• czech
    57
    11 months ago

    Why though? I see intermittent availability, battery drain and security being issues and I don’t see any up-sides.

    • keeb420
      13
      11 months ago

      also why would every person need a webpage? i can at least get social media where you can see other people’s pages or posts or whatever and comment on it or chat through the service. but that won’t work if we all have different webpages.

      • @[email protected]
        1
        11 months ago

        Assuming you’re hosting on a cellular network, but actually to run a small site on a local network connected by wifi it would be an option. Not necessarily the best option, but doable and yeah the battery life could be useful for intermittent power situations.

  • @[email protected]
    English
    36
    11 months ago

    I suppose I could be convinced, but my gut reaction is this is a bad idea. Most people aren’t security oriented, and would put themselves at risk with poorly updated websites that are an attack vector for bad actors… There’s a lot more at stake in regards to what personal data lives on your phone… the richest concentration of your PII.

    Also, my battery life is already precious. And what if you’re out of cell range or the network is overloaded? Your site just stops working?

    • Falken
      4
      11 months ago

      Even if you’re security oriented it seems many frown upon any self hosting whatsoever.

    • FaceDeer
      1
      11 months ago

      I wouldn’t expect anything like this proposal to be mandatory. I’d want it as something I could turn on if I felt I needed it.

      • @[email protected]
        English
        1
        11 months ago

        If you give people this ability, most of the ones who use it are going to put themselves at risk.

        Maybe you feel that’s their own problem. Sometimes you need to protect people from themselves. The phone vendors sure as hell don’t want to start seeing news stories of their devices getting hacked all the time.

        And how do you feel about your site visitors not being able to hit your page when your local network is overloaded?

        • FaceDeer
          2
          11 months ago

          Having my phone not be able to do something I want it to do is my problem.

          > Sometimes you need to protect people from themselves.

          That’s why you have it turned off by default.

          > And how do you feel about your site visitors not being able to hit your page when your local network is overloaded?

          Compared to how it is right now, when I can’t run a site on my phone at all? It would be a significant improvement.

          • @[email protected]
            English
            0
            11 months ago

            > Having my phone not be able to do something I want it to do is my problem

            I meant, it’s arguable that if people use this feature and expose themselves, that’s their own fault. I’m not sure what you thought I meant.

            > That’s why you have it turned off by default

            It’s off by default, but still there for uneducated and unskilled people to turn on and leave themselves exposed.

            > … significant improvement

            Vs just paying a few bucks for linode that’s got multiple 9s of uptime? It doesn’t seem worth it.

    • Skull giverOP
      0
      11 months ago

      What’s the practical difference between listening on [::]:80 and POST-ing an encrypted bundle of JSON? For this to be a problem, you need to run internet connected code on the device already.

      Also, nobody is forcing you to host a website on your phone! It’s just weird that you can’t do it if you want to.

      • @[email protected]
        English
        3
        11 months ago

        Here’s what I’m imagining. The phone is listening on port 80, probably running some jacked up plug-in to play a favorite song. The user probably installs it and then forgets it’s there. The plug-in becomes severely out of date, running code with multiple zero day exploits. In the best case scenario it is running your battery down and using up your bandwidth, it’s commonly just unavailable because your metro area cell network is jammed so your visitors can’t access the site at all, and worst case it can be tricked into running local scripts that do nefarious things.

        • Skull giverOP
          -1
          11 months ago

          It’d be hard to forget about because persistent daemons require a persistent notification. Android also submits regular reminders about background apps if you’ve hidden the persistent notification.

          This risk exists with all apps, though! Abandoned apps regularly get bought out and infected with adware or other malware. Anything user content facing has the risk to be exploited down the line.

          I think people have become quite paranoid about open ports since the XP era where every machine hooked up to the internet would be infected within seconds. People still use Windows 7 as daily drivers and so far the risk is much lower than I ever expected at least.

          • @[email protected]
            English
            0
            11 months ago

            You are commenting as if everyone who would turn this feature on would have the technical acumen to understand how any of it works.

            • Skull giverOP
              -1
              11 months ago

              And you are commenting as if this isn’t possible for malicious use already on any port above 1024. Unless you have a firewall installed, there’s a good chance an app on your phone has opened a port right this moment.

              The only change I would need for Android is that a) the 70s UNIX privilege port legacy should be dropped and b) phones should have a special, popup based permission, like location access. The risks are all there already, if we’re going to be risking random adware serving up crapware and destroying your data connection, we might as well see the benefits as well.

              • some_guy
                3
                11 months ago

                We get it dude; you wanna run servers off of android.

                Good thing the base is open source, you can go ahead and build that dream phone OS that doesn’t care about your personal security.

                Nobody else wants to do this so I’m not sure why you’re arguing too hard for everyone to be able to do it. Why would I want to self host a website on a phone and expose myself to a million new attack vectors when there’s free hosting available en masse?

                I run a server now for lots of local stuff and I still pay for a web server so my home isn’t constantly exposed to the internet at large. Why the fuck would anyone want to do that, IDK. It’s a fucking privacy nightmare.

  • @[email protected]
    27
    11 months ago

    A cheap pi can host a website. And your phone can too. The reason not to do so is impracticality.

  • @[email protected]
    24
    11 months ago

    The reason you can’t host as port 80 on unmodified Android isn’t because “Google won’t let you.” Android is open source. You can do what you want with it. Android runs on Linux, and ports 0-1023 are privileged ports that can only be used as root.

    Unmodified Android does not allow userland apps to run as root for very good reasons, so you don’t have access to these ports. That’s all there is to it. If you attempted to do the same thing on Ubuntu, you would also not be able to use port 80 without root.

    However, this is a naive approach to hosting a website. Production web stacks, when hosted on a machine, typically use a least-privileged model where not only ports are banned, but most file access is, too.

    Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.

    If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?

    • @[email protected]
      7
      11 months ago

      It’s also not practical. Why would I want outside people connecting to my phone constantly? Security risk? Battery drain? Inconsistent IP Address? Just host it somewhere designed for hosting lol

    • @[email protected]
      3
      11 months ago

      The other issue is phones would not typically have a public IP without ipv6. You are also unlikely to have a static (consistent) IP address.

      • @[email protected]
        3
        11 months ago

        I don’t think it’s a great idea to host a website on cellular data. If I had to serve something with a mobile device, I’d use USB networking, or a USB to Ethernet adapter.

    • Skull giverOP
      -5
      11 months ago

      You don’t need root to run on port 80, though. And on Ubuntu you can run a server on port 80 as well as long as the software is set up right. It’s the easiest way (and the way the “just disable SELinux” guides often recommend) but there are much better mechanisms for that.

      Even if you start nginx as root under normal circumstances, nginx will drop privileges and switch to another user ID exactly because of the root user risks. Nobody wants to run web servers as root, and nobody wants Android to just add root capabilities to the standard config.

      All you need is to either CAP_NET_BIND_SERVICE=+ep on the web server or to alter net.ipv4.ip_unprivileged_port_start (just set it to 0 in your system image and ports will just work). The kernel can do this dynamically, like it handles most sandboxing and permissions. The sysctl config is a setting you can just change and one Google could fix with just a single line of code.

      > Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.

      Well, yeah, but Nginx will still need to run on some kind of port. 80 and 443 for standard web browsers. http/3 can work on any port, but support is still in beta for most web servers and leaves out a ton of clients.

      > If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?

      I don’t use NAT for most of my services to be honest. I have about four billion IPv6 addresses available, and nginx reverse proxies work just fine for legacy IPv4 stuff.

      “Just compile your own Android” isn’t the solution you may think it is. Custom ROMs are a massive pain. Unlocking the bootloader to install it will do all kinds of weird things. Things like “wiping all data” for one, and sometimes also clearing the DRM keys, breaking streaming apps on the device forever. On some Samsung phones unlocking the bootloader will disable the camera firmware, breaking most camera features until the bootloader is locked again.
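
Added example, not written by any commenter in this thread: a C program for a generic Linux host that reads the two mechanisms named in the comment above (`net.ipv4.ip_unprivileged_port_start` and `CAP_NET_BIND_SERVICE`), predicts whether a bind to port 80 is permitted, and then attempts it on `[::]:80`. The function names are this example's own, and the `/proc` text used to exercise the parser is constructed.

```c
/* Added example (not from the thread): explain whether this process may
 * bind a low TCP port on Linux, then try the bind. */
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* value from <linux/capability.h> */

/* Extract the effective capability mask from /proc/<pid>/status text. */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}

/* Kernel rule: ports below the sysctl threshold need CAP_NET_BIND_SERVICE. */
int may_bind(int port, int unpriv_start, uint64_t cap_eff)
{
    if (port >= unpriv_start)
        return 1;
    return (int)((cap_eff >> CAP_NET_BIND_SERVICE_BIT) & 1);
}

/* Read the threshold; 1024 is the kernel default if the file is unreadable. */
int read_unpriv_start(void)
{
    int v = 1024;
    FILE *f = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r");
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = 1024;
        fclose(f);
    }
    return v;
}

/* Effective capabilities of the current process (0 if /proc is missing). */
uint64_t read_cap_eff(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return parse_cap_eff(buf);
}

/* Bind [::]:port without listening; return 0 on success, else errno. */
int try_bind(int port)
{
    struct sockaddr_in6 a;
    int err = 0;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    memset(&a, 0, sizeof a);
    a.sin6_family = AF_INET6;
    a.sin6_port = htons((uint16_t)port);
    a.sin6_addr = in6addr_any;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    int start = read_unpriv_start();
    uint64_t caps = read_cap_eff();
    int err = try_bind(80);
    printf("ip_unprivileged_port_start=%d CapEff=%016llx\n",
           start, (unsigned long long)caps);
    printf("predicted: %s, bind([::]:80): %s\n",
           may_bind(80, start, caps) ? "allowed" : "denied",
           err ? strerror(err) : "ok");
    return 0;
}
```

The prediction covers only the port threshold and the capability bit; a bind can still fail for other reasons, such as the port already being in use or an SELinux policy denial.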

      • @[email protected]
        2
        11 months ago

        I wouldn’t want to reduce security by allowing privileged ports as any user, or running modified operating systems that have lessened security baked-in. This security principle is in place for good reasons, and they should remain in place.

        If you are exposing your LAN to your Internet connection, you’re doing something wrong. If you are not, but are using a firewall that doesn’t support NAT, then I don’t trust your firewall. If your firewall supports NAT, and you’re attempting to subvert Linux security measures instead of using it, then you’re doing something wrong.

        • Skull giverOP
          1
          11 months ago

          I’m not sure what the security benefit of privileged ports is. Any user can run RDP, OpenVPN/Wireguard, LDAP, and a bunch of other protocols on their standard ports, but thank god they can’t run FTP or HTTP servers! IMAP servers sure are dangerous, but SIP servers should be available to any user for security purposes of course. KDE Connect will open fifty ports for SSH servers, but the important thing is that none of those ports is 22 so all is well.

          macOS abolished them a while ago and I don’t believe macs and iPhones are getting hacked left, right, and center. The security benefit is there for systems shared by many users, preventing a standard user from impersonating operating system services. There are a few shared hosts with terminal access that still need these protections, but my phone doesn’t.

          As for the firewall: if you have NAT enabled on a consumer router, your firewall is essentially open the moment any device on your network runs external code, i.e. any app. Some consumer hardware can even be tricked by regular WebRTC/HTTP traffic, though that’s harder to pull off; those mechanisms only allow incoming traffic to any local port of an attacker’s choosing, not to any port on any device in your network. Thank NAT ALGs and NAT slipstreaming for that; it’s as if UPnP never went away!

          I suppose you could run your own NAT without any ALGs and just not use protocols like passive FTP or SIP, but that would require a custom setup like an OpenWRT router or something of that nature.

  • @[email protected]
    14
    11 months ago

    I just found ServeIt on fdroid. I tried it with a simple html website and it works on my phone. It does exactly what you ask.

      • @[email protected]
        4
        11 months ago

        On my non-jailbroken phone it doesn’t. The default port is 8888 and you can change it, but it doesn’t start if you specify 80. I don’t know if jailbreaking allows that.

        • @[email protected]
          3
          11 months ago

          I have to add that it shouldn’t matter much though. If anyone is around you, which would be the main use case, it provides you with a QR code that they can scan and view your website.

          • @[email protected]
            1
            11 months ago

            Yeah and if you really want it to be accessible from WAN, just forward port 80 on your router to the phone.

  • @[email protected]
    English
    10
    11 months ago

    There’s not really anything stopping someone from writing the necessary code to make this work, but why do that when you can use an always-online, non-battery-powered computer as your web server?

    • Skull giverOP
      0
      11 months ago

      Phones are more powerful than a Raspberry Pi, even have more RAM these days, come with a built in UPS, and have tons of hardware to access nearby devices. That’s pretty useful in tons of situations, like monitoring services, IoT servers, whatever you want.

      • @[email protected]
        4
        11 months ago

        The battery in a phone only functions as a UPS if it’s plugged in 24/7, in which case it isn’t usable as a phone.

        • Skull giverOP
          3
          11 months ago

          An old phone plugged into a car or left on top of a cupboard is still a phone. It has Bluetooth capabilities, Google Assistant, GPS for use in cars, the list goes on. People use them as wall interfaces for IoT interfaces, so why can’t you just run Home Assistant on them directly?

          Plus, phones provide cellular data and actual phone calls, something that’s very expensive to plug into a raspberry pi or comparable micro server.

          • ChaoticNeutralCzech
            1
            11 months ago

            I have a couple rooted Android 4 phones that I could use but they would be rather slow and have security vulnerabilities. Unless someone makes a custom ROM for the obscure models I have, these problems won’t go away.

  • ares35
    9
    11 months ago

    from the linked article:

    > The reason I think this is needed is because a large percent of Internet users cannot afford hosting personal websites.

    that isn’t really the case these days. there are a bunch of free options available–from companies large and small, non-profits and user groups, shared public servers, etc. you can’t run a large download server or a resource-hogging scripted application off something like that, but you won’t be doing those things off your phone and mobile data, either.

    • Skull giverOP
      0
      11 months ago

      I’m not so sure. India isn’t known for its high spend on Amazon cloud fees. Billions of people are stuck behind mobile 4G with little spending money to actually host anything.

      Free services exist, but they’re far less capable than just hosting a simple server on an old phone stuck to a charger in a cupboard somewhere. I’ve used shared hosting for ages and it’s just not great.

      Data costs are a thing, but there are a lot of “unlimited 2G speed” subscriptions that provide opportunities for personal projects and services.

      There are options, of course. Tor works well for hosting a service and it’s pretty secure too. Remembering the hostname and linking others is just a huge pain.

      • @[email protected]
        5
        11 months ago

        If you’re sticking an old device into a closet stuck to a charger, a phone is like the worst thing for that. Heck, even an old laptop running Linux would probably allow you to charge it, have an external HDD, and Ethernet at the same time, which already puts it miles ahead of a phone.

        Android is open source, so if you really want to do this with an old device, you can build yourself a custom rom and do so. But there is no way that it’s a good play for Google to spend engineering time and resources to build something that is at best a poor replacement for countless existing solutions.

        • ChaoticNeutralCzech
          2
          11 months ago

          I think a root app that runs on Android 4 would work but the devs would have to implement modern standards (TLS 1.2) themselves, the performance would be bad and the phone will probably have known security vulnerabilities.

  • @[email protected]
    7
    11 months ago

    I don’t think it’s a good idea. Most people are not tech-oriented, which means it will be a huge security risk. And I want my smartphone to be a phone first and foremost. I want it to have a good battery life so that if I need to make an emergency call, I can rely on it.

    • ChaoticNeutralCzech
      1
      11 months ago

      I use a dumb phone for that, and due to my provider’s oversight, I get 1 MB for free a day on a prepaid card, enough for basic stuff like train timetables on Opera Mini (no email due to privacy concerns but I am frequently enough on Wi-Fi anyway). So I carry two phones: my smartphone has no SIM card and is used most of the time while my Nokia lasts a week while in standby.
      So neither phone could work as a server, nor would most of anyone else’s given that everyone expects 100% uptime, which phones don’t really provide.

      However, how about using one of the three rooted Android 4.4 phones in my drawer? My home Wi-Fi, a USB charger and a root app that runs a remotely maintainable web server would make it a great website hosting option. Sadly, I don’t know any Java and few people develop for Android versions before 5, among other things because of its bring-your-own-TLS-1.2-implementation necessity.

    • Skull giverOP
      -2
      11 months ago

      I hope you do realise that this is already possible on mobile devices, it’s just not possible to use a few specific restricted ports.

    • Skull giverOP
      -5
      11 months ago

      True, but those are either available in limited supply in any nearby location, only free for a short while or provide servers that are slower than a smartphone.

      You can set up a VPN with port forwards to get around this problem, but that’s a waste of a server in some kind of data center when the phone itself would be perfectly capable anyway.

      Things intended for local use, like Pihole also don’t work on cloud servers without getting banned for DNS abuse.

      • @[email protected]
        5
        11 months ago

        What are you talking about? GitHub pages is just one example of a web page host that’s free for everyone, super fast and reliable.

        Even if you need to host something that has a backend, there are free options with significantly fewer downsides than hosting on your phone.

        Cloud servers may be a bad solution for things like Pihole, but your phone would be dead in four hours if you were forcing it to stay awake to respond to every DNS request on your network.

        If you’re talking about using your phone as a stationary server that you leave plugged in, isn’t that just an extremely overpriced raspberry pi with no free IO ports?

        It’s an interesting idea, but it’s just so much worse than any other option that I can’t imagine anyone seriously wanting to do it.

      • JWBananas
        English
        3
        11 months ago

        > Things intended for local use, like Pihole also don’t work on cloud servers without getting banned for DNS abuse.

        Are you talking about running a public DNS resolver?

        That’s a very different topic that wasn’t part of the original post as far as I can tell.

        There have always been (and there always will be) countless solutions for hosting a website for free. Even ignoring the security implications, mobile networks are not designed to do what you want to do. Full stop. If you can’t find a cloud provider in 2023 that will host a free website that will meet your needs, you aren’t looking hard enough.

        Mobile providers spend billions in CAPEX every single year to keep up with ever-increasing demand (spectrum, base stations, radios, antennas, etc.) and even then they can barely keep up in some areas.

        Every device attached to a given cell shares the resources of that cell. And uplink bandwidth is specifically scarce. Don’t be a bad neighbor.

      • @[email protected]
        2
        11 months ago

        I’ve been using AWS Amplify for the past five years completely for free. You’d have to get a huge website to get to the point where they start charging

  • @[email protected]
    4
    11 months ago

    A lot of people have old phones whose batteries are too degraded to be useful for much, those could be used as servers with much less problems than any other phone (no spotty connectivity, no changing mobile network IPs, no cutting into the battery life of your phone)

    • Skull giverOP
      2
      11 months ago

      There are a few guides out there on how you can replace the battery of many phones with a capacitor and just hook the device up directly to the wall. This is also a good idea for some devices attached directly to a moving power source (i.e. cheap tablets or old phones used as car navigation exclusively).

      In some phones you can install PostmarketOS and get the full Linux experience (including docker/k8s if you really want to).

  • ChaoticNeutralCzech
    2
    11 months ago

    Of course, they are more than capable enough (if you remain connected to the network and don’t care about the battery drain).

    However, society is so used to “THE CLOUD” that this seems backwards.

    • Skull giverOP
      1
      11 months ago

      Theoretically: yes! You can install nginx through tmux and it takes about five minutes including the download.

      Practically: not really. Phone operating systems are real weird about daemons, and Android for sure blocks ports below 1024 if you’re not root as if you’re some kind of 70s shared minicomputer.

  • @[email protected]
    English
    2
    11 months ago

    This is like Apple not allowing you to have root access to your device. Today we’ve computers in our pockets that are more powerful than laptops from 10 years ago yet we can’t use them because they’re locked down. :(

  • @[email protected]
    English
    1
    11 months ago

    No thanks. Linode lets you set up a cheap server for $5 a month, my cellphone is 30$ a month with limited data, and my house is basically a faraday cage.

    • Saik0
      English
      1
      11 months ago

      So just because it doesn’t make sense for you… it shouldn’t be allowed at all?

      • @[email protected]
        English
        4
        11 months ago

        The end user experience for your website would be terrible and inconsistent, phones don’t have the kind of uptime and availability that you would need, and keeping them plugged in 24/7 in a closet doing computational tasks is a good way to end up with battery bulge and one spicy mini pillow.

        There are too many nefarious purposes that could benefit from being able to serve public web services from your smartphone and no consumer benefits that average people would care about.

        Fortunately it doesn’t matter what I want to allow and is up to the cellular service providers which have all kinds of stipulations about what constitutes as service abuse and using an inordinate amount of bandwidth is usually one of them.

        So for security, safety and service stability reasons, yeah, there is no legitimate reason why it SHOULD be allowed. Just spend the $5 monthly on the hardware and bandwidth instead of potentially making your neighbors’ cell data worse or setting your house on fire/blowing up your closet just so you can have an unconventional web server.

        • Saik0
          English
          -1
          11 months ago

          > The end user experience for your website would be terrible and inconsistent

          The internet is a massive hodge-podge of different devices. There’s literally no difference in how it’s done now already. Walking through my datacenter I see 10th gen dells still in service.

          > phones don’t have the kind of uptime and availability that you would need

          For homelab? or setting up a personal lemmy instance? It really depends on the purpose. And the premise from the OP has been “personal”.

          > keeping them plugged in 24/7 in a closet doing computational tasks is a good way to end up with battery bulge and one spicy mini pillow.

          Many phones do “only charge to 80%” sort of setting. Negates this nearly completely.

          > Fortunately it doesn’t matter what I want to allow and is up to the cellular service providers which have all kinds of stipulations about what constitutes as service abuse and using an inordinate amount of bandwidth is usually one of them.

          Phones can connect to other services you know… It’s not all about cellular. And many phone companies support home/business connections over their network.

          > So for security safety and service stability reasons, yeah, there is no legitimate reason why it SHOULD be allowed.

          There’s tons of legitimate reasons… Such as I want to do what I want with my device.