Slashdot Mirror


Open Ports Create Backdoors In Millions of Smartphones (bleepingcomputer.com)

An anonymous reader writes: "Mobile applications that open ports on Android smartphones are opening those devices to remote hacking, claims a team of researchers from the University of Michigan," reports Bleeping Computer. Researchers say they've identified 410 popular mobile apps that open ports on people's smartphones. They claim that an attacker could connect to these ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more. This access could be leveraged to steal photos, contacts, or execute commands on the target's phone. Researchers recorded various demos to prove their attacks. Of these 410 apps, there were many that had between 10 and 50 million downloads on the official Google Play Store and even an app that came pre-installed on an OEM's smartphones. "Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK," reports Bleeping Computer. "That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update. The paper detailing the team's work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France."

122 comments

  1. I read that as Open Doors for Bob Marley by Anonymous Coward · · Score: 0

    Now I feel like smoking a bowl. Who are Bob and Mallory, is that like Alice and Bob?

    1. Re: I read that as Open Doors for Bob Marley by mnemotronic · · Score: 1

      Dos bowlos. Bobbin malwarey? Bop in male wary? Bah. Been Mallory? Maybe "Bob and Mallory" is an anagram for "anal dorm lobby"?

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    2. Re: I read that as Open Doors for Bob Marley by Anonymous Coward · · Score: 0

      Mobile phones are computers. They have all the upsides and downsides. News at 11.

  2. List of Problematic Apps? by SmilingBoy · · Score: 3, Informative

    Is there a list of the problematic apps that they found? Their paper - which can be found here: http://web.eecs.umich.edu/~jac... - lists a few examples, but it would be useful to know the full list.

    1. Re:List of Problematic Apps? by nyet · · Score: 2

      This is exactly what netstat -l is good for.

      https://play.google.com/store/...

      Granted, if it is a transient listen(), netstat -l won't catch it (e.g. something is required to trigger the listen), but long lived, persistent listen()s will show up.

    2. Re:List of Problematic Apps? by Anonymous Coward · · Score: 0

      I disable permissions and network access for all of my apps and then enable only the very minimum required for the apps to do what I want.

      I also don't store contact information in my phone.

    3. Re: List of Problematic Apps? by Anonymous Coward · · Score: 0

      How do you know netstatplus is not on the list?

    4. Re: List of Problematic Apps? by jouassou · · Score: 3, Interesting

      I also don't store contact information in my phone.

      So your phone doesn't know your phone number? Your email? Your Gmail / Facebook / WhatsApp account? Your mom's phone number? Your colleagues email addresses? Login cookies for any websites such as Amazon or EBay? WiFi password for your home network, which can be geographically located thanks to Google's positioning system? Text messages where someone casually mentions your name? If you answered yes to any of the above, a sufficiently determined attacker can probably figure out who you are. If you answered no to everything, why do you have a smartphone in the first place?

    5. Re: List of Problematic Apps? by sumdumass · · Score: 1

      Presumably, you would know because it would be listed in the open ports. I suppose it could filter its own results though.

      You could just install a terminal app and run the built in netstat command? I like termux but choose whatever. You should be able to pipe the output into a text document that you can move to a computer with a full screen to inspect. The thing about using a native OS command in a terminal window instead of a utility app to run the command is that it will not or will be unlikely to be able to censor out its own vulnerabilities (open ports). This is especially true if you vary the command and look for discrepancies like using the -lt switch or -tp or -ac and watching for changed information over time.
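
An added example, not code from the thread or from the paper, of what the netstat -l / terminal approach in the two comments above is actually reading: the kernel's /proc/net/tcp and /proc/net/tcp6 tables, which carry each socket's state and the owning UID, and on Android each installed app gets its own UID, so a listening socket can be attributed to a package. The table lines and the UID-to-package map below are constructed; on a device you would read the real files (which newer Android releases may restrict for unprivileged apps) and build the map from the package manager's UID listing.

```python
"""Audit listening TCP sockets on an Android device from /proc/net/tcp and
/proc/net/tcp6 and attribute each one to the app UID that owns it.

Added example for this thread; the table lines and the UID-to-package map
below are constructed, not captured from a real device.
"""

# Constructed /proc/net/tcp sample (hypothetical UIDs and ports).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0DAC 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10074        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10081        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:C7A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10074        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/tcp6 sample: one wildcard ([::]) listener.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F40 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10074        0 12348 1 0000000000000000 100 0 0 10 0
"""

# Constructed UID -> package map. Android assigns each installed app its own
# UID; on a device, build this from the package manager's UID listing.
UID_TO_PACKAGE = {10074: "com.example.fileexplorer", 10081: "com.example.flashlight"}

TCP_LISTEN = 0x0A  # socket state value the kernel uses for LISTEN


def parse_local_address(field):
    """Decode a 'hexaddr:hexport' field; the kernel writes IPv4 addresses as
    one little-endian 32-bit word and IPv6 addresses as four of them."""
    hexaddr, hexport = field.split(":")
    port = int(hexport, 16)
    words = [bytes.fromhex(hexaddr[i:i + 8])[::-1] for i in range(0, len(hexaddr), 8)]
    raw = b"".join(words)
    if len(raw) == 4:
        ip = ".".join(str(b) for b in raw)
    else:
        ip = ":".join(raw[i:i + 2].hex() for i in range(0, 16, 2))
    return ip, port


def is_loopback(ip):
    return ip.startswith("127.") or ip == "0000:0000:0000:0000:0000:0000:0000:0001"


def listening_sockets(table_text, uid_map):
    """Return one record per socket in LISTEN state, attributed to its owning app."""
    found = []
    for line in table_text.splitlines():
        parts = line.split()
        # Data rows start with the slot number ("0:"); this skips the header row.
        if len(parts) < 8 or not parts[0].endswith(":"):
            continue
        if int(parts[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_local_address(parts[1])
        uid = int(parts[7])
        found.append({
            "ip": ip,
            "port": port,
            "uid": uid,
            "package": uid_map.get(uid, "unknown"),
            # A listener bound to a non-loopback address is reachable from
            # whatever network the phone is on; a loopback-only one is not.
            "exposed": not is_loopback(ip),
        })
    return found


def audit(tables, uid_map):
    """Run over several tables (tcp and tcp6) and report exposed listeners per app."""
    rows = [r for t in tables for r in listening_sockets(t, uid_map)]
    exposed_by_app = {}
    for r in rows:
        if r["exposed"]:
            exposed_by_app.setdefault(r["package"], []).append(r["port"])
    return rows, exposed_by_app


if __name__ == "__main__":
    rows, exposed = audit([SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_TCP6], UID_TO_PACKAGE)
    for r in rows:
        flag = "EXPOSED" if r["exposed"] else "loopback"
        print(f"{r['ip']}:{r['port']:<6} uid={r['uid']} {r['package']:<28} {flag}")
    print("exposed listeners per app:", exposed)
```

A single snapshot has the same blind spot the netstat -l comment mentions: a transient listen() that only exists while some action is in progress is missed, so sample the tables repeatedly and diff the results over time.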

    6. Re: List of Problematic Apps? by Anonymous Coward · · Score: 0

      ... Facebook / WhatsApp account?
      Your colleagues email addresses? Login cookies for any websites such as Amazon or EBay?

      Correct, I do not use my smart phone for those activities.

      ... why do you have a smartphone in the first place?

      Because my 7 year-old phone, which has a standby duration of 7 days and more functionality than a budget Android 'smart' phone, can't view MMS images.

    7. Re: List of Problematic Apps? by AK+Marc · · Score: 1

      Your wording indicates that you have a secure Android phone, and you don't use it. I think you are trolling.

  3. Open ports by 110010001000 · · Score: 0

    Open ports by themselves don't constitute a security risk. How do you think computers communicate? Magic? "Security researcher" is the new term for failed CS majors.

    1. Re: Open ports by Anonymous Coward · · Score: 0

      That's the goddamn truth. Open ports? Who gives a fuck? It's what is behind that port that matters.

    2. Re:Open ports by nyet · · Score: 4, Informative

      Can you suggest a reason why a smartphone application should listen on a port without you knowing it?

    3. Re:Open ports by FrankHaynes · · Score: 1

      I don't need to know what ports have been opened by an app, as long as it works. It's what the app does with that connection that is of interest.

      I'd be more concerned with the app reporting back to HQ with whatever data they mine from your use of it.

      --
      slashdot: A failed experiment.
    4. Re:Open ports by Anonymous Coward · · Score: 0

      "Security researcher" is the new term for failed CS majors.

      Unemployed is the eternal term for smug pricks.

    5. Re: Open ports by Anonymous Coward · · Score: 1

      Because you're going to get really tired of being notified real fast.

    6. Re: Open ports by K.+S.+Kyosuke · · Score: 1

      Because it's essential for its operation, for example?

      --
      Ezekiel 23:20
    7. Re: Open ports by nyet · · Score: 1

      Why should an app call listen()? For what operation?

    8. Re: Open ports by Zero__Kelvin · · Score: 0

      Can you suggest a way for apps to communicate without open ports? If you are going to be smug you should probably have a fundamental understanding of the technology you criticize.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:Open ports by nyet · · Score: 1

      Once more, for what reason should an app call listen()? Be specific.

    10. Re:Open ports by nyet · · Score: 4, Informative

      BTW that is absolutely false. While an already open (and active) point to point connection is relatively hard to compromise, an application that is listen()ing on a port can be compelled to accept data from any source, at will, and repeatedly.

      This makes buffer overflow (or other remote exploits) attacks trivial to both test and execute successfully.

    11. Re: Open ports by nyet · · Score: 1

      There is a difference between calling listen() and connect().

    12. Re:Open ports by Anonymous Coward · · Score: 0

      Persistent little bugger, are you. To be able to spy on you when its master asks, duh.

    13. Re: Open ports by Barabul · · Score: 1

      It depends on what the app does. It may be essential for the service it provides. 2 examples I use frequently - SSH Server and XServer XSDL.

    14. Re: Open ports by nyet · · Score: 1

      We're not talking about server apps like sshd. Obviously that would listen on 22. We're talking about random apps that call listen without your knowledge.

    15. Re:Open ports by Anonymous Coward · · Score: 0

      The file explorer I use has a built-in FTP server that I can start with the push of a button.
      I don't need to know specifically what ports it opens for the actual data transfer, only what port it opens for the control stream.

    16. Re: Open ports by Anonymous Coward · · Score: 0

      Oh, so we are just going to list random apps that open ports for their functions until we get to one that you think could do without it?

      A smartphone is a communication device and any app that allows direct communication between two smartphones will need to use listen().
      Some apps avoid it by connecting to a central server and routing all the traffic through a point where a third party can listen in on it.

    17. Re:Open ports by Anonymous Coward · · Score: 0

      To accept an incoming connection? That is what the call does, so I guess that is why you would use it...

      For example:
      FTP client with active mode, FTP/HTTP server, NAT checking tool (either standalone, or as part of a communication stack used by an app), ...

    18. Re:Open ports by 110010001000 · · Score: 1

      Who said anything about "you knowing it"? You run closed source software, that is what you get. You don't know what an app is doing? My comment said nothing about that.

    19. Re:Open ports by 110010001000 · · Score: 1

      If I wrote an app that allowed you to transfer photos to the phone via a socket, how would the photos get transferred? Magic? Most server type process needs ports. Open ports aren't the problem. Closed source is.

    20. Re:Open ports by gweihir · · Score: 1

      Actually, given that most software (except some carefully hardened server software) is insecure, an open port is very much a risk if it connects to an app.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re:Open ports by gweihir · · Score: 2

      Indeed. Methinks some people here do not understand the difference between a listening port and a port used in an active connection.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re: Open ports by 110010001000 · · Score: 1

      One endpoint is calling listen(). Are you saying calling listen() is a security risk? That makes no sense. You have dozens of ports "open" on the computer you use every day. A mobile phone normally doesn't have a public IP anyway, and is behind a carrier NAT usually. I think you guys are confusing "open ports" with "closed source". Open ports are fine. The Internet is full of them. That is how things communicate. The problem is you don't know what these "apps" are doing.

    23. Re:Open ports by 110010001000 · · Score: 1

      Really? You do realize your computer has dozens of "open ports" right now, right? How do you think computers communicate? Magic? Open ports are not by themselves a security risk.

    24. Re: Open ports by 110010001000 · · Score: 1

      Any "app" you download can do ANYTHING THEY WANT without your knowledge. If you cared about security you wouldn't use them.

    25. Re:Open ports by 110010001000 · · Score: 0

      I've written more client server software than you have. Once you install a closed source "app" on your phone it can do whatever it wants. "Open ports" by themselves don't constitute a security risk. That is (mostly) how computers communicate.

    26. Re:Open ports by Kokuyo · · Score: 3, Informative

      Well, if my flashlight app wants to open a listening port on the network, that in and of itself seems fishy to me. Furthermore, the more services are listening for connections, the higher the chance that one of them is badly coded and will allow an attacker to get access to my data.

    27. Re: Open ports by K.+S.+Kyosuke · · Score: 0

      Uh...for communicating with a peer? Just saying... Unless modern computers are capable of telepathy somehow.

      --
      Ezekiel 23:20
    28. Re:Open ports by 110010001000 · · Score: 1

      Why is that more fishy than it connecting to a server in China and sending all your data there? What is the difference? You are installing a closed source app. It could be doing anything. If you were concerned about your data, why would you install a flashlight app from a random person?

    29. Re:Open ports by drinkypoo · · Score: 2

      Open ports are not by themselves a security risk.

      Not by themselves, but there's no such thing as an open port by itself. We're obviously talking about listening, so we need not discuss ports opened outward, although there are definitely ways to compromise an application in reverse, so opening a TCP connection outward is an opportunity for an incoming attack, if you connect to a host which is malicious (whether inherently, or because it has been compromised.) But at minimum, listening ports provide an opportunity to attack the networking stack of the device, and the application (or daemon, etc etc.) which opened the port. So yes, open ports absolutely do increase your security risk. If there are zero open ports on the device, then the only parts of the networking subsystem with which you interface are the network interface and its driver, which means there's less opportunity to exploit a vulnerability.

      Saying open ports are not a security risk is like saying that open windows are not a security risk. What? Of course they are.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    30. Re:Open ports by Anonymous Coward · · Score: 0

      Because the app is a web server? Or a game server for some 2-4 person game the kids play on their phones? (Even traditional games ported to phones make things easier, as you don't have to pick up pieces/cards afterwards. No missing dice problem. Also, you're not necessarily limited by a limited count of pieces.)

    31. Re: Open ports by BronsCon · · Score: 1

      If nobody calls listen(), what do you connect() to?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    32. Re:Open ports by Anonymous Coward · · Score: 1

      "Security researcher" is the new term for failed CS majors.

      The paper linked from the /. story explains how they analyzed the apps to check the vulnerability of the open ports. The paper is perfectly aware that open ports themselves are not necessarily dangerous, but emphasizes that roughly half of the smartphone apps that open ports do not secure them against attacks.

      If "security researcher" is the new term for failed CS majors, what is the new term for people who criticize a paper without reading it?

    33. Re:Open ports by gweihir · · Score: 1

      I doubt that very much. If you actually had written any such software in any real sense, you would not write such nonsense. And incidentally, you have no idea how much networked software I have written.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    34. Re:Open ports by sumdumass · · Score: 1

      Probably the same reason why an app to connect to your blood pressure machine via Bluetooth to retrieve readings needs access to your images, contacts, email, and account information. If you can figure that out, let me know too. But my best guess would be to update or change the advertising and track you (and the ads displayed) should you disable internet access for the app itself (say a card game that only needs internet for advertising).

    35. Re: Open ports by Zero__Kelvin · · Score: 1

      Thank you for making it clear to anyone who might have a doubt that you literally don't understand how networking works in case anyone thought I was being too hard on you.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    36. Re:Open ports by nyet · · Score: 1

      I would not hire you for any networking job.

    37. Re:Open ports by nyet · · Score: 1

      Did you actually read my post?

    38. Re:Open ports by AK+Marc · · Score: 1

      None. Though that doesn't address the issue that there has to be a vulnerability to exploit. If there's no vulnerability, more open ports don't decrease security.

      And you've illogically assumed that N+1 is always worse than N. By that reasoning, as we know windows are less secure than walls, no building should have more than one window. Everyone can share it. Any more than that must be, by nyet's definition, insecure.

    39. Re:Open ports by AK+Marc · · Score: 1

      You don't need an open port listening to scrape all your data and send it away. So why do the open ports matter more than the general security?

    40. Re: Open ports by AK+Marc · · Score: 1

      Why do you pretend P2P doesn't exist? I guess every P2P app should be blocked because you can't think of a good reason for P2P to exist.

      How would you have IoT? Every device calling to a paid central server that can lock you out of your house/garage if you give them a bad review? Or a secure P2P communication so your devices can talk to each other without using ransomware, I mean central server?

    41. Re:Open ports by nyet · · Score: 1

      You use connect(), not listen()/accept()

    42. Re: Open ports by nyet · · Score: 1

      listen() is fundamentally more dangerous than connect().

    43. Re: Open ports by Anonymous Coward · · Score: 0

      i highly doubt there is anyone on this site who thinks that. we do all think you are a below-average moron who spits out 1-liner kid-level offensive playground shit, who sits in a basement with a linux install and some perl scripts, and pretends to know something but is actually very inexperienced and wrong. your one-liners never have anything to back up your ridiculous statements or make a point.

      the one who doesn't understand much is you. there is very little reason for any app I install on the phone to act as a server. if it needs to talk to something, it should talk to its central server to connect peers. you know - how skype works behind a firewall. you're not being hard on him. you are, to reuse a great example, a kid who has shit his pants yelling at passers-by that it smells. more importantly, you're dumb in combination with overcompensation for low self esteem - likely from being quite unattractive. this means you'll never change, and just become more and more entertaining for everyone around you. like a clown who doesn't know he is a clown. how was your daily porn today? by the way - have you been outside or grubhub left by the door again?

    44. Re:Open ports by CanadianRealist · · Score: 2

      Sure, the app maker may scrape all your data and send it to their server. How is it in any way better to then leave a port open so that anyone can try and compromise your device and grab a copy for themselves?

    45. Re:Open ports by CanadianRealist · · Score: 1

      what is the new term for people who criticize a paper without reading it?

      Do we really need a new term? Can't we just keep calling them Slashdotters?

    46. Re:Open ports by Anonymous Coward · · Score: 0

      Open ports by themselves don't constitute a security risk.

      Somewhat true. When you open a port in a listening state you have an attack vector. No ports listening, no attack vector.

      How do you think computers communicate? Magic?

      Servers "listen", clients call out to "connect". The client then only accepts call backs from the source IP address it called to in the beginning. Please go and study SYN and ACK packets.

      "Security researcher" is the new term for failed CS majors.

      Again the CS major has shown maybe he can write code but he has no clue how the "system" that it runs on works.

      I have yet to meet a CS major straight out of college that can configure and harden a server or properly set up a network with more than one sub-net.

      So sure open a port on your client device and have it in a listening state and I might bust your app wide open with something as simple as a little ncat foo. I do it all the time.

      I love arrogant asshole CS majors like yourself; you make my job so much easier.

      Signed
      One of those Security Researchers.

    47. Re:Open ports by AK+Marc · · Score: 1

      With no apps installed, there'll be open ports. So it's up to you to prove that one more open port will greatly diminish the security of the device. And zero open ports still allows a malicious app to send everything to a central server, so the issue of "malicious apps" indicates they wouldn't need (or want) open ports.

  4. Linux to the rescue.. by Anonymous Coward · · Score: 0

    Oh wait..

  5. Little Snitch by amiga3D · · Score: 1

    How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.

    1. Re:Little Snitch by Anonymous Coward · · Score: 1

      How about a port of "little snitch" to android phones. I've got it on my Macs and I love it.

      Sounds like something that would require you to have administrator privileges to your phone. The powers that be (Google, Apple, Samsung etc.) have decided that this is an "insecure" configuration ("insecure" meaning it would allow you to be able to control your own damn phone)...

  6. No mention of Apple or iOS by divide+overflow · · Score: 2

    I searched the PDF of the paper and found no mention of either Apple or iOS, but Android and Java are mentioned multiple times.

    1. Re: No mention of Apple or iOS by Anonymous Coward · · Score: 0

      There's an open port creating a backdoor in your search.

    2. Re:No mention of Apple or iOS by Anonymous Coward · · Score: 0

      Because Android is the insecure one.

    3. Re: No mention of Apple or iOS by Anonymous Coward · · Score: 0

      Bahaha pwnd

  7. ES File Explorer by drinkypoo · · Score: 5, Informative

    ES File Explorer is apparently the poster child.

    I am now using Solid Explorer which is just as good in all the other ways.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:ES File Explorer by Anonymous Coward · · Score: 1

      ES has been a spying piece of shit for a couple years now.

  8. Dangerous comment by SuperKendall · · Score: 1

    Open ports by themselves don't constitute a security risk.

    This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

    If a port is opened on an Android device, that 100% means that an app opened it for some reason, which means that 100% there is for some period of time going to be a service running that receives on that port. Maybe the user deletes the app but why would they? Most people wouldn't bother. Many probably do not even know HOW.

    So that means that ALL of the most vulnerable people are at risk, which you casually dismiss because an open port "means nothing", the way an orange glow and smoke pouring from a house "means nothing" until the external edifice is reduced to ashes...

    I mean, a separate comment I saw pointed out that android users really should use netstat of the phone. Good grief.

    This is why I cannot in good conscience do anything except steer every non-technical user away from Android.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re: Dangerous comment by Anonymous Coward · · Score: 0

      I mean, I agree that android phones are utter shit and everyone should have an iPhone but lol

      u are hand waving a bunch of dumb shit like "app opens a port and then the app is gone but the port is still open and then u get hacked!!!!"

      dude ur a goddamn idiot and do not understand anything about how phone services work and you sure as fuck don't understand security and you are definitively not qualified to talk about the exploitation kill chain

    2. Re: Dangerous comment by Zero__Kelvin · · Score: 1, Insightful

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Dangerous comment by 110010001000 · · Score: 1

      What? That makes no sense. What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing. An Android device is just a computer. Really, people are stupid.

      "If a port is opened on an Android device, that 100% means that an app opened it for some reason"

      Really? Genius. You must be a "security researcher".

    4. Re:Dangerous comment by gweihir · · Score: 1

      I fully agree. Even on servers, one of the first things you do in a hardening-review is to scan for open ports and then evaluate the security of the software that opens each port. An App is likely to be horribly insecure and one has to ask what business _client_ software has opening listening ports in the first place.

      Of course, all that requires a bit of actual security knowledge. There are far too many wannabes that think they understand IT security. Probably the reason so much software is insecure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Dangerous comment by 110010001000 · · Score: 1

      "evaluate the security of the software that opens each port"

      Unless you are running open source you aren't evaluating anything. An "app" can do WHATEVER IT WANTS. Any closed source software can. Who cares about "open ports"? You don't know what the software is doing. It could steal all your information and connect() to a server in China. And you care about "open ports"?

    6. Re:Dangerous comment by swb · · Score: 2

      I wonder if a possible explanation is just sloppy coding by app programmers, cutting and pasting huge swaths of code, libraries, etc, that they don't understand to get one function.

      Even the *programmer* doesn't know what ports their cut-and-pasted code is opening.

    7. Re:Dangerous comment by 110010001000 · · Score: 1

      Possibly. A rogue app would just open a connection to china anyway and send your data that way. It wouldn't listen for incoming connections since phones are mostly behind carrier NAT. Worrying about open ports is silly. You don't know what the hell the app is doing.

    8. Re:Dangerous comment by Ol+Olsoc · · Score: 1

      Open ports by themselves don't constitute a security risk.

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      So I wasn't the only person who read that as absolute assholery. An open port is always a security risk.

      Almost as big a risk as someone declaring it isn't a risk.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re: Dangerous comment by Ol+Olsoc · · Score: 1

      This comment is sadly the kind of horrifically dangerous and stupid comment that permeates the Android technical community.

      I wholeheartedly agree. Your comment is sad, stupid, and indicative of incompetence.

      Meh, how about you explain how open ports are not a security risk instead of calling anyone who you disagree with "stupid".

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    10. Re: Dangerous comment by Anonymous Coward · · Score: 0

      I don't think you get it. Close the ports and that company in china won't have an always open connection to YOUR phone.

    11. Re:Dangerous comment by gweihir · · Score: 1

      You really have no clue how this works. You are only heaping more egg on your face.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re: Dangerous comment by gweihir · · Score: 1

      And that is just the point. The other one is that because your phone does not have a static IP address, there is actually no sane reason to have a listening port open.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re: Dangerous comment by sumdumass · · Score: 1

      Open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.

      In a server environment when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role because what is important is what is listening on the open port. When you have something not needed listening, you are not only chewing up resources the system could be using to serve should the need arise, but allow attack vectors that are not monitored as closely as the processes critical to the serving and it is easier to overlook security flaws. However, this is a different situation than what is essentially a multi purpose desktop computer where you install software and expect it to do different things at different times. If what you install needs a port open, it isn't a bad thing unless what you install is insecure or malicious.... That is where the problem is, not the open port.

    14. Re: Dangerous comment by CanadianRealist · · Score: 1

      when the entire role of the system is to act as a server, you close all unneeded open ports not pertaining to that role

      When you have something not needed listening [ ... ] allow attack vectors that are not monitored as closely

      what you install needs a port open, it isn't a bad thing unless what you install is insecure or malicious

      So on a dedicated server there's really no need to close unneeded ports. Simply don't install anything insecure or malicious on your server and everything will be fine.

    15. Re: Dangerous comment by Ol+Olsoc · · Score: 1

      open ports are necessary for communication. Open ports are ideal for phones. Apps that open ports are expecting communications of some sort and as long as they are updated and not full of bugs, it is not a problem.

      that "as long as" comment is what makes all the difference in the world.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    16. Re: Dangerous comment by Ol+Olsoc · · Score: 1

      Simply don't install anything insecure or malicious on your server and everything will be fine.

      And never never ever get a virus or malware. It'll be okay. As long as everything is on the up and up, you'll have no problems.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    17. Re: Dangerous comment by sumdumass · · Score: 1

      If you are willing to monitor all the software that uses those ports for security bugs, access attempts and so on and ensure that they are legitimate and safe, then no, there is no need to bother closing unneeded ports. At the same time, if they are not needed, then why have them open in the first place and make your life a lot harder? Best practices would dictate closing the unneeded ports simply because of how resource-consuming they are and the effort needed to keep up with them.

  9. ETHICAL HACKING? by Anonymous Coward · · Score: 0

    No mention of extending functionality of these insecure apps, or rooting a device to fix its security?

    For those that don't trust KingO or whichever, we are scammed out of administrative access by the manufacturer! These aren't phones goddamnit!! These are still computers and Apple and all the rest should be sued royally for my insecure Handtop computer!

  10. Backdoors on millions of devices by dknj · · Score: 4, Interesting

    How many people root their Android device? Has anyone looked into SuperSU and how the simple su binary works? Nope.

    The su binary that is passed around for all rooted Android distros has no source. It is maintained by a random person with financial motivation to not be conservative with your privacy or security.

    I don't think Android users really care about backdoors to be honest

    1. Re:Backdoors on millions of devices by nnull · · Score: 1

      The problem is worse than that. Almost every damn ROM wants to include it. The more I use an Android device, the more I hate it. If it's not Samsung wanting to spy on me, it's some asshole that does when I want to root my phone. Switching to an iPhone just seems like the same problems exist there. Thing makes me feel like I'm using Windows 98 with all these applications that don't ever want to close and run in the background now, applications that seem innocent but probably are not.

    2. Re:Backdoors on millions of devices by Anonymous Coward · · Score: 0

      https://www.xda-developers.com/the-importance-of-open-source-in-root/

      https://forum.xda-developers.com/android/software-hacking/wip-selinux-capable-superuser-t3216394

  11. firewall by MrKaos · · Score: 3, Insightful

    Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.

    But of course we are paying for phones so someone else can use them to suck data and use it to spy or advertise to me in a really creepy way. Pretty damn frustrating.

    --
    My ism, it's full of beliefs.
    1. Re:firewall by Anonymous Coward · · Score: 0

      Great, it's 2004 all over again. During the three years between Windows XP RTM and SP2, I had frequent debates with idiots who couldn't comprehend why personal firewalls were fucking stupid. Just close the fucking ports, I would say, you don't need a fucking firewall. What did Microsoft do instead? Windows Firewall. The idiots rejoiced.

      August 25, 2004 was the day I decided I absolutely hate all of you fucking motherfuckers. Shove a firewall up your ass and fucking die.

    2. Re:firewall by Anonymous Coward · · Score: 0

      We love you too big boy! How about a kiss! Come here, you know you want to! ;-) :-D *smooch*

    3. Re:firewall by Anonymous Coward · · Score: 0

      *kick you in the face*

    4. Re:firewall by MrKaos · · Score: 2

      I had frequent debates with idiots who couldn't comprehend why personal firewalls were fucking stupid.

      It's hard to understand why if you don't explain yourself.

      Just close the fucking ports

      Should have told them to pull out the ethernet cable, hey why not just drop network support altogether.

      But maybe you have something to offer, so why don't you enlighten me?

      --
      My ism, it's full of beliefs.
    5. Re:firewall by gweihir · · Score: 1

      One of the reasons I do not trust smartphones. Unless I have root and can configure what I damn well please, it is an insecure device under control of an untrusted 3rd party.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:firewall by Anonymous Coward · · Score: 0

      In Soviet Windows 10, the root level firewall is controlled by Apps! I have already spent so much time closing those open incoming ports that a separate firewall box would have been worth it.

    7. Re:firewall by drinkypoo · · Score: 1

      Of course the problem can be reduced if we were allowed to control a root level firewall on our android or iphone devices.

      On Android, DroidWall, AutoProxy and others use iptables. IOW, you can control a root level firewall on your Android devices. I doubt you can do it on iOS, but I wouldn't know because I don't actually care.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:firewall by MrKaos · · Score: 1

      On Android, DroidWall, AutoProxy and others use iptables.

      I'll check those out, thanks!

      --
      My ism, it's full of beliefs.
  12. Re: Open ports by Anonymous Coward · · Score: 0

    Spot on. The Os should report this stuff in a simple settings app and allow you to shut the door.

  13. Slashdot is at risk! by moshiko · · Score: 1

    The slashdot web server listens on port 80, that's a huge security risk!
    Run home and wrap tin foil on your heads everyone!

    --
    I love burekas in the morning
    1. Re:Slashdot is at risk! by jon3k · · Score: 1

      What webserver are you running on your phone? Were you aware?

      Minimizing this like it's a non-issue is insane. The fact that apps can open random ports, which will then inevitably be susceptible to remote attacks, is horrifying. You think IoT devices were bad, wait until the few hundred million phones with dozens or hundreds of apps installed get turned into botnets.

      I'm all for asking questions like, "what apps?" Did you install an FTP server? Well obviously it opens a port. But isn't anyone concerned that these apps have the ability to open ports? How is this monitored, controlled and approved from Android devices?

  14. Sounds like Bullshit by allo · · Score: 0

    As if your carrier gives you a "real IP" with open ports. You're with tens of other people behind the same IP with NAT; there is nothing that can reach ports on your phone.

    1. Re:Sounds like Bullshit by Mojo66 · · Score: 1

      How about using Starbucks' WLAN?

    2. Re:Sounds like Bullshit by allo · · Score: 1

      Do they assign every customer their own IP with open ports? I do not think so ... I guess you're just getting a LAN IP and NAT to the internet again.
      With IPv6 it gets interesting again ...

    3. Re:Sounds like Bullshit by afxgrin · · Score: 1

      There I'd be more concerned they didn't enable wireless isolation on their router.

  15. I can't believe people aren't running a firewall by Anonymous Coward · · Score: 0

    First off, if a device isn't root-able, DON'T BUY IT; you only have yourself to blame!

    The very first thing I do is install a firewall GUI, there are a couple on F-Droid...

    I may let an app through to grab an initial blob of data, but after that if it doesn't work without a connection it gets uninstalled

    anything that needs internet like an email client I select an open source version, so there are at least eyeballs keeping the app honest...

    time and time again the "safety" of the walled garden has proven to be a dangerous illusion, why should anyone be surprised that app stores are a very real and obvious security issue.

    The one android device I don't have a firewall on is my phone - stripped down without the Google framework (that alone doubles battery life) and the bare minimum of apps I need to be - well a phone...

  16. Security by spiritwave · · Score: 1

    Security? Meh.

    Yes, I'm being sarcastic, if unclear.

    --
    Sines of Impending Sines
  17. Android and apps: redux by hughbar · · Score: 2

    This was my most recent comment on Android and 'apps': https://slashdot.org/comments..... With this, I see no reason to change my mind. There's some reason we close all the ports we can and create solid firewall rules, isn't there?

    I'm going to try this next: https://jolla.com/about/ but I'm not at all convinced that it's better.

    --
    On y va, qui mal y pense!
  18. Re: I can't believe people aren't running a firewa by simpz · · Score: 1

    I've not seen a good iptables app on f-droid. The ones I've seen seem to allow you to block all network activity for an app, I'd like to block inbound connections but allow outbound.
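As an added example (not code from the paper or from any project named in this thread), here is a small audit that answers jon3k's question above ("what webserver are you running on your phone? Were you aware?") and simpz's wish for rules that block inbound connections to an app while leaving outbound alone. It parses the kernel's `/proc/net/tcp` and `/proc/net/tcp6` tables, lists every LISTEN socket with its owning UID and whether it is bound to all interfaces or only loopback, and emits an iptables rule that drops new inbound connections to each wildcard-bound port. Assumptions: you can read those files from the device (for instance via `adb shell`), you have a UID-to-package map (on a real device, `pm list packages -U` prints one), and the kernel has the conntrack match; the socket tables, the UID map and the package names below are constructed sample data, not from the page.

```python
"""Audit listening TCP sockets on an Android device from /proc/net/tcp{,6}.

Added example, not code from the paper or any project in the thread.
Assumptions (labelled): you can read /proc/net/tcp and /proc/net/tcp6
(e.g. `adb shell cat /proc/net/tcp`), and you have a uid->package map
(e.g. from `pm list packages -U`). All sample input below is constructed.
"""
import socket
from dataclasses import dataclass

LISTEN_STATE = "0A"      # value of the 'st' column for a LISTEN socket
FIRST_APP_UID = 10000    # Android app UIDs start at AID_APP_START (10000)


@dataclass(frozen=True)
class Listener:
    proto: str       # "tcp" or "tcp6"
    addr: str        # bound address, decoded to dotted / colon notation
    port: int
    uid: int
    wildcard: bool   # bound to 0.0.0.0 or :: (reachable on every interface)


def _decode_ip(hex_addr: str) -> str:
    """Decode the kernel's hex address: each 32-bit word is in host byte order
    (little-endian on the ARM/x86 devices this targets)."""
    raw = bytes.fromhex(hex_addr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def parse_listeners(text: str, proto: str) -> list:
    """Return the LISTEN sockets found in /proc/net/tcp or /proc/net/tcp6 text."""
    out = []
    for line in text.splitlines()[1:]:           # first row is the header
        f = line.split()
        if len(f) < 8 or f[3] != LISTEN_STATE:   # only listening sockets
            continue
        addr_hex, port_hex = f[1].split(":")
        addr = _decode_ip(addr_hex)
        out.append(Listener(proto, addr, int(port_hex, 16), int(f[7]),
                            addr in ("0.0.0.0", "::")))
    return out


def audit(tcp_text: str, tcp6_text: str, uid_to_pkg: dict) -> list:
    """One report line per listener: which package owns it and how exposed it is."""
    report = []
    for l in parse_listeners(tcp_text, "tcp") + parse_listeners(tcp6_text, "tcp6"):
        kind = "app" if l.uid >= FIRST_APP_UID else "system"
        owner = uid_to_pkg.get(l.uid, f"uid {l.uid} ({kind})")
        exposure = "ALL INTERFACES" if l.wildcard else f"{l.addr} only"
        report.append(f"{l.proto} {l.addr}:{l.port} owner={owner} exposure={exposure}")
    return report


def suggested_rules(listeners) -> list:
    """Drop NEW inbound connections to wildcard-bound ports arriving on any
    non-loopback interface. Outbound traffic and flows the app itself opened
    are untouched, which is the 'block inbound, allow outbound' split.
    (Assumes the device kernel provides the conntrack match, as stock Android does.)"""
    rules = []
    for l in listeners:
        if l.wildcard:
            tool = "ip6tables" if l.proto == "tcp6" else "iptables"
            rules.append(f"{tool} -I INPUT -p tcp --dport {l.port} ! -i lo "
                         f"-m conntrack --ctstate NEW -j DROP")
    return rules


# Constructed sample: an app (uid 10123) listening on 8080 on every interface,
# a system daemon on loopback-only 5432, and one established outbound flow.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23457 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B4C6 5DB8D8AD:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 23458 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 23459 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0FA3 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 23460 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_UID_MAP = {10123: "com.example.photoshare", 10042: "com.example.chat"}  # constructed

if __name__ == "__main__":
    for line in audit(SAMPLE_TCP, SAMPLE_TCP6, SAMPLE_UID_MAP):
        print(line)
    everything = parse_listeners(SAMPLE_TCP, "tcp") + parse_listeners(SAMPLE_TCP6, "tcp6")
    for rule in suggested_rules(everything):
        print(rule)
```

The exposure column is the part worth reading first: a socket bound to 127.0.0.1 or ::1 is only reachable by other code on the phone, while a wildcard bind is reachable from whatever network the phone is on, which is why the NAT argument in this thread cuts both ways (carrier NAT hides the port, a shared Wi-Fi without client isolation or a public IPv6 address does not). The generated rules are a starting point, not a firewall policy; on a device with per-app UIDs they can be narrowed further with the `owner` match on the OUTPUT chain if you also want to restrict what an app may initiate.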

  19. What a brilliant inside-the-box idea! Firewalls! by Brannon · · Score: 1

    Then maybe we can load up 3 layers of anti-virus software. And also just accept that your phone is going to get hacked every several months, so you should learn how to wipe it clean and start over. Or pay someone at Best Buy to do it for you. This is exactly the strategy that led to Windows becoming a cesspool of malware during the early 2000s--let's totally replicate it with all the computers we keep in our pockets. You know, the ones that have our payment info and all of our contacts.

    Did you notice that the article didn't note any security problems at all with iOS applications opening ports? I wonder why...

  20. Read Original Quote by SuperKendall · · Score: 1

    What is the difference between an open port on an Android device and the dozens that are open on your personal computer? Nothing.

    That is absolutely correct, and we all know that personal computers are rife with security flaws.

    Part of that is because services are sitting at a number of different open ports, every service that is doing so increases the chances of a successful attack vector being present on your system,

    So now we bring forward this same, known to be failed and dangerous, security model to the phone? Remember the original comment was talking about how open ports "are not dangerous" - with the implication that nothing is necessarily behind those open ports. But just like the PC we all know today, if something opened those ports that almost certainly means there is a service sitting there, listening, possibly vulnerable...

    Or would you like to ignore decades of failed PC security?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  21. App is not gone by SuperKendall · · Score: 1

    u are hand waving a bunch of dumb shit like "app opens a port and then the app is gone

    There's the exact problem though. Why do you THINK the app is gone?

    If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.

    Why else would it open the port if it were not going to do just that?

    Most non-technical users rarely if ever delete apps...

    I mean, I agree that android phones are utter shit

    They aren't at all, they work really well.. it's just that they ALSO bring the same security risk as any PC to a group of users who by and large have no technical ability to understand, or deal with, the risk they are taking on. So it propagates the decades of horrible security flaws the PC world has enjoyed, like bank accounts being compromised, or identities stolen.

    It's bullshit to claim that is OK, that it's not really a problem when it is a massive problem that affects the people who can least afford to deal with it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:App is not gone by AK+Marc · · Score: 1

      If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.

      Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong. Also, the app will shut the port when the app is closed.

      With mobile data, the "cheapest" bandwidth solution for a chat app is to open a server connection when the app is opened, then, if the phone is reverse-reachable, close all connections. When a message comes in, the server sends it to the phone. The other way is to leave a connection open permanently. This uses more resources and data than an open port. Most don't do this because the NAT used blocks everything. And if that's the case, your complaint about open ports being a security risk seems unfounded.

    2. Re:App is not gone by SuperKendall · · Score: 1

      Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong.

      That proves you can neither read nor think. The original post is complaining about an OPEN PORT you doofus, which means the app HAS BEEN RUN. I'm not saying anything about the app before it is run, I am talking about where there is an OPEN PORT there is a security risk.

      Also, the app will shut the port when the app is closed.

      What is really funny here is that it just goes even further to prove what I was saying, that an open port on Android is a security risk. What you are saying is that there cannot be an open port without an app behind it which means 100% of the time an open port on Android is a security risk.

      Which is what I said.

      So thanks for the support, even if you don't understand why it went that way.

      The other way is to leave a connection open permanently. This uses more resources and data than an open port.

      Innocent question - why would a malicious app care about using more resources and data?

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:App is not gone by AK+Marc · · Score: 1

      If the app has permission to open a port that means it had permission to have a long-running service sitting on that port.

      Nope. That's not how it works. An app installed with permission to open a port can't open that port until you run the app. That alone proves you wrong.

      That proves you either cannot read, nor think. The original post is complaining about an OPEN PORT you doofus, which means the app HAS BEEN RUN.

      The port can't be open unless the app is running. You said " it had permission to have a long-running service sitting on that port." That statement is wrong.

      "What I explicitly said isn't what I meant"
      Fuck you. I don't have time for liars. You were lying then or you are lying now. An app can't open a port unless it's running.

      What you are saying is that that there cannot be an open port without an app behind it which means 100% of the time an open port on Android is a security risk.

      You are presuming that all apps are malicious. You say any open port must point to an app (incorrect). I never said you can't have an open port without an app behind it. I said that if an app opens a port, it can't do so while the app is closed. The rest is more of your lies.

      When you have to lie to make a point, you know, deep down, that you are wrong, but you'll lie about that too.

      Innocent question - why would a malicious app care about using more resources and data?

      They wouldn't. So a malicious app wouldn't have any inbound ports open. Only innocent apps would bother with open inbound ports. So you've proven yourself wrong again. But you are too emotionally invested in winning every argument on the Internet, that you'll lie about that too. The malicious apps may worry about open ports, so they don't get detected, so they'll not be detected in these scans. So the scan will only find "safe" ports. But you don't understand this, or understand and lie about understanding it. Either way, you are ineducable.

  22. All cells come pre-infected, not just smart phones by Anonymous Coward · · Score: 0

    There is this thing called the modem in a cellular device and it's remotely updatable and under the telecommunications provider's control (and probably of any telecommunications provider or rogue network). It unfortunately has access to the rest of a device's memory and can pretty much do whatever it wants. No amount of encryption will protect you as the device is pre-compromised out of the box and it can't be fixed short of someone designing a phone that separates the modem from the rest of the phone.

    It's all good to shoot for fixing bugs and poor app designs, but it's hardly an issue compared to the bigger underlying issue. And we haven't even begun to talk about the fact that cell phones are by design tracking devices and wouldn't work otherwise. The telecommunications providers have to know where to route signals so they need to know roughly where your device is.

    I would love to have a communications device that implemented TCP/IP over radio. Then let me send/receive messages without being tracked up to the point I leave the town I live in and where I'm not sending a message. It's certainly possible. I have two-way radios that a group of a few dozen people I associate with use in my town which has a population of 30,000 people. There is a repeater and I can get a signal reliably everywhere. I wouldn't really need to carry my smart phone with me if we had radio that could communicate small messages to a central point with internet access. The main thing I use my smart phone for is voice/text/telegram/riot and paying for goods with cryptocurrencies (mainly Bitcoin currently as that is the most widely accepted cryptocurrency in my town/state at the local brick and mortar store level).

  23. OPAnalyzer by Anonymous Coward · · Score: 0

    Am I the only one that can find next to zero information on this application? The only thing I found was OLE Property Analyzer and that only has one dead sourceforge search result.