in VPN client, supporting PPTP, L2TP, and IPSec with pre-shared key or certificates. But not all cellular service providers or manufacturers include it on their devices. To check if you have the VPN client, tap Home > Menu and touch Settings > Wireless & Networks, and then see if there’s an option for VPN settings. If so, you can connect to the VPN server at work or home, or sign up with a third-party hosting company. You could even set up your own free server with Windows, UltraVPN, or OpenVPN.

Secure your traffic via a SSH connection

If the VPN client isn’t included on your Android device, you could possibly use the SSH Tunnel app for connecting to an SSH server. However, it requires a rooted device. But rooting is now usually quick and easy with programs like SuperOneClick and Unrevoked.

SSH Tunnel also lets you bypass filters and geographic restrictions, which is great for use in places like China. In most cases, SSH servers are set up on servers and networking components to offer secure remote administration. For security reasons, you should probably use an SSH server that’s specifically set up for securing public network access instead. You could purchase a Web hosting package that includes SSH access or even set up your own SSH server with freeSSHd or SSHWindows.

Setting up a freeSSHd server and SSH Tunnel

Since you likely don’t already have an SSH server dedicated to securing your traffic on insecure networks, we’ll discuss setting up freeSSHd for this purpose. We’ll first set up the server and test the SSH connection from the Android on the same Wi-Fi network, and then we’ll prepare your network for SSH connections from outside your network so you can use it when out and about.

First, download and install freeSSHd onto a Windows PC. During the install, freeSSHd will prompt you to create the private keys for use with the encryption; go ahead and create them. It will also ask about running the program as a system service, which is probably what you want to do.

Once installed, an icon for freeSSHd should appear in the system tray, in the lower right corner of Windows. Click that icon to bring up the settings dialog. If you don’t see it, open the program from the Start Menu.

You can define the login credentials by adding a user in freeSSHd. Select the Users tab and click Add. For Authorization, select Password stored as SHA1 hash, and make sure you check the Tunneling option on the bottom.

Then to start the SSH server, select the Server Status Tab, and click the link to start the SSH server.

Now go to your Android device and open the SSH Tunnel app. For the Host, enter the local IP address of the Windows PC you installed the freeSSHd server onto. For the User and Password, enter the credentials you created in freeSSHd. Then make sure you enable the Use Socks Proxy and Global Proxy options. When you’re ready, tap the Tunnel Switch option on top to attempt to connect.

Server key not cached alert

The first time you connect, you’ll get an alert about the server key not being cached. Check to make sure the key displayed matches the one that was automatically set up on the freeSSHd server. On the freeSSHd settings dialog, select the SSH tab and refer to the RSA key value. If it matches, accept the alert in the SSH Tunnel app to cache the key. Then tap the Tunnel Switch option on top to attempt to connect again.
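As an added example (not from the original article, freeSSHd, or the SSH Tunnel app), the following Python code computes the two fingerprint formats OpenSSH uses for a server's public key and compares them with the value a client displays. It assumes the server key is available as an OpenSSH-style public key line; the sample keys are constructed filler rather than real keys, and all function names are hypothetical.

```python
import base64
import hashlib

def _ssh_string(data):
    # SSH wire format: 4-byte big-endian length, then the bytes.
    return len(data).to_bytes(4, "big") + data

def make_sample_key(modulus):
    # Constructed test input: filler bytes laid out like an ssh-rsa key, not a usable key.
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"

SERVER_KEY = make_sample_key(bytes(range(128, 256)))
IMPOSTER_KEY = make_sample_key(bytes(reversed(range(128, 256))))

def parse_pubkey_line(line):
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    # The type named inside the blob must agree with the text label.
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type label does not match key blob")
    return parts[0], blob

def fingerprints(blob):
    """Both display formats: legacy MD5 colon-hex and SHA-256 base64."""
    md5_hex = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def normalize(displayed):
    fp = displayed.strip()
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:].rstrip("=")   # base64 is case-sensitive
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.lower()                            # hex is not

def matches(displayed, blob):
    """True only if the displayed fingerprint equals one computed from blob."""
    return normalize(displayed) in fingerprints(blob).values()

if __name__ == "__main__":
    shown = fingerprints(parse_pubkey_line(IMPOSTER_KEY)[1])["md5"]
    print("accept" if matches(shown, parse_pubkey_line(SERVER_KEY)[1]) else "reject")
```

A mismatch on first connection means the client is not talking to the server whose key you generated, so the key should not be cached.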

If everything works on your local network, now you can set it up to work remotely. If your Internet connection (at the location where the freeSSHd server is) is assigned a dynamic or changing IP address, then you can sign up for a dynamic DNS service, like DynDNS. This gives you a hostname that always points to your Internet connection’s current IP address, once you set up your router to update the dynamic DNS service.

Before connecting to your server when away, you must configure your router to forward the SSH traffic to the PC where you’ve installed freeSSHd. Log in to your router’s Web-based control panel and find the virtual server or port forwarding settings. Then set it to forward port 22 to the IP address of the computer hosting freeSSHd. That way any incoming SSH traffic from the Internet will be forwarded on to the PC with the server.

Finally, you can go back to the SSH Tunnel app to change the Host from the local IP to your dynamic DNS hostname, or the Internet connection’s static IP.

Eric Geier is the founder of NoWiresSecurity, which helps businesses easily protect their Wi-Fi networks with the Enterprise mode of WPA/WPA2 security. He is also a freelance tech writer. Become a Twitter follower or use the RSS feed to keep up with his writings.
