Android Open Ports Scan PDF

1) The document proposes the first open port analysis pipeline for Android applications to discover, diagnose, and assess the security of open ports. 2) Using crowdsourcing, the pipeline discovered open ports in many popular apps and built-in apps, as well as open ports introduced by third-party SDKs. 3) Security assessments identified vulnerabilities in popular apps, demonstrated denial of service attacks, and measured real network connectivity of devices to determine potential exposure to remote attacks using open ports.


Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Daoyuan Wu1, Debin Gao1, Rocky K. C. Chang2, En He3, Eric K. T. Cheng2, and Robert H. Deng1

[Affiliation logos 1, 2, 3; affiliation 3: China Electronic Technology Cyber Security Co., Ltd.]
[Slide 2 figure: an app exposes an open port (illustrated as http://127.0.0.1:1234, serving //filename) through which an attacker can inject dangerous commands.]
The First Step: Discovering Open Ports in Apps

• Static Analysis: OPAnalyzer [EuroS&P'17]. Issues: dynamic code loading, complex implicit flows, and code obfuscation.
• In-lab Dynamic Analysis: cannot mimic real user inputs to drive apps; difficult to recognize random port numbers.
• Crowdsourcing Discovery: leverage users' interaction with their smartphones to monitor open ports.
NetMon: On-device Open Port Monitoring

Available on Google Play since October 2016
https://play.google.com/store/apps/details?id=com.netmon
Port Monitoring Mechanism

Monitored files: /proc/net/tcp | tcp6 | udp | udp6

    $ cat /proc/net/tcp6        (accessible also on the latest Android 8 and 9)
      sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid
       0: 0000000000000000FFFF00000100007F:9AE0 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10156
       1: 0000000000000000FFFF00000100007F:EC22 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10272
       2: 0000000000000000FFFF00002600040A:E8EA 0000000000000000FFFF00006B72662F:01BB 06 00000000:00000000 03:00001279 00000000     0
       3: 0000000000000000FFFF00002600040A:84B0 0000000000000000FFFF00005FC2D9AC:01BB 08 00000000:00000001 00:00000000 00000000 10015

Periodically analyze proc with minimal overhead.
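An added example (not NetMon's own code) of the proc-based mechanism the slide describes: it decodes the little-endian hex addresses of a /proc/net/tcp{,6} dump, keeps only sockets in LISTEN state, and classifies whether the bind address keeps the port on the device or exposes it to the network. The sample listing is constructed, modelled on the slide's output.

```python
import socket

# Constructed sample in the shape of the slide's `cat /proc/net/tcp6` listing (not captured from a device).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000100007F:9AE0 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10156        0 30001
   1: 00000000000000000000000000000000:2378 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10272        0 30002
   2: 0000000000000000FFFF00002600040A:E8EA 0000000000000000FFFF00006B72662F:01BB 06 00000000:00000000 03:00001279 00000000     0        0 0
"""

LISTEN = "0A"  # st value of a TCP socket in LISTEN state (the udp files have no LISTEN; every bound socket counts there)


def decode_proc_addr(hex_addr):
    """Decode a /proc/net/{tcp,tcp6} address: 8 hex chars (IPv4) or 32 (IPv6),
    printed as 32-bit words in host (little-endian) byte order."""
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed)


def exposure(ip):
    """Who can reach a socket bound to this address. A server socket created without an
    explicit bind address (the 'convenient' API usage discussed on a later slide) lands in the second case."""
    if ip in ("127.0.0.1", "::1", "::ffff:127.0.0.1"):
        return "loopback-only"
    if ip in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "single-interface"


def listening_sockets(proc_text):
    """Return (uid, ip, port, exposure) for every LISTEN entry of a /proc/net/{tcp,tcp6} dump."""
    found = []
    for line in proc_text.splitlines()[1:]:  # first row is the column header
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN:
            continue
        addr_hex, port_hex = cols[1].split(":")
        ip = decode_proc_addr(addr_hex)
        found.append((int(cols[7]), ip, int(port_hex, 16), exposure(ip)))
    return found


if __name__ == "__main__":
    for uid, ip, port, how in listening_sockets(SAMPLE_TCP6):
        # On Android a uid >= 10000 belongs to an installed app; the package manager maps it back to a package.
        print(f"uid={uid} listens on [{ip}]:{port} ({how})")
```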
Server-side Open Port Analytic Engine

The "intelligent" engine turns raw port monitoring records (one row per user observation) into per-app open ports.

Raw port monitoring records:

    UID  App      Type  IP       Port   Time
    U1   Netflix  UDP4  0.0.0.0  1900   T1
    U1   Netflix  UDP4  0.0.0.0  39798  T1
    U2   Netflix  UDP4  0.0.0.0  1900   T2
    U2   Netflix  UDP4  0.0.0.0  32799  T2
    ……
    Ux   Netflix  TCP4  0.0.0.0  9080   Tx
    Uy   Netflix  TCP4  0.0.0.0  9080   Ty

Per-app open ports:

    App      Type  IP       Port
    Netflix  TCP4  0.0.0.0  9080
    Netflix  UDP4  0.0.0.0  1900
    Netflix  UDP4  0.0.0.0  Random
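An added example (not the authors' engine) of the aggregation step shown in the two tables: it collapses crowdsourced records into per-app open ports and labels a port "Random" when an app's port differs from user to user. The collapsing rule is an assumption made for this example, and the records are constructed to mirror the slide's table.

```python
from collections import defaultdict

# Constructed raw records in the shape of the slide's left table: (uid, app, type, ip, port).
RAW_RECORDS = [
    ("U1", "Netflix", "UDP4", "0.0.0.0", 1900),
    ("U1", "Netflix", "UDP4", "0.0.0.0", 39798),
    ("U2", "Netflix", "UDP4", "0.0.0.0", 1900),
    ("U2", "Netflix", "UDP4", "0.0.0.0", 32799),
    ("U3", "Netflix", "UDP4", "0.0.0.0", 41207),
    ("Ux", "Netflix", "TCP4", "0.0.0.0", 9080),
    ("Uy", "Netflix", "TCP4", "0.0.0.0", 9080),
]


def per_app_open_ports(records, min_users=2):
    """Collapse raw monitoring records into per-app open ports.

    Rule (an assumption, not the paper's stated algorithm): a port is treated as fixed when
    at least `min_users` distinct users observed it; ports seen by only one user are pooled
    per (app, type, ip) and reported as "Random" when that pool holds several distinct ports.
    """
    seen_by = defaultdict(set)  # (app, type, ip, port) -> uids that reported it
    for uid, app, typ, ip, port in records:
        seen_by[(app, typ, ip, port)].add(uid)

    result, one_offs = [], defaultdict(set)
    for (app, typ, ip, port), uids in seen_by.items():
        if len(uids) >= min_users:
            result.append((app, typ, ip, port))
        else:
            one_offs[(app, typ, ip)].add(port)

    for key, ports in one_offs.items():
        if len(ports) > 1:                # a different port every time: assigned at random
            result.append(key + ("Random",))
        else:                             # a single unrepeated port: too little evidence, keep it
            result.append(key + (next(iter(ports)),))
    return sorted(result, key=lambda r: (r[0], r[1], r[2], str(r[3])))


if __name__ == "__main__":
    for app, typ, ip, port in per_app_open_ports(RAW_RECORDS):
        print(f"{app:8} {typ:5} {ip:8} {port}")
```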
Crowdsourced Open Port Results

• The ten-month data:
  • 3,293 user phones from 136 different countries
  • 26% are from US, while diverse for others
  • 40M port monitoring records:
    • 2,778 open-port apps
    • And their 4,954 open ports
• The effectiveness:
  • Discovered 2,284 apps with TCP open ports, vs. 1,632 apps detected in state-of-the-art research [EuroS&P'17].
  • In a controlled set of apps with TCP open ports, 25.1% of them use dynamic or obfuscated codes for open ports.
• The pervasiveness:
  • Correlated with top 3,216 apps from Google Play, 492 of them are with open ports.
  • Pervasiveness: 15.3%.
Open Ports in 925 Popular Apps
Open Ports in 755 Built-in Apps

More than half of these built-in apps contain UDP open port 68.

One quarter (175 apps, 23.2%) have TCP/UDP port 5060 open.

41 Samsung and 16 LG models modify some Android AOSP apps to introduce port 5060.
• TCP port 6000 in Xiaomi Browser
• UDP port 19529 in LG's 18 apps
While crowdsourcing is effective in discovering open ports, it does not reveal the code-level information for more in-depth understanding or diagnosis.

Open Port Diagnosis via Static Analysis

[Slide 14 figure: two diagnosis questions for each open port, (1) introduced by an SDK? and (2) insecure parameters?]
Diagnosis I: Open-Port SDKs

• Out of the 1,520 open-port apps:
  • 61.8% are solely due to SDKs; Facebook SDK is the major contributor.
• 13 open-port SDKs detected:
Diagnosis II: Insecure API Usages

• 581 apps whose open ports are not introduced by SDKs.
• 611 open ports from 390 apps (67.1%) adopted "convenient" API usages: did not set the IP addr param or set it "null".
• 164 ports from 120 apps (20.7%) set their port number param random.

20.7% (120/581) open-port apps adopt convenient but insecure API usages.
In the last phase of our pipeline, we perform three novel security assessments of open ports.

Vulnerability Patterns Identified in Open Ports

• Terminate on-going sessions by sending two UDP packets.
• Crash Instagram by sending just an HTTP request.
• Some open ports are used as an analytics interface for their companion websites.
• Send an HTTP URL request pointing to a large file, to maliciously inflate victim apps' cellular data usage in the background.
Denial of Service Attack Evaluation
Inter-device Connectivity Measurement

Remote open-port attacks require the victim device to be connected (intra- or inter-network).

6,391 network scan traces

                                                               224 cellular networks   2,181 WiFi networks
    Allow intra-network connectivity (in the same network)     111 (49.6%)             1,823 (83.6%)
    Allow inter-network connectivity due to using public IP    23                      10
Conclusion & Takeaway

• We proposed the first open-port analysis pipeline.
• We found open ports in many popular and built-in apps, and also in SDKs.
• We performed comprehensive security assessments:
  • Vulnerabilities in popular apps, DoS experiments, real connectivity measurement.

Contact: Daoyuan Wu
[email protected]