
Port open on device

Description

The application starts one or more servers listening on a local port. Access to the open port is not restricted, so any other application installed on the device can connect to it and use it to perform actions on the user's behalf without authorization.

The port can also be reached from outside the device: a drive-by attack from a web page loaded in the device's browser, or a DNS rebinding attack that points an attacker-controlled hostname at 127.0.0.1, lets a remote attacker send requests to the server on localhost.

Recommendation

Before creating a local server for your application, consider the following:

  • Avoid exposing sensitive files or privileged operations over the local server.
  • Require authentication and authorization, for example a secret generated on every launch that only the application's own components know.
  • Reject requests whose Host header is not a loopback name and browser requests that carry an Origin header, so that DNS rebinding and drive-by pages cannot reach the server.
  • Consider alternative implementations (platform IPC mechanisms) rather than a local server.
  • Bind only to the loopback address (127.0.0.1 or ::1), never to 0.0.0.0 or :: (all interfaces), so that other hosts on the same network cannot reach the server.
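The following is an added example, not code from the original page or from any particular product; it shows the recommendations above applied to a minimal local HTTP server, with a loopback bind, a per-launch bearer token, a Host check against DNS rebinding and an Origin check against drive-by browser requests, and then probes it the way an unprivileged co-installed app, a rebinding page and a trusted in-app client would. Python's standard library is used because the pattern is language-independent; the `/status` route, the `attacker.example` hostname and the `LocalApiServer`/`probe`/`demo` names are assumptions for the demonstration, and the same checks carry over to whatever embedded HTTP library a mobile app uses.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http import HTTPStatus

# Only these names may appear in the Host header; anything else means the
# client resolved some other name to this device (DNS rebinding).
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def host_name(header_value):
    """Extract the host part of a Host header ("127.0.0.1:8080" -> "127.0.0.1",
    "[::1]:8080" -> "::1"); returns None when the header is empty or malformed."""
    try:
        return urllib.parse.urlsplit("//" + header_value).hostname
    except ValueError:
        return None


class LocalApiHandler(http.server.BaseHTTPRequestHandler):
    """Hardened handler: every request must pass three checks before it is served."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        # 1. DNS rebinding defence: a browser that resolved attacker.example to
        #    127.0.0.1 still sends "Host: attacker.example", so refuse it.
        if host_name(self.headers.get("Host", "")) not in LOOPBACK_HOSTS:
            self.send_error(HTTPStatus.MISDIRECTED_REQUEST)
            return
        # 2. Drive-by defence: cross-origin browser requests carry an Origin
        #    header; the app's own in-process client never does.
        if "Origin" in self.headers:
            self.send_error(HTTPStatus.FORBIDDEN)
            return
        # 3. Per-launch bearer token, compared in constant time.
        expected = f"Bearer {self.server.token}".encode()
        supplied = self.headers.get("Authorization", "").encode()
        if not secrets.compare_digest(supplied, expected):
            self.send_error(HTTPStatus.UNAUTHORIZED)
            return
        body = b'{"status":"ok"}'
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class LocalApiServer(http.server.ThreadingHTTPServer):
    daemon_threads = True

    def __init__(self, bind_addr="127.0.0.1"):
        # Weak setting: bind_addr="0.0.0.0" (or "::") exposes the server to every
        # host on the phone's network; the loopback address keeps it on-device.
        super().__init__((bind_addr, 0), LocalApiHandler)  # port 0 = ephemeral
        self.token = secrets.token_urlsafe(32)  # fresh secret on every launch


def start_server(bind_addr="127.0.0.1"):
    srv = LocalApiServer(bind_addr)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, headers):
    """Send one GET to the local server and return the HTTP status code."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/status", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Run the server and probe it as each class of client would (constructed requests)."""
    srv = start_server()
    port = srv.server_address[1]
    good = {"Authorization": f"Bearer {srv.token}"}
    try:
        return {
            "other_app_no_token": probe(port, {}),
            "other_app_guessed_token": probe(port, {"Authorization": "Bearer " + "A" * 43}),
            "dns_rebinding": probe(port, {**good, "Host": "attacker.example"}),
            "drive_by_browser": probe(port, {**good, "Origin": "https://attacker.example"}),
            "trusted_client": probe(port, good),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The token check is what stops a co-installed app; the Host check is what stops DNS rebinding, since the token alone does not help once a rebound page can talk to the port, and the Origin check is belt-and-braces for browser-originated requests. Note that a co-installed app can still see the listening port with `netstat`-style enumeration; the example only prevents it from doing anything useful with it.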

Standards

  • OWASP_MASVS_L1:
    • MSTG_NETWORK_1
    • MSTG_NETWORK_2
  • OWASP_MASVS_L2:
    • MSTG_NETWORK_1
    • MSTG_NETWORK_2
  • PCI_STANDARDS:
    • REQ_1_2
    • REQ_2_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_NETWORK_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5