Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Android Security Cellphones Operating Systems Privacy Linux Technology

Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com) 122

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEMs smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."
This discussion has been archived. No new comments can be posted.

Open Ports Create Backdoors In Millions of Smartphones

Comments Filter:
  • by SmilingBoy ( 686281 ) on Friday April 28, 2017 @08:36PM (#54323115)
    Is there a list of the problematic apps that they found? Their paper - which can be found here: http://web.eecs.umich.edu/~jac... [umich.edu] - lists a few example, but it would be useful to know the full list.
    • ES File Explorer (Score:5, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday April 28, 2017 @09:12PM (#54323235) Homepage Journal

      ES File Explorer is apparently the poster child.

      I am now using Solid Explorer which is just as good in all the other ways

      • by Anonymous Coward

        ES has been a spying piece of shit for a couple years now.

    • by nyet ( 19118 )

      This is exactly what netstat -l is good for.

      https://play.google.com/store/... [google.com]

      Granted, if it is a transient listen(), netstat -l won't catch it (e.g. something is required to trigger the listen), but long lived, persistent listen()s will show up.

  • Open ports by themselves don't constitute a security risk. How do you think computers communicate? Magic? "Security researcher" is the new term for failed CS majors.
    • Re:Open ports (Score:5, Informative)

      by nyet ( 19118 ) on Friday April 28, 2017 @09:36PM (#54323299) Homepage

      Can you suggest a reason why a smartphone application should listen on a port without you knowing it?

      • I don't need to know what ports have been opened by an app, as long as it works. It's what the app does with that connection that is of interest.

        I'd be more concerned with the app reporting back to HQ with whatever data they mine from your use of it.

        • by nyet ( 19118 )

          Once more, for what reason should an app call listen()? Be specific.

          • If I wrote an app that allowed you to transfer photos to the phone via a socket, how would the photos get transferred? Magic? Most server type process needs ports. Open ports aren't the problem. Closed source is.
          • by AK Marc ( 707885 )
            None. Though that doesn't address the issue that there has to be a vulnerability to exploit. If there's no vulnerability, more open ports don't decrease security.

            And you've illogically assumed that N+1 is always worse than N. By that reasoning, as we know windows are less secure than walls, no building should have more than one window. Everyone can share it. Any more than that must be, by nyet's definition, insecure.
        • Re:Open ports (Score:4, Informative)

          by Kokuyo ( 549451 ) on Saturday April 29, 2017 @06:49AM (#54324549) Journal

          Well, if my flashlight app wants to open a listening port on the network, that in and of itself seems fishy to me. Furthermore, the more services are listening for connections, the higher the chance that one of them is badly coded and will allow an attacker to get access to my data.

          • Why is that more fishy then it connecting to a server in China and sending all your data there? What is the difference? You are installing a closed source app. It could be doing anything. If you were concerned about your data, why would you install a flashlight app from a random person?
          • by AK Marc ( 707885 )
            You don't need an open port listening to scrape all your data and send it away. So why do the open ports matter more than the general security?
            • Sure, the app maker may scrape all your data and send it to their server. How is it in any way better to then leave a port open so that anyone can try and compromise your device and grab a copy for themselves?
              • by AK Marc ( 707885 )
                With no apps installed, there'll be open ports. So it's up to you to prove that one more open port will greatly diminish the security of the device. And zero open ports still allows an malicious app to send everything to a central server, so the issue of "malicious apps" indicates they wouldn't need (or want) open ports.
      • by Anonymous Coward

        Because you're going to get really tired of being notified real fast.

      • Because it's essential for its operation, for example?
        • by nyet ( 19118 )

          Why should an app call listen()? For what operation?

          • It depends on what the app does. It may be essential for the service it provides. 2 examples I use frequently - SSH Server and XServer XSDL.

            • by nyet ( 19118 )

              We're not talking about server apps like sshd.. Obviously that would listen on 22. We're talking about random apps that call listen without your knowledge.

              • Any "app" you download can do ANYTHING THEY WANT without your knowledge. If you cared about security you wouldnt use them.
          • Uh...for communicating with a peer? Just saying... Unless modern computers are capable of telepathy somehow.
          • by AK Marc ( 707885 )
            Why do you pretend P2P doesn't exist? I guess every P2P app should be blocked because you can't think of a good reason for P2P to exist.

            How would you have IoT? Every device calling to a paid central server that can lock you out of your house/garage if you give them a bad review? Or a secure P2P communication so your devices can talk to each other without using ransomware, I mean central server?
      • Who said anything about "you knowing it"? You run closed source software, that is what you get. You don't know what an app is doing? My comment said nothing about that.
      • Probably the same reason why an app to connect to your blood pressure machine via blue tooth to retrieve readings needs access to your images, contacts, email, and account information. If you can figure that out, let me know too. But my best guess would be to update or change the advertising and track you (and the ads displayed) should you disable internet access for the app itself (say a card game that only needs internet for advertising).

    • Open ports by themselves don't constitute a security risk.

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      If a port is opened on an Android device, that 100% means that an app opened it for some reason, which means that 100% there is for some period of time going to be a service running that receives on that port. Maybe the user deletes the app but why would they? Most people wouldn't bother. Many probably do not even know HOW.

      So

      • This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

        I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.

        • This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

          I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.

          Meh, howbow you explain how open ports are not a security risk instead of calling anyone who you disagree with "stupid".

          • open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.

            In a server environment when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role because what is important is what is listening on the open port. When you have something not needed listening, you are not only chewing up resources the s

            • when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role

              When you have something not needed listening [ ... ] allow attack vectors that are not monitored as closely

              what you install needs a port open, it isn't a bad thing unless what you install is insecure or malicious

              So on a dedicated server there's really no need to close unneeded ports. Simply don't install anything insecure or malicious on your server and everything will be fine.

              • Simply don't install anything insecure or malicious on your server and everything will be fine.

                And never never ever get a virus or malware. It'll be okay. As long as everything is on the up and up, you'll have no problems.

              • If you are willing to monitor all the software that uses those ports for security bugs, access attempts and so on and ensure that they are legitimate and safe, then no, there is no need to bother closing unneeded ports. At the same time, if they are not needed, then why have them open in the first place and make your life a lot harder? Best practices would dictate closing the unneeded ports simply because of how resource consuming and the effort needed to keep up with them.

            • open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.

              that "as long as" comment is what makes all the difference in the world.

      • What? That makes no sense. What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing. An Android device is just a computer. Really, people are stupid.

        "If a port is opened on an Android device, that 100% means that an app opened it for some reason"

        Really? Genius. You must be a "security researcher".
        • What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing.

          That is absolutely correct, and we all know that personal computers are rife with security flaws.

          Part of that is because services are sitting at a number of different open ports, every service that is doing so increases the chances of a successful attack vector being present on your system,

          So now we bring forward this same, known to be failed and dangerous, security model to the p

      • by gweihir ( 88907 )

        I fully agree. Even on servers, one of the first things you do in a hardening-review is to scan for open ports and then evaluate the security of the software that opens each port. An App is likely to be horribly insecure and one has to ask what business _client_ software has opening listening ports in the first place.

        Of course, all that requires a bit of actual security knowledge. There are far too many wannabes that think they understand IT security. Probably the reason so much software is insecure.

        • "evaluate the security of the software that opens each port"

          Unless you are running open source you aren't evaluating anything. An "app" can do WHATEVER IT WANTS. Any closed source software can. Who cares about "open ports"? You don't know what the software is doing. It could steal all your information and connect() to a server in China. And you care about "open ports"?
          • by gweihir ( 88907 )

            You really have no clue how this works. You are only heaping more egg on your face.

      • by swb ( 14022 )

        I wonder if a possible explanation is just sloppy coding by app programmers, cutting and pasting huge swaths of code, libraries, etc, that they don't understand to get one function.

        Even the *programmer* doesn't know what ports they're cut-and-pasted code is opening.

        • Possibly. A rogue app would just open a connection to china anyway and send your data that way. It wouldn't listen for incoming connections since phones are mostly behind carrier NAT. Worrying about open ports is silly. You don't know what the hell the app is doing.
      • Open ports by themselves don't constitute a security risk.

        This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

        So I wasn't the only person who read that as absolute assholery. An open port is always a security risk.

        Almost as big a risk as someone declaring it isn't a risk.

    • Re:Open ports (Score:5, Informative)

      by nyet ( 19118 ) on Saturday April 29, 2017 @12:40AM (#54323853) Homepage

      BTW that is absolutely false. While an already open (and active) point to point connection is relatively hard to compromise, an application that is listen()ing on a port can be compelled to accept data from any source, at will, and repeatedly.

      This makes buffer overflow (or other remote exploits) attacks trivial to both test and execute successfully.

      • by gweihir ( 88907 )

        Indeed. Methinks some people here do not understand the difference between a listening port and a port used in an active connection.

        • I've written more client server software than you have. Once you install a closed source "app" on your phone it can do whatever it wants. "Open ports" by themselves don't consititte a security risk. That is (mostly) how computers communicate.
          • by gweihir ( 88907 )

            I doubt that very much. If you actually had written any such software in any real sense, you would not write such nonsense. And incidentally, you have no idea how much networked software I have written.

          • by nyet ( 19118 )

            Did you actually read my post?

      • Really? You do realize your computer has dozens of "open ports" right now, right? How do you think computers communicate? Magic? Open ports are not by themselves a security risk.
        • Open ports are not by themselves a security risk.

          Not by themselves, but there's no such thing as an open port by itself. We're obviously talking about listening, so we need not discuss ports opened outward, although there are definitely ways to compromise an application in reverse, so opening a TCP connection outward is an opportunity for an incoming attack, if you connect to a host which is malicious (whether inherently, or because it has been compromised.) But at minimum, listening ports provide an opportunity to attack the networking stack of the devic

        • by nyet ( 19118 )

          I would not hire you for any networking job.

    • by gweihir ( 88907 )

      Actually, given that most software (except some carefully hardened server software) is insecure, an open port is very much a risk if it connects to an app.

    • by Anonymous Coward

      "Security researcher" is the new term for failed CS majors.

      The paper linked from the /. story explains how they analyzed the apps to check the vulnerability of the open ports. The paper is perfectly aware that open ports themselves are not necessarily dangerous, but emphasizes that roughly half of the smartphone apps that open ports do not secure them against attacks.

      If "security researcher" is the new term for failed CS majors, what is the new term for people who criticize a paper without reading it?

      • what is the new term for people who criticize a paper without reading it?

        Do we really need a new term? Can't we just keep calling them Slashdotters?

  • How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.

    • by Anonymous Coward

      How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.

      Sounds like something that would require you to have administrator privileges to your phone. The powers that be (Google, Apple, Samsung etc.) have decided that this is an "insecure" configuration ("insecure" meaning it would allow you to be able to control your own damn phone)...

  • by divide overflow ( 599608 ) on Friday April 28, 2017 @08:55PM (#54323183)
    I searched the PDF of the paper and found no mention of either Apple or iOS, but Android and Java are mentioned multiple times.
  • by dknj ( 441802 ) on Friday April 28, 2017 @10:51PM (#54323585) Journal

    How many people root their Android device? Has anyone looked into SuperSU and how the simple su binary works? Nope.

    The su binary that is passed around for all rooted Android distros has no source. It is maintained by a random person with financial motivation to not be conservative with your privacy or security.

    I don't think Android users really care about backdoors to be honest

    • by nnull ( 1148259 )
      The problem is worse than that. Almost every damn ROM wants to include it. The more I use an Android device, the more I hate it. If it's not Samsung wanting to spy on me, it's some asshole that does when I want to root my phone. Switching to an Iphone just seems like the same problems exist there. Thing makes me feel like I'm using Windows 98 with all these applications that don't ever want to close and run in the background now, applications that seemingly seem innocent but probably are not.
  • firewall (Score:4, Insightful)

    by MrKaos ( 858439 ) on Friday April 28, 2017 @10:54PM (#54323591) Journal

    Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.

    But of course we are paying for phones so someone else can use them to suck data and use it to spy or advertise to me in a really creepy way. Pretty damn frustrating.

    • by gweihir ( 88907 )

      One of the reasons I do not trust smartphones. Unless I have root and can configure what I damn well please, it is an insecure device under control of an untrusted 3rd party.

    • Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.

      On Android, DroidWall, AutoProxy and others use iptables. IOW, you can control a root level firewall on your Android devices. I doubt you can do it on iOS, but I wouldn't know because I don't actually care.

      • by MrKaos ( 858439 )

        On Android, DroidWall, AutoProxy and others use iptables.

        I'll check those out, thanks!

    • Then maybe we can load up 3 layers of anti-virus software. And also just accept that your phone is going to get hacked every several months, so you should learn how to wipe it clean and start over. Or pay someone at Best Buy to do it for you. This is exactly the strategy that lead to Windows becoming a cesspool of malware during the early 2000s--let's totally replicate it with all the computers we keep in our pockets. You know, the ones that have our payment info and all of our contacts.

      Did you notice that

  • The slashdot web server listens on port 80, that's a huge security risk!
    Run home and wrap tin foil on your heads everyone!

    • by jon3k ( 691256 )
      What webserver are you running on your phone? Were you aware?

      Minimizing this like it's a non-issue is insane . The fact that apps can open random ports, which may then will inevitably be susceptible to remote attacks, is horrifying. You think IoT devices were bad, wait until the few hundred million phones with dozens or hundreds of apps installed get turned into botnets.

      I'm all for asking questions like, "what apps?" Did you install an FTP server? Well obviously it opens a port. But isn't anyo
  • As if your carrier gives you a "real ip" with open ports. You're with tens of other people behind the same ip with NAT, there is nothing, which can reach ports on your phone.

  • Security? Meh.

    Yes, I'm being sarcastic, if unclear.

  • by hughbar ( 579555 ) on Saturday April 29, 2017 @07:30AM (#54324633) Homepage
    This was my most recent comment on Android and 'apps': https://slashdot.org/comments.... [slashdot.org]. With this, I see no reason to change my mind. There's some reason we close all the ports we can and create solid firewall rules, isn't there?

    I'm going to try this next: https://jolla.com/about/ [jolla.com] but I'm not at all convinced that it's better.

No spitting on the Bus! Thank you, The Mgt.

Working...