1

I have a condition that I am far away from my laptop that I use to work. All I have is my Android Samsung J2. Sometimes I need to work remotely on my server, checking some stuff like traffic data, logs, and such.

I try using putty on my Android. There are many ssh apps like putty for Android.

Is it possible for the ssh apps to get my ssh user and password? Could the developer of that app collect credentials?

schroeder
  • 123,438
  • 55
  • 284
  • 319
gagantous
  • 193
  • 12
  • What do you think would prevent them from doing this? – multithr3at3d May 21 '18 at 15:43
  • @multithr3at3d because, i think everything that i download an app which come from trustworthy app store like `play store` or `qooapp` are totally safe. No scam. No phising and such because i thought it had been filtered by the mod of google playstore, so yeah... – gagantous May 31 '18 at 12:25
  • really? That sounds like a rather harsh assumption. – multithr3at3d May 31 '18 at 14:44

1 Answers1

4

There are malicious applications in the Google Play Store. Extracting your SSH login data like the password or the private key is possible for a developer of a malicious Android application. Once the adversary is in possession of your password or key, he can connect to your server.

Back in 2013 attackers created a trojanized version of PuTTY to steal SSH credentials.

Thus, you should only use trustworthy applications for your SSH connections.

fgk
  • 176
  • 5
  • and could you give me some example which one is the trustworthy app ? – gagantous May 31 '18 at 12:23
  • @gagantous I have no experience with SSH clients on mobile devices whatsoever. But if I needed to choose an SSH client I would probably go with an open-source application like [ConnectBot](https://connectbot.org/). You should do your own research though. – fgk Jun 01 '18 at 07:49