Tom's Blog

BubbleUPNP serves your files by default

2017-06-08: The developers have been in contact to mention that improving this is on their roadmap.

Suppose you want to use your phone as a remote control to stream Big Buck Bunny from your media server to your TV. DLNA is the set of standards that make this work.

BubbleUPNP is a popular DLNA remote control client on Android. I installed it, and it works well. But wait…

It’s insecure by default

Today I noticed that it also starts a DLNA server on your phone that serves all media on your phone, and advertises it on the LAN. This means your phone’s video/audio/image files are available to any DLNA client on your local network.

Ouch! So strangers on the tube, colleagues at work, and even my partner can see the photos on my phone?! The app has to be open, but that tends to happen sometimes.

Here’s what I could see from another UPNP device on the same network:

But can it actually access a file?

It can! (Sorry.)

Workarounds…

Workaround A: Remove the “Storage” permission?

Android supports permissions, so I can remove the app’s permission to access my files, right?!

Oh wait, now the app refuses to start.

Workaround B: Don’t advertise server on LAN

Go to: ‘Settings -> Local and Cloud -> Advertise on LAN’. Uncheck.

Who knew? I hope that persists across reinstalls, lest I forget.
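If you want to check for yourself which DLNA media servers are advertising on a network (for instance, to confirm your phone goes quiet after unticking that setting), the script below does the same SSDP discovery that any DLNA control point performs and then looks for a ContentDirectory service, which is the service a client browses to list and fetch files. It is an added example, not code from the original post or from BubbleUPNP; the IP address, port, UUID and the sample SSDP reply and device description are constructed for illustration.

```python
# Added example (not from the original post or from BubbleUPnP): find DLNA
# MediaServers on the LAN via SSDP M-SEARCH and check their device description
# for a ContentDirectory service.  Sample data below is constructed.
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900
MEDIA_SERVER_ST = "urn:schemas-upnp-org:device:MediaServer:1"
CONTENT_DIRECTORY = "urn:schemas-upnp-org:service:ContentDirectory:1"


def build_msearch(search_target=MEDIA_SERVER_ST, mx=2):
    """Build the SSDP M-SEARCH request a DLNA control point multicasts."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw):
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a dict of lower-cased
    headers; anything else (e.g. a NOTIFY) yields {}."""
    text = raw.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def content_directory_urls(device_xml):
    """Return the controlURL of every ContentDirectory service declared in a
    UPnP device description (the XML fetched from the LOCATION header)."""
    urls = []
    for service in ET.fromstring(device_xml).iter():
        if service.tag.split("}")[-1] != "service":
            continue
        stype = ctrl = None
        for child in service:
            tag = child.tag.split("}")[-1]
            if tag == "serviceType":
                stype = (child.text or "").strip()
            elif tag == "controlURL":
                ctrl = (child.text or "").strip()
        if stype == CONTENT_DIRECTORY and ctrl:
            urls.append(ctrl)
    return urls


def discover(timeout=3.0):
    """Multicast one M-SEARCH and collect (ip, USN, LOCATION, SERVER) for each
    reply.  Touches the real LAN, so it is not part of the offline checks."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            h = parse_ssdp_response(data)
            if h:
                found.append((addr[0], h.get("usn", ""),
                              h.get("location", ""), h.get("server", "")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply, shaped like a DLNA MediaServer's SSDP response.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:58050/dev/uuid-1234/desc.xml\r\n"
    b"SERVER: Linux/3.10 UPnP/1.0 ExampleServer/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:1234::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)

# Constructed sample device description (what LOCATION would serve).
SAMPLE_DEVICE_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
    <friendlyName>Example Phone</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
        <controlURL>/dev/uuid-1234/svc/ContentDirectory/action</controlURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <controlURL>/dev/uuid-1234/svc/ConnectionManager/action</controlURL>
      </service>
    </serviceList>
  </device>
</root>"""

if __name__ == "__main__":
    for ip, usn, location, server in discover():
        print(f"{ip}\t{server}\t{location}")
```

Run it on the network in question with the app open: if your phone's IP shows up with a MediaServer USN, it is still advertising. Fetching the LOCATION URL and feeding the XML to `content_directory_urls` tells you whether the browse/fetch service is exposed; an empty list after unticking ‘Advertise on LAN’ is what you want to see, though note that SSDP advertisement and the HTTP server itself are separate things, so a server that no longer advertises may still answer if someone already knows its address.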

Workaround C: Find an alternative that is secure by default, and doesn’t require Storage permission

If you find one that works, let me know!

Conclusion

BubbleUPNP assumes all clients on the same network are trusted. This offers convenience, but isn’t true for many of the networks I connect to.

Or maybe stop taking dick pics?

I emailed the developers with this information on 4th June, suggesting they fix the defaults, and that I’d be posting this on 7th June. They did not respond.
