Local Server

Generally, an Android app does not run an active service (listener) on the device. However, it is possible that an app runs its own web server in order to serve up content through a reverse proxy. This is rare, but it does happen. During a penetration testing engagement, you should check whether the app accepts incoming connections.

To determine whether the app is running as a server, check the ports that the device is listening on before the app is launched and then again after.

% adb shell
% su
sunfish:/ # netstat -an | grep -iw listen
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27042 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:43131 :::* LISTEN
tcp6 0 0 :::40967 :::* LISTEN

Run the same command after starting up the app:

sunfish:/ # netstat -an | grep -iw listen

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27042 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::8080 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:43131 :::* LISTEN
tcp6 0 0 :::40967 :::* LISTEN

We can see from the output after starting the app that there are two new entries (one for tcp over IPv4 and one for tcp6 over IPv6) listening on port 8080.

We can also see that the service listening on port 8080 is bound to all interfaces on the device, as evidenced by the listening address of 0.0.0.0:

0.0.0.0:8080

Essentially, anyone on the same network as the device - either Wi-Fi or Cellular - would be able to craft a request to send to the device (app) which would be accepted.
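
The before/after comparison above can be scripted. The following is an added example, not part of the original page: a shell function (the name new_listeners and the scope labels are hypothetical) that takes the two captures shown on this page and prints only the listeners that appeared after launch, labelled by how widely they are bound.

```shell
#!/bin/sh
# Added example (not from the original page): diff two captures of
# `netstat -an | grep -iw listen` taken before and after launching the app.

# Sample input: the two captures shown on this page.
BEFORE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27042 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:43131 :::* LISTEN
tcp6 0 0 :::40967 :::* LISTEN'

AFTER='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27042 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::8080 :::* LISTEN
tcp6 0 0 ::ffff:127.0.0.1:43131 :::* LISTEN
tcp6 0 0 :::40967 :::* LISTEN'

# new_listeners BEFORE AFTER  (hypothetical helper name)
# Prints "<proto> <local-address> <scope>" for each listener only in AFTER.
# scope: all-interfaces (0.0.0.0 or ::), loopback, or specific-address.
new_listeners() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--"     { after = 1; next }   # separator between captures
        $6 != "LISTEN" { next }              # skip blanks and other states
                       { key = $1 " " $4 }   # protocol + local address
        !after         { seen[key] = 1; next }
        !(key in seen) {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # drop the trailing :port
            if (addr == "0.0.0.0" || addr == "::")
                scope = "all-interfaces"     # reachable from the network
            else if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./)
                scope = "loopback"           # reachable on-device only
            else
                scope = "specific-address"
            print $1, $4, scope
        }'
}

new_listeners "$BEFORE" "$AFTER"
```
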

While there is a very good chance this port is from our app (since it showed up after starting it), let's validate that to make sure:

sunfish:/ # netstat -an -p tcp | grep -w 8080
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1367/http-alt
tcp6 0 0 :::8080 :::* LISTEN 1367/http-alt

From the output, we can see that the service is listed as http-alt and the process ID is 1367 (which, for this example, we will say belongs to our app).

Next, place the app in the background and see whether the listening port goes away or persists on the device. You will want to understand how the app behaves and the exposure of that port.


For good measure, let's run an nmap scan on it to verify that it accepts the requests. In the example below, 192.168.0.179 is the IP address of the device on a Wi-Fi network.

% sudo nmap -sS -p8080 192.168.0.179
Starting Nmap 7.93 ( https://nmap.org ) at 2022-09-11 15:38 EDT
Nmap scan report for 192.168.0.179
Host is up (0.081s latency).

PORT STATE SERVICE
8080/tcp open http-proxy
MAC Address: B2:27:89:70:89:89 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Once we are confident that the app we are testing is the source of the listening port, take a look at the libraries that the app is using to see if you can determine which package is implementing this behavior.

Typically, these will be in the lib directory for the app on the device.


Common Ports

TCP Port    Service
22          sshd
27042       frida-server
40807       com.google.android.apps.youtube.music
41515       frida-server (IPv6)