U-M Researchers Expose Open Port Vulnerabilities on Android Apps

Most security experts are aware of “wormhole” apps, popular Android apps with open ports that allow an attacker to remotely exploit a mobile device, but a new study from the University of Michigan (U-M) found that more Android apps are vulnerable to security breaches than previously thought.

Researchers at the Electrical Engineering and Computer Science (EECS) department conducted a study and identified 410 apps in the Google Play store that have open ports “with dangerous insecurities and 956 potential exploits in total,” the research report said. One of the apps comes pre-installed on several Android devices.

For the study, the U-M team designed OPAnalyzer, a static analysis tool that can identify and characterize vulnerable open port usage in Android apps. The researchers used the tool to examine more than 100,000 Android apps and found that 99 percent of mobile usage of open ports takes place for the following five reasons:

  • Data Sharing: A usage path through which data from a device is sent to the remote host. The researchers found that HTTP is the most commonly used protocol for data sharing. Nearly 60 percent of data sharing paths do not require any client authentication.
  • Proxy: A path used to forward remote input requests to other destinations. Commonly used for advertising and content filtering, a proxy path can lead to DDoS attacks.
  • Remote execution: Used to trigger specific actions, such as sending an SMS message. Many app developers have left “backdoors” for this path type.
  • VoIP: Used in apps to listen on incoming call requests, VoIP paths can be used to spoof caller IDs — making phishing attempts more achievable.
  • PhoneGap: Paths on apps developed by Gap/Cordova, which serve JavaScript requests from the client and handle API calls. However, the U-M researchers determined these are mostly secured.

Using the tool, the U-M team found that affected apps have tens of millions of downloads, naming Wifi File Transfer, AirDroidPhonePal and other popular apps to avoid.

Traditional solutions to protect an open port from online threats call for firewalls, but “the firewall solution suffers from usability in the mobile context,” according to the report. In other words, it can be difficult for individual users to configure suitable firewall rules on top of everything else.

Read the full report here.

About the Author

Sri Ravipati is Web producer for THE Journal and Campus Technology. She can be reached at [email protected].

Featured

  • From Fire TV to Signage Stick: University of Utah's Digital Signage Evolution

    Jake Sorensen, who oversees sponsorship and advertising and Student Media in Auxiliary Business Development at the University of Utah, has navigated the digital signage landscape for nearly 15 years. He was managing hundreds of devices on campus that were incompatible with digital signage requirements and needed a solution that was reliable and lowered labor costs. The Amazon Signage Stick, specifically engineered for digital signage applications, gave him the stability and design functionality the University of Utah needed, along with the assurance of long-term support.

  • person typing on a touch screen schedule plan calendar

    2025 Tech Tactics in Education Conference Agenda Announced

    Registration is free for this fully virtual May 7 event, focused on "Thriving in the Age of AI" in K-12 and higher education.

  • abstract composition with metallic gears, glowing AI symbols, futuristic bar graphs, interconnected networking nodes, a floating open book, and a graduation cap, set against a neutral gradient background

    AI in Higher Education: Overcoming Challenges and Building the 'Competent Institution'

    Artificial intelligence and the efficiency gains that come with it have the potential to change the current trajectory of many institutions at risk. But the key is to start now.

  • consultant and educator sitting at a modern desk with a laptop and tablet, surrounded by abstract icons of online learning in a bright, minimalist setting

    Quality Matters Launches Advisory and Consulting Service

    A new service from Quality Matters, the nonprofit focused on quality assurance in online and innovative digital teaching and learning environments, is designed to help colleges and universities develop a sustainable online learning strategy.