Many mobile apps leaving ports open, warn university researchers

The old adage that less is more is true when it comes to mobile devices: The less you have on them the more secure you are.

That’s why it’s important for any security awareness program to do more than warn employees of the dangers of downloading applications from sources other than the Google or Apple app stores, which try hard to ensure — with varying degrees of success — that apps don’t come with malware.

However, the stores can’t ensure the apps are safely coded. That’s just as important, as a recently published University of Michigan study into poorly designed Android apps that leave ports open shows. Open ports are a known problem on enterprise networks, which is why administrators make every effort to close them. But employees can add anything to their mobile devices and then connect to the network, leading to potentially serious enterprise security problems.

More importantly, however, the study illustrates how app developers still haven’t learned how to safely code their creations.

To find out how many apps in the Google Play store have this vulnerability, university researchers created a scanning tool which analyzed over 100,000 Android apps and found 410 vulnerable ones, with a total of 956 potential exploits. Some of these apps had 10 to 50 million downloads on the official market; one is pre-installed on some devices.

To get an idea of how many of these apps might be nearby, researchers did a port scan on the UMichigan campus network and within two minutes found a number of mobile devices which were potentially using vulnerable apps.

“These vulnerabilities can be exploited to cause highly-severe damage such as remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution,” say the authors.

The bugs were reported to app developers, some of whom acknowledged the report and therefore presumably are fixing their code.

The researchers created several videos showing how an attack might work. This example uses the app WiFi File Transfer. The app doesn’t open a port by default — users need to toggle a button to start the service, which admittedly will largely reduce the attack window. However, the researchers note, on-device malware can spy on the port status by monitoring the proc file, and send exploitation traffic as soon as the user opens the port. The user’s photos on the SD card are then silently stolen by the malware, an app that doesn’t have the READ_EXTERNAL_STORAGE permission, and uploaded to the attacker’s server. This attack generally applies to many of the vulnerable open-port apps identified and described in the research paper.
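A defender can read the same kind of socket table to see which apps on a device are listening and whether the listener is reachable from the network. The following is an added example, not code from the researchers or this article; it assumes the proc file is Linux's `/proc/net/tcp` table, and the sample table and the function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10089        0 41001 1 0000000000000000 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 41002 1 0000000000000000 100 0 0 10 0
   2: 0501A8C0:A1B2 2200A8C0:01BB 01 00000000:00000000 00:00000000 00000000 10077        0 41003 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # kernel state code for LISTEN


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4, port)."""
    addr_hex, port_hex = field.split(":")
    # The address is a native-endian 32-bit word; little-endian is assumed (ARM/x86).
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(table_text):
    """Return one dict per socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue
        addr, port = decode_endpoint(cols[1])
        found.append({
            "addr": addr,
            "port": port,
            "uid": int(cols[7]),  # Linux user id that owns the socket
            # Loopback-only listeners are not reachable from the network.
            "network_reachable": not addr.startswith("127."),
        })
    return found


def exposed_ports(table_text):
    """Listeners bound to a non-loopback address, the ones worth reviewing."""
    return [s for s in listening_sockets(table_text) if s["network_reachable"]]


if __name__ == "__main__":
    for s in exposed_ports(SAMPLE):
        print(f"uid {s['uid']} listens on {s['addr']}:{s['port']}")
```

Listeners on IPv6 sockets appear in a separate table, `/proc/net/tcp6`, which this example does not parse.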

Other videos done by the researchers showing potential exploits can be found here.

The Hacker News notes there are some limitations to a possible exploit. “A port opened by an application can not be exploited until a vulnerability exists in the application, like improper authentication, remote code execution or buffer overflow flaws. Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, where anyone can buy a cheap cloud service to scan the whole Internet within few hours.”

Still, infosec pros need to do two things: In an enterprise they must impress upon employees how important it is to have as few apps as possible on a mobile device that will connect to the organization’s network. And those in software development shops have to redouble their efforts to ensure coders are following best practices.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
