Mobile applications that open ports on Android smartphones are opening those phones to remote hacking, claims a team of researchers from the University of Michigan.
Open ports are a well-known threat vector on servers, where administrators deploy security software with the primary purpose of shutting down or alerting the owner every time an unauthorized port is opened, or someone tries to connect to it.
The last place you’d expect to have problems with open ports is your smartphone, mainly because server and mobile operating systems have very little in common.
In reality, the Android OS, which was based on an early version of the Linux kernel, has inherited the same problem.
Research inspired by 2015 Baidu SDK flaw
Research on the mobile open port problem started after researchers read a Trend Micro report from 2015 about a vulnerability in the Baidu SDK, which opened a port on user devices, providing an attacker with a way to access the phone of a user who installed an app that used the Baidu SDK. That particular vulnerability affected over 100 million smartphones, but Baidu moved quickly to release an update.
Interested in assessing what other mobile applications open ports on users’ devices, the research team got to work. The first step was to create a tool they later named OPAnalyzer.
They initially used this tool to scan over 100,000 Android applications and classify 99% of the apps into five distinct app families, based on how they used the ports they opened. The categories were: data sharing, proxy, remote execution, VoIP call, and PhoneGap (apps based on the PhoneGap framework code signature).
In a second stage, researchers used the same OPAnalyzer tool to carry out extensive usage tests. This effort unearthed 410 vulnerable applications and 956 potential exploitation vectors.
Of these 410 apps, many had between 10 and 50 million downloads on the official Google Play Store, and one even came pre-installed on an OEM’s smartphones.
Open ports are wormholes to various phone features
“The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port,” researchers said.
Basically, the research team is saying that anyone who knows where to look could identify apps that open ports, which in turn grant access to various phone features, such as photos, contacts, the camera, and more.
To prove their point, the research team has recorded three demos where they used an app’s open ports to steal photos with on-device malware (first video), steal photos via a network attack (second video), or force the user’s device to send an SMS to a premium service (third video). They didn’t use special exploits, but only the connection to a device’s network ports.
Traditional solutions to protect an open port from Internet attackers are through a firewall, which monitors and controls incoming and outgoing traffic based on predetermined security policies. However, the firewall solution suffers from usability problems in the mobile context, since it is hard for individual users to configure suitable firewall rules for each app installed on the device, and to coordinate both app functionality and security assurance. Moreover, in the physical proximity use scenario, since users can initiate connections from arbitrary hosts, it is hard to configure rules
Nonetheless, protecting against the problem of apps opening ports on smartphones is trivial, researchers say. In their research paper, they propose different mitigation solutions for several exploitation scenarios.
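As an added example (not code from the article or from the OPAnalyzer paper), the following script audits the listening-socket table Android exposes in /proc/net/tcp and /proc/net/tcp6 (what `adb shell cat /proc/net/tcp6` prints) and separates ports reachable only by other apps on the device from ports reachable over the network, the two scenarios in the demos above. It assumes a little-endian device and runs on constructed sample rows.

```python
import socket

TCP_LISTEN = 0x0A       # state code the kernel prints for a LISTEN socket
FIRST_APP_UID = 10000   # Android assigns installed apps UIDs from 10000 upward

def parse_listeners(text, ipv6=False):
    """Return (ip, port, uid) for each LISTEN row of a /proc/net/tcp or tcp6 dump."""
    out = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 8 or int(f[3], 16) != TCP_LISTEN:
            continue                            # established, closing, or malformed
        addr_hex, port_hex = f[1].split(":")
        raw = bytes.fromhex(addr_hex)
        # The kernel prints addresses as 32-bit words in host order; on a
        # little-endian phone each 4-byte word must be reversed (assumption).
        raw = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
        ip = socket.inet_ntop(socket.AF_INET6 if ipv6 else socket.AF_INET, raw)
        out.append((ip, int(port_hex, 16), int(f[7])))
    return out

def exposure(ip):
    """Who can reach a listening socket, judged by the address it is bound to."""
    if ip.startswith("127.") or ip == "::1":
        return "local-only"          # only other apps on the same device
    if ip in ("0.0.0.0", "::"):
        return "all-interfaces"      # anyone on a network the phone joins
    return "one-interface"

def audit(tcp_text, tcp6_text):
    """App-owned listening ports with their exposure; system UIDs are skipped."""
    rows = parse_listeners(tcp_text) + parse_listeners(tcp6_text, ipv6=True)
    return [(ip, port, uid, exposure(ip)) for ip, port, uid in rows if uid >= FIRST_APP_UID]

# Constructed sample dumps in the column layout of /proc/net/tcp{,6}.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 31337 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31338 1
   2: 0100007F:1F90 0100007F:B4E2 01 00000000:00000000 00:00000000 00000000 10123        0 31339 1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:15B3 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10200        0 31340 1
"""

if __name__ == "__main__":
    for ip, port, uid, where in audit(SAMPLE_TCP, SAMPLE_TCP6):
        print(f"uid {uid} listens on [{ip}]:{port} -> {where}")
```

A socket bound to all interfaces by an app UID is the case the researchers' network-attack demo relies on; the UID can be mapped to a package name with the device's package manager.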
The paper detailing the team’s work is entitled Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications, and was presented Wednesday, April 26, at the 2nd IEEE European Symposium on Security and Privacy that took place this week in Paris, France.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.