FOR HACKERS, SCANNING for an open “port”—a responsive, potentially vulnerable internet connection on a would-be victim’s machine—has long been one of the most basic ways to gain a foothold in a target company or agency. As it turns out, thanks to a few popular but rarely studied apps, plenty of smartphones have open ports, too. And those little-considered connections can just as easily give hackers access to tens of millions of Android devices.
A group of researchers from the University of Michigan identified hundreds of applications in Google Play that perform an unexpected trick: By essentially turning a phone into a server, they allow the owner to connect to that phone directly from their PC, just as they would to a web site or another internet service. But dozens of these apps leave open insecure ports on those smartphones. That could allow attackers to steal data, including contacts or photos, or even to install malware.
“Android has inherited this open port functionality from traditional computers, and many applications use open ports in a way that poses vulnerabilities,” says Yunhan Jia, one of the Michigan researchers who reported their findings at the IEEE European Symposium on Security and Privacy. “If one of these vulnerable open port apps is installed, your phone can be fully taken control of by attackers.”
Port of Call
To determine the full scope of the port problem, the Michigan researchers built a software tool they call OPAnalyzer (for Open Port Analyzer) that they used to scan the code of around 100,000 popular apps in the Google Play app store.
They found that 1,632 applications created open ports on smartphones, mostly intended to allow users to connect to them from PCs to send text messages, transfer files, or use the phone as a proxy to connect to the rest of the internet. Of those, they identified 410 as potentially having no protection or only weak protection—such as a hardcoded password that can be derived from the code and used by any hacker—meant to control who can access those open ports. And of that subset, they manually analyzed 57 that they confirmed left ports open and exploitable by any hacker on the same local Wi-Fi network, another app on the same device (even one with restricted privileges), or more disturbing, a script that runs in the victim’s browser when they merely visit a website.
Aside from those four apps, the researchers’ full paperdetails analyses of half a dozen others—several of which are mostly popular in the Chinese market—that are also vulnerable to varying degrees to open port attacks. More than half the 1,632 apps that create open ports on phones have more than 500,000 downloads, the researchers found.
To test just how widespread the most vulnerable apps might be, they at one point even scanned their local university network and immediately found devices with open, potentially hackable ports. “That so many developers have made this mistake is already an alarming sign,” says UC Riverside’s Qian. “There will be other apps they haven’t looked at, or that other people build in the future that will have the same problem.”
The notion that smartphone apps can open ports and leave them vulnerable has come to light before: In late 2015, the Chinese company Baidu revealed that a software development kit it had developed left open ports on devices where it was installed. Other major Chinese businesses, including Tencent and Qihoo, had already adopted the code, affecting more than 100 million users in total. After Baidu’s admission of the vulnerability the vulnerable apps all released security fixes.
Clearly, though, the problem of open ports in mobile devices persists. And the Michigan researchers suggest that fixing it will require developers to think twice before they open a gaping entry point in your device for remote hackers. “The user can do nothing. Google can do nothing,” says Jia. “The developer has to learn to use open ports correctly.”
Of course, there actually is one thing you can do: Uninstall the vulnerable apps like Wifi File Transfer that the researchers name. You may lose the convenience of moving files to and from your mobile device at will. But you’ll lock out the unwelcome guests who’d use that convenient backdoor, too.