Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com) 122
An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEMs smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."
Re: I read that as Open Doors for Bob Marley (Score:2)
List of Problematic Apps? (Score:4, Informative)
ES File Explorer (Score:5, Informative)
ES File Explorer is apparently the poster child.
I am now using Solid Explorer which is just as good in all the other ways
Re: (Score:1)
ES has been a spying piece of shit for a couple years now.
Re: (Score:3)
This is exactly what netstat -l is good for.
https://play.google.com/store/... [google.com]
Granted, if it is a transient listen(), netstat -l won't catch it (e.g. something is required to trigger the listen), but long lived, persistent listen()s will show up.
Re: (Score:2)
Presumably, you would know because it would be listed in the open ports. I suppose it could filter it's own results though.
You could just install a terminal app and run the built in netstat command? I like termux but choose whatever. You should be able to pipe the output into a text document that you can move to a computer with a full screen to inspect. The thing about using a native OS command in a terminal window instead of a utility app to run the command is that it will not or will be unlikely to be abl
Comment removed (Score:4, Interesting)
Re: (Score:2)
Open ports (Score:1)
Re:Open ports (Score:5, Informative)
Can you suggest a reason why a smartphone application should listen on a port without you knowing it?
Re: (Score:2)
I don't need to know what ports have been opened by an app, as long as it works. It's what the app does with that connection that is of interest.
I'd be more concerned with the app reporting back to HQ with whatever data they mine from your use of it.
Re: (Score:2)
Once more, for what reason should an app call listen()? Be specific.
Re: (Score:2)
Re: (Score:2)
You use connect(), not listen()/accept()
Re: (Score:2)
And you've illogically assumed that N+1 is always worse than N. By that reasoning, as we know windows are less secure than walls, no building should have more than one window. Everyone can share it. Any more than that must be, by nyet's definition, insecure.
Re:Open ports (Score:4, Informative)
Well, if my flashlight app wants to open a listening port on the network, that in and of itself seems fishy to me. Furthermore, the more services are listening for connections, the higher the chance that one of them is badly coded and will allow an attacker to get access to my data.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: Open ports (Score:1)
Because you're going to get really tired of being notified real fast.
Re: Open ports (Score:2)
Re: (Score:2)
Why should an app call listen()? For what operation?
Re: (Score:2)
It depends on what the app does. It may be essential for the service it provides. 2 examples I use frequently - SSH Server and XServer XSDL.
Re: (Score:2)
We're not talking about server apps like sshd.. Obviously that would listen on 22. We're talking about random apps that call listen without your knowledge.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
How would you have IoT? Every device calling to a paid central server that can lock you out of your house/garage if you give them a bad review? Or a secure P2P communication so your devices can talk to each other without using ransomware, I mean central server?
Re: (Score:2)
There is a difference between calling listen() and connect().
Re: (Score:2)
Re: (Score:2)
Re: Open ports (Score:1)
Re: (Score:2)
listen() is fundamentally more dangerous than connect().
Re: (Score:2)
Re: (Score:2)
Probably the same reason why an app to connect to your blood pressure machine via blue tooth to retrieve readings needs access to your images, contacts, email, and account information. If you can figure that out, let me know too. But my best guess would be to update or change the advertising and track you (and the ads displayed) should you disable internet access for the app itself (say a card game that only needs internet for advertising).
Dangerous comment (Score:2)
Open ports by themselves don't constitute a security risk.
This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.
If a port is opened on an Android device, that 100% means that an app opened it for some reason, which means that 100% there is for some period of time going to be a service running that receives on that port. Maybe the user deletes the app but why would they? Most people wouldn't bother. Many probably do not even know HOW.
So
App is not gone (Score:2)
u are hand waving a bunch of dumb shit like "app opens a port and then the app is gone
There's the exact problem though. Why do you THINK the app is gone?
If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.
Why else would it open the port if it were not going to do just that?
Most non-technical users rarely if ever delete apps...
I mean, I agree that android phones are utter shit
They aren't at all, they work really well.. it's just that they
Re: (Score:2)
If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.
Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong. Also, the app will shut the port when the app is closed.
With mobile data, the "cheapest" bandwidth solution for a chat app is to open a server connection when the app is opened, then, if the phone is reverse-reachable, close all connections. When a message comes in, the server sends it to the phone. The other way is to leave a connection open permanen
Re: (Score:2)
Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong.
That proves you either cannot read, nor think. The original post is complaining about an OPEN PORT you doofus, which means the app HAS BEEN RUN. I'm not saying anything about the app before it is run, I am talking about where there is OPEN PORT there is a security risk.
Also, the app will shut the port when the app is closed.
What is really funny here is tha
Re: (Score:2)
If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.
Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong.
That proves you either cannot read, nor think. The original post is complaining about an OPEN PORT you doofus, which means the app HAS BEEN RUN.
The port can't be open unless the app is running. You said " it had permission to have a long-running service sitting on that port." That statement is wrong.
"What I explicitly said isn't what I meant"
Fuck you. I don't have time for liars. You were lying then or you are lying now. An app can't open a port unless it's running.
What you are saying is that that there cannot be an open port without an app behind it which means 100% of the time an open port on Android is a security risk.
You are presuming that all apps are malicious. You say any open port must point to an app (incorrect). I never said you can't have an open port withou an app behind it. I said
Re: Dangerous comment (Score:1, Insightful)
I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.
Re: (Score:2)
I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.
Meh, howbow you explain how open ports are not a security risk instead of calling anyone who you disagree with "stupid".
Re: (Score:2)
open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.
In a server environment when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role because what is important is what is listening on the open port. When you have something not needed listening, you are not only chewing up resources the s
Re: (Score:2)
So on a dedicated server there's really no need to close unneeded ports. Simply don't install anything insecure or malicious on your server and everything will be fine.
Re: (Score:2)
Simply don't install anything insecure or malicious on your server and everything will be fine.
And never never ever get a virus or malware. It'll be okay. As long as everything is on the up and up, you'll have no problems.
Re: (Score:2)
If you are willing to monitor all the software that uses those ports for security bugs, access attempts and so on and ensure that they are legitimate and safe, then no, there is no need to bother closing unneeded ports. At the same time, if they are not needed, then why have them open in the first place and make your life a lot harder? Best practices would dictate closing the unneeded ports simply because of how resource consuming and the effort needed to keep up with them.
Re: (Score:2)
open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.
that "as long as" comment is what makes all the difference in the world.
Re: (Score:2)
"If a port is opened on an Android device, that 100% means that an app opened it for some reason"
Really? Genius. You must be a "security researcher".
Read Original Quote (Score:2)
What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing.
That is absolutely correct, and we all know that personal computers are rife with security flaws.
Part of that is because services are sitting at a number of different open ports, every service that is doing so increases the chances of a successful attack vector being present on your system,
So now we bring forward this same, known to be failed and dangerous, security model to the p
Re: (Score:2)
I fully agree. Even on servers, one of the first things you do in a hardening-review is to scan for open ports and then evaluate the security of the software that opens each port. An App is likely to be horribly insecure and one has to ask what business _client_ software has opening listening ports in the first place.
Of course, all that requires a bit of actual security knowledge. There are far too many wannabes that think they understand IT security. Probably the reason so much software is insecure.
Re: (Score:2)
Unless you are running open source you aren't evaluating anything. An "app" can do WHATEVER IT WANTS. Any closed source software can. Who cares about "open ports"? You don't know what the software is doing. It could steal all your information and connect() to a server in China. And you care about "open ports"?
Re: (Score:2)
You really have no clue how this works. You are only heaping more egg on your face.
Re: (Score:2)
And that is just the point. The other one is that because your phone does not have a static IP address, there is actually no sane reason to have a listening port open.
Re: (Score:3)
I wonder if a possible explanation is just sloppy coding by app programmers, cutting and pasting huge swaths of code, libraries, etc, that they don't understand to get one function.
Even the *programmer* doesn't know what ports they're cut-and-pasted code is opening.
Re: (Score:2)
Re: (Score:2)
Open ports by themselves don't constitute a security risk.
This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.
So I wasn't the only person who read that as absolute assholery. An open port is always a security risk.
Almost as big a risk as someone declaring it isn't a risk.
Re:Open ports (Score:5, Informative)
BTW that is absolutely false. While an already open (and active) point to point connection is relatively hard to compromise, an application that is listen()ing on a port can be compelled to accept data from any source, at will, and repeatedly.
This makes buffer overflow (or other remote exploits) attacks trivial to both test and execute successfully.
Re: (Score:3)
Indeed. Methinks some people here do not understand the difference between a listening port and a port used in an active connection.
Re: (Score:1)
Re: (Score:2)
I doubt that very much. If you actually had written any such software in any real sense, you would not write such nonsense. And incidentally, you have no idea how much networked software I have written.
Re: (Score:2)
Did you actually read my post?
Re: (Score:2)
Re: (Score:3)
Open ports are not by themselves a security risk.
Not by themselves, but there's no such thing as an open port by itself. We're obviously talking about listening, so we need not discuss ports opened outward, although there are definitely ways to compromise an application in reverse, so opening a TCP connection outward is an opportunity for an incoming attack, if you connect to a host which is malicious (whether inherently, or because it has been compromised.) But at minimum, listening ports provide an opportunity to attack the networking stack of the devic
Re: (Score:2)
I would not hire you for any networking job.
Re: (Score:2)
Actually, given that most software (except some carefully hardened server software) is insecure, an open port is very much a risk if it connects to an app.
Re: (Score:1)
"Security researcher" is the new term for failed CS majors.
The paper linked from the /. story explains how they analyzed the apps to check the vulnerability of the open ports. The paper is perfectly aware that open ports themselves are not necessarily dangerous, but emphasizes that roughly half of the smartphone apps that open ports do not secure them against attacks.
If "security researcher" is the new term for failed CS majors, what is the new term for people who criticize a paper without reading it?
Re: (Score:2)
Do we really need a new term? Can't we just keep calling them Slashdotters?
Little Snitch (Score:2)
How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.
Re: (Score:1)
How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.
Sounds like something that would require you to have administrator privileges to your phone. The powers that be (Google, Apple, Samsung etc.) have decided that this is an "insecure" configuration ("insecure" meaning it would allow you to be able to control your own damn phone)...
No mention of Apple or iOS (Score:3)
Backdoors on millions of devices (Score:5, Interesting)
How many people root their Android device? Has anyone looked into SuperSU and how the simple su binary works? Nope.
The su binary that is passed around for all rooted Android distros has no source. It is maintained by a random person with financial motivation to not be conservative with your privacy or security.
I don't think Android users really care about backdoors to be honest
Re: (Score:2)
firewall (Score:4, Insightful)
Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.
But of course we are paying for phones so someone else can use them to suck data and use it to spy or advertise to me in a really creepy way. Pretty damn frustrating.
Re: (Score:3)
I had frequent debates with idiots who couldn't comprehend why personal firewalls were fucking stupid.
It's hard to understand why if you don't explain yourself.
Just close the fucking ports
Should have told them to pull out the ethernet cable, hey why not just drop network support altogether.
But maybe you have something to offer, so why don't you enlighten me?
Re: (Score:2)
One of the reasons I do not trust smartphones. Unless I have root and can configure what I damn well please, it is an insecure device under control of an untrusted 3rd party.
Re: (Score:2)
Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.
On Android, DroidWall, AutoProxy and others use iptables. IOW, you can control a root level firewall on your Android devices. I doubt you can do it on iOS, but I wouldn't know because I don't actually care.
Re: (Score:2)
On Android, DroidWall, AutoProxy and others use iptables.
I'll check those out, thanks!
What a brilliant inside-the-box idea! Firewalls! (Score:2)
Then maybe we can load up 3 layers of anti-virus software. And also just accept that your phone is going to get hacked every several months, so you should learn how to wipe it clean and start over. Or pay someone at Best Buy to do it for you. This is exactly the strategy that lead to Windows becoming a cesspool of malware during the early 2000s--let's totally replicate it with all the computers we keep in our pockets. You know, the ones that have our payment info and all of our contacts.
Did you notice that
Slashdot is at risk! (Score:1)
The slashdot web server listens on port 80, that's a huge security risk!
Run home and wrap tin foil on your heads everyone!
Re: (Score:2)
Minimizing this like it's a non-issue is insane . The fact that apps can open random ports, which may then will inevitably be susceptible to remote attacks, is horrifying. You think IoT devices were bad, wait until the few hundred million phones with dozens or hundreds of apps installed get turned into botnets.
I'm all for asking questions like, "what apps?" Did you install an FTP server? Well obviously it opens a port. But isn't anyo
Sounds like Bullshit (Score:1)
As if your carrier gives you a "real ip" with open ports. You're with tens of other people behind the same ip with NAT, there is nothing, which can reach ports on your phone.
Re: (Score:2)
Re: (Score:2)
Do they assign every customer an own ip with open port? I do not think so ... I guess you're just getting a LAN IP and NAT to the internet again. ...
With IPv6 it gets interesting again
Re: (Score:2)
There i'd be more concerned they didn't enable wireless isolation on their router.
Security (Score:1)
Security? Meh.
Yes, I'm being sarcastic, if unclear.
Android and apps: redux (Score:3)
I'm going to try this next: https://jolla.com/about/ [jolla.com] but I'm not at all convinced that it's better.
Re: I can't believe people aren't running a firewa (Score:2)
I've not seen a good iptables app on f-droid. The ones I've seen seem to allow you to block all network activity for an app, I'd like to block inbound connections but allow outbound.