A recent study found 956 potential exploits in Android apps that could allow data extraction, malware installs, and remote device control. Some of the affected apps have tens of millions of installs.
A University of Michigan study found 410 Android apps in the Google Play store with open ports. Those 410 apps can be exploited in 956 different ways. While that may not seem like a lot of affected software, the downloads speak otherwise: Several are popular apps with between 10 and 50 million downloads. One even comes pre-installed on several devices.
Security professionals are no stranger to open ports, and both their legitimate and nefarious uses. Opening ports allows software to reach beyond the corporate firewall, and vice-versa, but also leaves exploitable gaps in security. Those with malicious intent and the proper skills can use open ports to wreak havoc on a network.
The University of Michigan team built a program called OPAnalyzer, described as "a static analysis tool which can effectively identify and characterize vulnerable open port usage in Android applications," which it used to find open ports. The researchers then manually tested 57 apps to confirm what they suspected: Those open ports are a security nightmare.
The five vectors of attack on open Android app ports
All of those open ports don't mean much if you don't know what they're used for and how that use can be exploited. The research team found that 99% of traffic on reachable open Android app ports was being used for the following five reasons.
- Data sharing: These ports are used to read data on a local device and transfer it to a remote host (i.e., Google Drive). Some 60% of data sharing ports require no client authentication.
- Proxy: These ports are used to forward remote input requests to other destinations. Generally used to generate targeted ads, proxy ports can also be used for reflecting DDOS attacks and stealing cached web data like passwords.
- Remote execution: Used to trigger actions on devices, like sending push notifications and logging into computers with a smartphone, many remote execution ports are sensitive to remote execution beyond the scope of the app.
- VoIP: Answering VoIP calls requires an open port listening for SIP invitations. These ports could be used to spoof caller ID, making phishing attempts that much more believable.
SEE:BYOD (bring-your-own-device) policy (Tech Pro Research)
Exploits require more than just an open port
Open ports aren't necessarily a way into a network: They exist to fulfill specific purposes for specific software, and aren't a problem until a vulnerability in an app is discovered. Even with vulnerabilities, the risk is still minimal, as The Hacker News reports: "Smartphones connected to the Internet via wireless network behind a router are less impacted by this issue, because in that case, attackers would need to be on the same wireless network as the victim."
On a small business network that may not be a problem, but add public Wi-Fi or large user bases into the mix and your risk has just skyrocketed, as the research team found when they scanned a subnet of their local network. It only took them two minutes to find "40 hosts identified to be mobile devices open [on] such ports."
If any part of your network is less than completely locked down, the average Android device could be the key a hacker needs to undermine all of your security practices.
What you should do
The report didn't list any of the vulnerable apps, and with good reason: 50% of those discovered have more than 500,000 downloads. Like it or not there's probably at least one or two people on the average enterprise network with a problem app installed.
If you're an Android developer, or have a few working alongside you, now is the perfect time to implement good coding practices. It's also a good idea to have code reviewed by other programmers to ensure nothing is overlooked.
SEE: Android Security Bulletin April 2017: What you need to know (TechRepublic)
Infosec professionals have a whole other list of problems stemming from vulnerable apps that are already installed. Take control of your network by making sure you:
- Enforce strong BYOD policies. If you can verify that an app is a problem, block devices with it installed from accessing the network.
- Make use of your firewall. It's not always easy to keep device software tightly controlled. When that's not possible, close ports on your firewall to prevent apps from communicating.
- Reinforce good security habits. Make sure you remind users of the risks their devices carry, and sponsor regular reviews of best practices. That includes minimizing the number of apps installed on company-certified BYOD devices.
The three big takeaways for TechRepublic readers:
- Researchers at the University of Michigan found 410 apps that contained 956 open port vulnerabilities. These open ports could be used to steal device information, launch attacks, and install malware.
- Open ports aren't enough on their own to make an app vulnerable: Exploits have to be discovered in problem apps as well. Regardless, any wide, publically available network is sure to have security holes that could be exploited.
- Android developers need to be sure they're only using the ports they absolutely need. Those that are used need to be secured properly. Security teams need to force BYOD devices to conform to certain software standards, unnecessarily open firewall ports need to be closed, and employees need to be briefed on good device security practices.
- Easy ways to make your Android device more secure (TechRepublic)
- Android security: Google's May update hits bugs with critical patches for Nexus, Pixel (ZDNet)
- 10 do's and don'ts for securing your Android device (TechRepublic)
- Android security report: Google aims to clean up 'unwanted software' in 2017 (ZDNet)
- Most Android users running outdated security patches: report (CNET)