Back in 2009, anyone with a Nokia could have a personal website running on their own phone. Sadly this amazing piece of tech was never widely adopted. Today’s phones are far more powerful than those Nokias both in performance and battery backup and still we don’t see anyone running a server on their phone. Why?
I think this was never implemented on phones because there’s no incentive for large corporations to work on something like this.
You don’t need root to run on port 80, though. And on Ubuntu you can run a server on port 80 as well as long as the software is set up right. It’s the easiest way (and the way the “just disable SELinux” guides often recommend) but there are much better mechanisms for that.
Even if you start nginx as root under normal circumstances, nginx will drop privileges and switch to another user ID exactly because of the root user risks. Nobody wants to run web servers as root, and nobody wants Android to just add root capabilities to the standard config.
All you need is to either set CAP_NET_BIND_SERVICE=+ep on the web server or to alter net.ipv4.ip_unprivileged_port_start (just set it to 0 in your system image and ports will just work). The kernel can do this dynamically, like it handles most sandboxing and permissions. The sysctl config is a setting you can just change and one Google could fix with just a single line of code.
Well, yeah, but Nginx will still need to run on some kind of port. 80 and 443 for standard web browsers. HTTP/3 can work on any port, but support is still in beta for most web servers and leaves out a ton of clients.
I don’t use NAT for most of my services to be honest. I have about four billion IPv6 addresses available, and nginx reverse proxies work just fine for legacy IPv4 stuff.
“Just compile your own Android” isn’t the solution you may think it is. Custom ROMs are a massive pain. Unlocking the bootloader to install it will do all kinds of weird things. Things like “wiping all data” for one, and sometimes also clearing the DRM keys, breaking streaming apps on the device forever. On some Samsung phones unlocking the bootloader will disable the camera firmware, breaking most camera features until the bootloader is locked again.
I wouldn’t want to reduce security by allowing privileged ports as any user, or running modified operating systems that have lessened security baked-in. This security principle is in place for good reasons, and they should remain in place.
If you are exposing your LAN to your Internet connection, you’re doing something wrong. If you are not, but are using a firewall that doesn’t support NAT, then I don’t trust your firewall. If your firewall supports NAT, and you’re attempting to subvert Linux security measures instead of using it, then you’re doing something wrong.
I’m not sure what the security benefits of privileged ports are. Any user can run RDP, OpenVPN/Wireguard, LDAP, and a bunch of other protocols on their standard ports, but thank god they can’t run FTP or HTTP servers! IMAP servers sure are dangerous, but SIP servers should be available to any user for security purposes of course. KDE Connect will open fifty ports for SSH servers, but the important thing is that none of those ports is 22 so all is well.
macOS abolished them a while ago and I don’t believe Macs and iPhones are getting hacked left, right, and center. The security benefit is there for systems shared by many users, preventing a standard user from impersonating operating system services. There are a few shared hosts with terminal access that still need these protections, but my phone doesn’t.
As for the firewall: if you have NAT enabled on a consumer router, your firewall is essentially open the moment any device on your network runs external code, i.e. any app. Some consumer hardware can even be tricked by regular WebRTC/HTTP traffic, though that’s harder to pull off; those mechanisms only allow incoming traffic to any local port of an attacker’s choosing, not to any port on any device in your network. Thank NAT ALGs and NAT slipstreaming for that; it’s as if UPnP never went away!
I suppose you could run your own NAT without any ALGs and just not use protocols like passive FTP or SIP, but that would require a custom setup like an OpenWRT router or something of that nature.
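The two mechanisms named in the thread (CAP_NET_BIND_SERVICE on the server, or lowering net.ipv4.ip_unprivileged_port_start) can be audited from /proc. The following is an added example, not code from any commenter; the function names and the sample status text are constructed for illustration, and it assumes a Linux kernel that exposes the sysctl.

```python
from pathlib import Path

CAP_NET_BIND_SERVICE = 10   # bit number from <linux/capability.h>
SYSCTL = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")

# Constructed samples of /proc/<pid>/status for a non-root web server process.
STATUS_PLAIN_USER = "Name:\thttpd\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
STATUS_WITH_SETCAP = "Name:\thttpd\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"

def has_bind_cap(status_text):
    """True if the effective capability set includes CAP_NET_BIND_SERVICE."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_NET_BIND_SERVICE) & 1)
    raise ValueError("no CapEff line in status text")

def can_bind(port, status_text, unprivileged_start=1024):
    """Apply the kernel's rule: ports below the sysctl threshold need the
    capability. The UID itself is not consulted, only the capability set."""
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1..65535")
    if port >= unprivileged_start:
        return True, "port is not privileged under the current sysctl"
    if has_bind_cap(status_text):
        return True, "process holds CAP_NET_BIND_SERVICE"
    return False, "privileged port without CAP_NET_BIND_SERVICE (bind fails with EACCES)"

def audit(ports, status_text, unprivileged_start=1024):
    """Return {port: (allowed, reason)} for each port of interest."""
    return {p: can_bind(p, status_text, unprivileged_start) for p in ports}

if __name__ == "__main__":
    # Live check of the current process; Linux only.
    status = Path("/proc/self/status").read_text()
    start = int(SYSCTL.read_text())
    for port, (ok, why) in audit([80, 443, 8080], status, start).items():
        print(f"{port}: {'allowed' if ok else 'denied'} ({why})")
```

Run against a service's own /proc/<pid>/status to confirm it holds only the one capability it needs rather than a full root capability set.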