Back in 2009, anynone with a Nokia could have a personal website running on their own phone. Sadly this amazing piece of tech was never widely adopted. Today’s phone are far more powerful than those Nokias both in performance and battery backup and still we don’t see anyone running a server on their phone. Why?
I think this was never implemented on phones because there’s no incentive for large corporations to work on something like this.
The reason you can’t host as port 80 on unmodified Android isn’t because “Google won’t let you.” Android is open source. You can do what you want with it. Android runs on Linux, and ports 0-1023 are privileged ports that can only be used as root.
Unmodified Android does not allow userland apps to run as root for very good reasons, so you don’t have access to these ports. That’s all there is to it. If you attempted to do the same thing on Ubuntu, you would also not be able to use port 80 without root.
However, this is a naive approach to hosting a website. Production web stacks, when hosted on a machine, typically use a least-privileged model where not only ports are banned, but most file access is, too.
Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.
If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?
It’s also not practical. Why would I want outside people connecting to my phone constantly? Security risk? Battery drain? Inconsistent IP Address? Just host it somewhere designed for hosting lol
The other issue is phones would not typically have a public IP without ipv6. You are also unlikely to have a static (consistent) IP address.
I don’t think it’s a great idea to host a website on cellular data. If I had to serve something with a mobile device, I’d use USB networking, or a USB to Ethernet adapter.
You don’t need root to run on port 80, though. And on Ubuntu you can run a server on port 80 as well as long as the software is set up right. It’s the easiest way (and the way the “just disable SELinux” guides often recommend) but there are much better mechanisms for that.
Even if you start nginx as root under normal circumstances, nginx will drop privileges and switch to another user ID exactly because of the root user risks. Nobody wants to run web servers as root, and nobody wants Android to just add root capabilities to the standard config.
All you need is to either
CAP_NET_BIND_SERVICE=+ep
on the web server or to alternet.ipv4.ip_unprivileged_port_start
(just set it to 0 in your system image and ports will just work). The kernel can do this dynamically, like it handles most sandboxing and permissions. The sysctl config is a setting you can just change and one Google could fix with just a single line of code.Well, yeah, but Nginx will still need to run on some kind of port. 80 and 443 for standard web browsers. http/3 can work on any port, but support is still in beta for most web servers and leaves out a ton of clients.
I don’t use NAT for most of my services to be honest. I have about four billion IPv6 addresses available, and nginx reverse proxies work just fine for legacy IPv4 stuff.
“Just compile your own Android” isn’t the solution you may think it is. Custom ROMs are a massive pain. Unlocking the bootloader to install it will do all kinds of weird things. Things like “wiping all data” for one, and sometimes also clearing the DRM keys, breaking streaming apps on the device forever. On some Samsung phone unlocking the bootloader will disable the camera firmware, breaking most camera features until the bootloader is locked again.
I wouldn’t want to reduce security by allowing privileged ports as any user, or running modified operating systems that have lessened security baked-in. This security principle is in place for good reasons, and they should remain in place.
If you are exposing your LAN to your Internet connection, you’re doing something wrong. If you are not, but are using a firewall that doesn’t support NAT, then I don’t trust your firewall. If your firewall supports NAT, and you’re attempting to subvert Linux security measures instead of using it, then you’re doing something wrong.
I’m not sure what the security benefits of privileged ports is. Any user can run RDP, OpenVPN/Wireguard, LDAP, and a bunch of other protocols on their standard ports, but thank god they can’t run FTP or HTTP servers! IMAP servers sure are dangerous, but SIP servers should be available to any user for security purposes of course. KDE Connect will open fifty ports for SSH servers, but the important thing is that none of those ports is 22 so all is well.
macOS abolished them a while ago and I don’t believe macs and iPhones are getting hacked left, right, and center. The security benefit is there for systems shared by many users, preventing a standard user from impersonating operating system services. There are a few shared hosts with terminal access that still need these protections, but my phone doesn’t.
As for the firewall: if you have NAT enabled on a consumer router, your firewall is essentially open the moment any device on your network runs external code, i.e. any app. Some consumer hardware can even be tricked by regular WebRTC/HTTP traffic, though that’s harder to pull off; those mechanisms only allow incoming traffic to any local port of an attacker’s choosing, not to any port on any device in your network. Thank NAT ALGs and NAT slipstreaming for that; it’s as if UPnP never went away!
I suppose you could run your own NAT without any ALGs and just not use protocols like passive FTP or SIP, but that would require a custom setup like an OpenWRT router or something of that nature.