How can users detect dangerous open ports in mobile apps?

University of Michigan researchers discovered that a number of Android apps in the Google Play Store essentially turn smartphones into servers and, as a result, expose the smartphones with insecure, open ports. How do these apps perform that transition, and how can users detect and remediate any insecure ports on their devices?

Ports on a computer are communication endpoints where data enters and leaves the computer. Network administrators have to know which ports are open -- or listening -- on their servers in order to set firewall rules to control who can and can't access them.

Scanning for open ports is often the first step an attacker takes when looking for unprotected entry points to gain a foothold in devices on the internet. There is no way to stop someone from port scanning internet-connected devices, and tools like Nmap can scan for open ports and discover what services are listening on those ports.

Incorrectly opened or poorly protected ports have been at the heart of many major attacks, such as the TCP SYN flooding and the Conficker worm. While servers and desktops use firewalls and authentication controls to protect against such attacks, they are harder to deploy on mobile devices while still preserving usability. For example, users find it hard to configure suitable firewall rules for each app they install, and since users can initiate connections from arbitrary hosts, it is hard to configure rules in advance.

In 2015, Trend Micro found the software development kit (SDK) Moplus -- created by Chinese internet services company Baidu, used by thousands of Android applications and downloaded by over 100 million users -- opened an HTTP server on devices where affected apps were installed. As the server didn't use authentication and accepted requests from anyone on the internet, an attacker could execute predefined commands that were implemented in the SDK to extract and modify sensitive information, upload files, make phone calls, display bogus messages and install apps.

To better understand the potential risk of open ports in the smartphone ecosystem, researchers from the University of Michigan built OPAnalyzer -- Open Port Analyzer -- a software tool they used to scan and analyze the open port usage of around 100,000 popular apps in the Google Play app store. They found that 1,632 applications created open ports on smartphones, and 410 of those had weak protection or none at all.

After manually analyzing 57 of those apps, one of which was downloaded 10 million times, they found a variety of attack vectors, such as open ports exploitable by a hacker on the same local Wi-Fi network, another app on the same device and a script that runs in the victim's browser when they visit a compromised website.

The report, "Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications," explains how open ports on mobile devices can lead to information leakage, abuse of text message services, denial of service and privileged execution.

Many of the apps that enable users to connect to their device from a PC to send text messages, transfer files or use the phone as a proxy to connect to the rest of the internet leave open, insecure ports and fail to implement proper client authentication. These apps essentially turn the phone into a server. As an attacker can scan for open ports from anywhere, they are completely open to remote exploitation.

Poor coding and implementation practices are at the heart of the problem. Developers have to learn to use open ports correctly and to verify incoming connections. Unfortunately, it is difficult for individual users to check which ports are open on their Android device, due to various security restrictions, so tools such as OS Monitor for Android no longer work.

Users should check that they are not using any of the apps mentioned in the report and consider whether they can do without third-party apps that connect their mobile devices to other devices, as they may well open up a convenient backdoor to would-be attackers.

Even if an app has been downloaded thousands of times and has a high rating, look for those where users have said vendor responses have been prompt and helpful. The University of Michigan researchers found many developers behind the vulnerable apps they discovered failed to respond when told about their use of exploitable ports.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)