Confused by (in)security of Android app BubbleUPNP

Hi!
In the firewall world I am accustomed to always turning off DLNA and UPnP. Easy too, since I have never had a use case for them being activated.

Now though, I am venturing closer to such a use case, but I find myself incapable of assessing the risks involved.

My home LAN is all closed down to the internet. Nothing open from the outside. The few IoT devices I have are all forbidden by pfSense rules to reach out to the internet apart from to places I trust. Case in point: a Raspberry Pi running the MoodeAudio music Linux distro. It serves music to my hifi from my NAS and also streams a few selected internet radio stations.

I also use Qobuz music streaming service, until now casting from their native Android app to a Chromecast Audio device. However, the chromecast does not do gapless, and as a fan of opera that bugs me A LOT. Qobuz, just like Tidal, does not have a Connect feature.

So I read that a lot of people on reddit stream Qobuz content with an app called BubbleUPnP for DLNA/Chromecast from Bubblesoft. I give it my Qobuz credentials and use that Android app to browse the music offered on Qobuz and initiate playback, but it is the actual Raspberry Pi that contacts the Qobuz servers and fetches the music files. I have limited its access to an IP range that seems to work. The Raspberry Pi runs a “UPnP client for MPD” that makes it act like a “media renderer”. It does not run any server.

But I don’t know what all this entails with regard to my phone. Is the app a security risk on my phone, now with access to my LAN? In the app’s settings, a local media server is enabled with a default network name, but other settings are greyed out and require installation of a UPnP media server app, also from Bubblesoft. I can do what I want without that extra app, but that “local media server” is still also enabled in settings in order to be able to stream cloud media to my LAN.

I just can’t wrap my head around all this. Do I have a dangerous server or service running on my phone? Is it a security risk?

I have tried probing my phone with GRC ShieldsUP with the Wi-Fi turned on and off - Wi-Fi is completely stealth, but on the mobile network there are plenty of open ports reported, but I don’t know if they are on my phone or some proxy device in the middle belonging to my carrier.

I would so like to have that gapless playback, but not at the price of running servers/services on my phone using “stay away from”-protocols.

Sorry, this became a long-winded question, but I would really appreciate feedback. Perhaps it could even be a topic for a video @LTS_Tom? I see this BubbleUPnP being recommended in many articles and perhaps it is a blind spot in terms of security, with many people not realizing they open themselves up for attack (including me?).
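The question above is really "which UPnP listeners are open on my LAN, and is one of them my phone?". An external scan from ShieldsUP cannot answer that, because UPnP discovery happens over SSDP multicast inside the LAN. The script below is an added example (not from the post, not Bubblesoft's code) that sends one standard SSDP M-SEARCH from any machine on the same Wi-Fi segment and lists every device that answers, together with the host:port of the HTTP description server each one advertises; that port is the actual UPnP control listener on that device. It assumes the phone and the scanning host share the same LAN segment and that the router does not filter multicast.

```python
import socket
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse
SSDP_GROUP = ("239.255.255.250", 1900)
# Standard SSDP discovery request; "ssdp:all" asks every UPnP device and service to reply
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

def parse_ssdp_response(raw: str) -> Dict[str, str]:
    """Parse one HTTPU reply (status line + headers) into an upper-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers

def advertised_endpoints(replies: List[Dict[str, str]]) -> Set[Tuple[str, int]]:
    """(host, port) of every advertised description URL. LOCATION always points at an
    HTTP server the advertising device itself runs, i.e. a real listener on the LAN."""
    endpoints: Set[Tuple[str, int]] = set()
    for h in replies:
        u = urlparse(h.get("LOCATION", ""))
        if u.hostname:
            endpoints.add((u.hostname, u.port or 80))
    return endpoints

def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Multicast one M-SEARCH and collect every reply until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(MSEARCH.encode(), SSDP_GROUP)
    replies: List[Dict[str, str]] = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            h = parse_ssdp_response(data.decode(errors="replace"))
            h["_FROM"] = ip  # LAN host that answered; compare with the phone's address
            replies.append(h)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

if __name__ == "__main__":
    found = discover()
    for host, port in sorted(advertised_endpoints(found)):
        banners = {h.get("SERVER", "?") for h in found if h["_FROM"] == host}
        print(f"{host}:{port}  SERVER={' | '.join(sorted(banners))}")
```

If the phone's LAN address shows up in the output while BubbleUPnP's "local media server" is enabled, and disappears after disabling it, that is the listener the setting controls; the SERVER banner tells you which software answered.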