Android opens a few well-known ports

Android has always blocked ports up to 1023. Developers have demanded more openness from the start, but only now is Google daring glasnost. A little bit.

Green, locked double door. Above it reads "HEAVEN"

A new Android, a better Android,
O friends, Google will judge you!

(Image: Markus Pfaff / Shutterstock.com)


Google will allow Android apps to use a dozen well-known ports (ports below 1024). This opens up new possibilities for Android devices, especially in local networks. Specifically, with the next Google Play system update, Android apps that need them will gain access to these nine TCP ports: 20 and 21 (typically used for FTP), 22 (SSH/SFTP), 23 (Telnet), 80 (HTTP), 443 (HTTPS), 445 (SMB), as well as the two ports commonly used by network printers, 515 (LPD) and 631 (IPP).

In addition, there are three UDP ports: 319 and 320 (typically used for time synchronization via PTP) and 443 (for the QUIC-based web protocol HTTP/3). This is according to a notice published on the public Android bug tracker over the weekend. Users of TFTP (UDP port 69) or Doom fans (classic port 666), for example, are out of luck.

Up to now, Google has generally blocked ports below 1024 on its Android versions. Only on rooted devices can the administrator make the so-called well-known ports accessible, and rooting in turn weakens other IT security measures on the device.

For many years, developers in the Android bug tracker have been requesting that the restriction be lifted. However, Google has repeatedly classified this as "intentional behavior" and rejected the request ("Won't Fix"). In October 2021, a Googler offered the surprising "explanation" that "raw sockets are a constant source of kernel exploits," which is why the improvement could not be considered. However, no one had asked for raw sockets (OSI layer 2 or 3), merely for unprivileged apps to be able to use low port numbers on layer 4.

Google also dismissed at least the third attempt, about four years ago, with "Won't Fix." But last week, a possibly German developer discovered that applications in the Android 17 Developer Preview had gained access to UDP ports 319 and 320.

Following this, Google brought itself to open up partially, also for older Android versions. The fundamental approach of blocking well-known ports remains in place; such orthodoxy must apparently be maintained. At least the twelve ports listed above will be usable.


Technically, Google implements the new port whitelist using eBPF (extended Berkeley Packet Filter). It lives in the Android Mainline APEX module responsible for network connectivity, including tethering. Mainline modules are updated through Google Play system updates and do not require an update of the entire operating system, so in the future Google could add further well-known ports relatively easily if it chose to.

The prerequisites for the new port access are at least Android 13 (API level 33 or higher) and at least Linux kernel 5.15. In practice, only devices that shipped with Android 14 or later are certain to qualify. Phones that shipped with Android 13 may run kernel 5.10 or 5.15, so not all of them are covered, and devices that came onto the market with older Android versions and were later upgraded may run even older kernels.

For the Android variants Android Auto, TV, and Wear, the improvement may take longer to arrive. The same applies to Android Go, the Android variant optimized for less powerful phones and mobile networks.

Restricting low ports is also common on other Linux systems, but there administrators can usually grant an application access when needed (for example by giving it the CAP_NET_BIND_SERVICE capability). That was not the case on macOS for a long time, but since version 10.14, unprivileged applications can bind to well-known ports via the wildcard address 0.0.0.0. iOS and Windows, neither of which is Linux-based, have no such strict port-number-based blocking.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.