
Slashdot "Open Ports Create Backdoors In Millions of Smartphones"

simpz

Slashdot is running a story about how lots of Android apps listen on ports for incoming connections.

https://it.slashdot.org/story/17/04/28/2343222/open-ports-create-backdoors-in-millions-of-smartphones

I was quite surprised by this as I thought virtually all Android apps would be outbound only and wouldn't need to create a listening socket, unless a genuine server (SSH/FTP/HTTP etc). But I ran a "netstat -apn | grep -i listen" on my phone, and to my surprise my mobile provider VoIP app is listening on a port (again I thought it would be outbound only). And worse, I can happily connect to it from my WiFi.

I added iptables rules to block inbound connections but allow outbound unrestricted. The VoIP app seems happy enough.
But I am also surprised (for me this is LineageOS, but I assume it is common to all Androids) that the default iptables rules don't block inbound connections, with an API allowing apps to request inbound on specific ports or something.

My iptables rules are below (covering v6 too):
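Code:
# Allow ICMP, replies to connections the phone opened, and loopback traffic
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Drop every other inbound packet
iptables -A INPUT -j DROP
# Same rules for IPv6 (the later script in this thread matches ipv6-icmp here instead of icmp)
ip6tables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -j DROP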

simpz

I had a further look at one of the apps I have listening. I picked the popular Plex client app. Here is the netstat output (it also listens on a number of loopback ports but no big deal there):


tcp6 0 0 :::44411 :::* LISTEN 13084/com.plexapp.android

So it listens on IPv4 and IPv6. Telnetting to this port, it seems to have some sort of web server listening on it:

Escape character is '^]'.
get /

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=UTF-8
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1209600

Failure: 500 Internal Server Error
Connection closed by foreign host.


Not sure why a client app like this needs to listen really.
 

simpz

I have slightly modified my iptables rules to allow IPv6 SLAAC to work properly and to allow SSH (as an example allowed incoming service) in from my local IP addresses (and IPv6 local ULA addresses) on WiFi.

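Code:
#!/system/bin/sh

# IPv4: allow replies to connections the phone opened, ICMP and loopback
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow inbound UDP on port 33791
iptables -A INPUT -p udp --dport 33791 -j ACCEPT
# Allow new SSH connections from the local WiFi subnet only
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Drop every other inbound packet
iptables -A INPUT -j DROP

# IPv6: same policy, with ICMPv6 matched as ipv6-icmp
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Allow DHCPv6 replies to the link-local address (client port 546)
ip6tables -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 33791 -j ACCEPT
# Allow new SSH connections from the local ULA prefix only
ip6tables -A INPUT -s fda1:12B0:97A1::/64 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -j DROP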
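
The netstat check from the first two posts, as an added example that is not part of the thread: it separates listeners bound to loopback from those bound to a wildcard or interface address, which are the sockets the INPUT rules above have to cover. The function names and the sample lines are constructed for illustration (`com.example.voip` and the loopback port are hypothetical); only the `:::44411` Plex line comes from the thread.

```shell
#!/bin/sh
# Added example: split TCP listeners in `netstat -apn` output into
# loopback-only sockets and sockets reachable from the network.

# Reads netstat output on stdin, prints "<scope> <port> <owner>" per listener.
#   loopback = bound to 127.0.0.0/8 or ::1 (not reachable off the device)
#   exposed  = bound to a wildcard (0.0.0.0, ::) or an interface address
classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[0-9]+$/, "", host)   # everything before the port
        sub(/^::ffff:/, "", host)              # IPv4-mapped form, e.g. ::ffff:127.0.0.1
        owner = ($7 == "" ? "-" : $7)          # PID/program column may be missing
        scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
        print scope, port, owner
    }'
}

# Prints "<port> <owner>" for network-reachable listeners only.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed" { print $2, $3 }'
}

# Constructed sample input in `netstat -apn` layout.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5037 0.0.0.0:* LISTEN 612/adbd
tcp 0 0 0.0.0.0:5060 0.0.0.0:* LISTEN 4021/com.example.voip
tcp6 0 0 :::44411 :::* LISTEN 13084/com.plexapp.android
tcp6 0 0 ::1:32400 :::* LISTEN 13084/com.plexapp.android
tcp 0 0 192.168.1.23:41822 203.0.113.10:443 ESTABLISHED 4021/com.example.voip
udp 0 0 0.0.0.0:68 0.0.0.0:* 801/dhcp
EOF
}

# Demo on the sample; on the device, pipe `netstat -apn` in instead.
sample_netstat | exposed_listeners
```

Each port this prints should either have a matching ACCEPT rule you added on purpose or be caught by the final DROP rule.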
 
