Trevanoc's profile

Visitor

 • 

5 Messages

Thursday, May 18th, 2023 4:17 AM

Closed

Why is Xfinity removing basic router functionality from the router gateway? Especially in favor of an app that doesn't work!

I have an Xfinity Gateway as my modem/router combo. I wanted to forward a port and tried going to 10.0.0.1 (my router's default [local] gateway) and to the appropriate security settings for such a task. Instead of being able to open the port, I am greeted with a message saying that I MUST use the Xfinity Mobile app in order to accomplish this. Okay, not sure why such a basic router function is set up that way, but let's just go to the app and get this done. NOPE! I open the app, go to Connect > View WiFi equipment > Advanced Settings and tap "Port Forwarding" just for the app to do literally nothing. No new screen, no loading icon, no error message, no this, no that, no whatever! Just sits there in the Advanced Settings. I close the app, clear its cache, try again, NOPE. I check and install an update to the app, NOPE. I completely uninstall and reinstall the app, NOPE. So since Xfinity made this complicated already, let's use Leonard's analogy to Sheldon from The Big Bang Theory to sum up this situation: What are we if we're attached to another object by an inclined plane wrapped helically around an axis?

Xfinity: The lesson here is that you really should leave basic router functionality INSIDE the router instead of FORCING your customers to use your BROKEN mobile app. Now I am having to consider wasting $100 that I don't have just to get a modem/router combo off Amazon made by Netgear, Linksys, or another company that actually knows what they're doing. If you actually read your reviews on Google Play, this is one of the top issues mentioned, and the purchase of another modem/router combo is the only solution anyone else has found. Most of the top reviews mention this self-same issue.

Edit: Given that my posting of 2 of the reviews was classified as "inflammatory" by moderators, I've simplified the last sentence above for clarity and left it up to the user to go view the reviews themselves.

Problem Solver

 • 

1.5K Messages

2 years ago

For the affordability part, if you are renting a device for $14-16/month depending on your market, you'll hit break-even pretty quickly.

You will also benefit by not having to manage it with the least secure device you own -- a phone. The point of a phone app is to glean personal information from your mobile device, including location information for targeted advertisements, or "other". Remote control of critical infrastructure is a really, really bad idea in the first place.

Port forwarding in general is also problematic. If you are going to expose a port to the world, you really need to be able to defend it. Who needs access to the port? Just you? A friend? Link two locations? The easy solution there is running your own VPN server. WireGuard and OpenVPN are open source and free. Mobile apps that can connect to your server are free. You can configure the server to only allow traffic to a single device, or specific devices on your network. You completely control the access.

Why is this better? Because to even talk to the open port, and determine if it is open, you need an encryption key or a hardware HMAC key; otherwise, it's not determined if the port is open or closed. This makes you a poor target for further intrusion attempts. If you run another type of service and expose it directly to the world, the port will be exposed as "Open", and you'll get hammered with botnet traffic sooner or later.

Better is if you have a dedicated firewall to go with your plain ole cheap cable modem. Then you aren't dependent on closed-source firmware with infrequent or non-existent security updates, and the limited security feature set that comes with a router. You can do this easily with a junk or cheap <$80 refurb PC.

Visitor

 • 

5 Messages

2 years ago

At the same time, it would be best to display a warning about doing these things in the gateway directly instead of forcing the use of a completely broken app. For that same $80 you mentioned, I could easily get a better router compared to Xfinity's. For that price, I could even get one by Netgear, the leader of this market. I secure my devices very well, including my phone. As for VPNs, those could easily get pricey, more than what you're paying for internet in some cases. And no, if you're opening a port simply for a friend and not the world, then a VPN is not ideal. You'd primarily want it for the latter of the two, should you be the host yourself. Basic functionality of a router should never be removed from the gateway. Could it be covered with warnings? Sure thing; in fact, I'd recommend that. However, like this situation, Xfinity has presented a "No Win Scenario" by forcing the use of an app that does NOT work. No alternatives, just one little broken app. Not to mention it would not be fun to be the person who doesn't have a smartphone because they don't like smartphones...

Edit: Changed word choice of mod's edit (last sentence), though the context of it wasn't used in any inappropriate manner.

(edited)

Problem Solver

 • 

1.5K Messages

2 years ago

You get no argument from me.

They're going on 3 generations of hardware with the trend of removing user functionality from their rental equipment. Whether it's a nefarious purpose or just bad product management is unknown (locking DNS servers, configuration from a central location that doesn't work all the time, with security you can't audit, etc.), and a disturbing trend towards refusing to document anything. Plus, it's costing you money every month for reduced functionality. $168/year. Maybe a few bucks more with local fees. I don't expect them to change their business model anytime soon.

You mentioned port forwarding. If you open a port with a port forward, you've opened it to the world, not one person, and it's easily found with a port scan. The security depends on the service you've pointed the port forward to. Some services are harder to protect than others. In that arrangement, I'd isolate the box that is running the service from the rest of your gear.

3rd-party paid VPN servers don't do what people think they do, and I wasn't talking about those. They aren't helping you with security anyway. And worse, you've introduced a "Man in the Middle" that can see your traffic. Most run squid/apache cache proxies. Your web and DNS data is available on the server side in plain text in these arrangements, and they're intercepting certificates, then passing their own back. Webshield anti-virus does this too (Norton/Avast). You are better off with a direct SSL connection to whatever site you wish to contact, without the "Man in the Middle" and net nanny selling your browsing info to 3rd parties.

VPN servers are free. You can run one on your local gear. YOU are the only one with your data in that case. Then you can access local networks or machines. The port the VPN server uses would be the only port you open (almost any port; the server doesn't care). wireguard.com and openvpn.net are very popular for that. They work differently. WireGuard has less overhead, so it's better for streaming-type traffic, but lacks logging. You can do that by other means. OpenVPN can be configured any way you like, including various types of authentication.

Firewalls give you more ability to control your traffic: segregate subnets, traffic shaping (priority/throttling), monitoring, adaptive hostile attack blocking, etc. They can also run your VPN server. Two free open-source ones with easy graphical interfaces are opnsense.org and Netgate's community edition at pfSense.org. If you want to customize and build your own distribution, or stay on the very cutting edge with security and library updates, OPNsense is much easier to compile and has build tools that do this with a couple of commands -- just set up a build machine or virtual machine to do it (VirtualBox, also free).
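The distinction drawn in the two Problem Solver posts above (a port-forwarded service answers anyone who connects, so a port scan finds it and botnet traffic follows, while a VPN listener that only answers packets carrying valid key material stays silent to everyone else) as an added Python simulation. This is example code written for this page, not code from the thread, from WireGuard, or from OpenVPN, and it models the VPN case only loosely: one HMAC-SHA256 tag under a key that only the authorized peer holds stands in for a real handshake's MAC and key checks. The names `PlainService`, `AuthOnlyService`, the banner string and the peer key are all constructed for the example; nothing touches a real socket.

```python
"""Why a port forward is "easily found with a portscan" while an
authenticated-only VPN port is not: an in-process model, no networking.

Added example for this thread; HMAC-SHA256 over the packet body is a
simplification of how a VPN listener validates an incoming handshake."""
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 tag prefixed to every packet

# Constructed key: in a real deployment only the server and its configured
# peers hold the material needed to produce a valid tag.
PEER_KEY = bytes.fromhex("00" * 16 + "ff" * 16)


def make_probe(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Build a packet. An authorized peer tags it under the shared key;
    a scanner has no key and sends an arbitrary (here random) tag."""
    if key is None:
        tag = os.urandom(TAG_LEN)
    else:
        tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


class PlainService:
    """A typical port-forwarded service: it greets every connection,
    so any probe learns the port is open (and often what runs there)."""
    BANNER = b"ExampleService/1.0 ready\r\n"  # constructed banner

    def handle(self, packet: bytes) -> Optional[bytes]:
        return self.BANNER


class AuthOnlyService:
    """A VPN-style listener: verify the tag first, answer only on success,
    and send nothing at all otherwise (silent drop)."""

    def __init__(self, peer_key: bytes) -> None:
        self.peer_key = peer_key
        self.dropped = 0  # unsolicited packets seen, useful for monitoring

    def handle(self, packet: bytes) -> Optional[bytes]:
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.peer_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return None  # nothing on the wire: scanner cannot tell open from closed
        return b"handshake-response"


def scan(service, payload: bytes = b"probe") -> str:
    """What a scanner with no key material concludes about the port."""
    reply = service.handle(make_probe(payload))
    return "open" if reply is not None else "no response"


def peer_connect(service: AuthOnlyService, payload: bytes = b"hello") -> bool:
    """What the legitimate peer, holding the key, gets back."""
    return service.handle(make_probe(payload, PEER_KEY)) is not None


def compare(probes: int = 50) -> dict:
    """Run a small scan campaign against both listeners and summarize."""
    plain, vpn = PlainService(), AuthOnlyService(PEER_KEY)
    plain_seen = sum(scan(plain) == "open" for _ in range(probes))
    vpn_seen = sum(scan(vpn) == "open" for _ in range(probes))
    return {
        "plain_port_found_open": plain_seen,   # every probe gets the banner
        "vpn_port_found_open": vpn_seen,       # scanner never sees a reply
        "vpn_dropped_unauthenticated": vpn.dropped,
        "vpn_answers_real_peer": peer_connect(vpn),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The `dropped` counter is the piece a defender actually watches: a self-hosted VPN port that silently discards unauthenticated packets still lets you log how much unsolicited traffic reaches it, which is the monitoring the later post says a firewall makes easy.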

Visitor

 • 

5 Messages

It's probably safe to assume a mix of both, nefarious and bad product management on their part. Especially with the lack of documentation. As for the port forwarding, I do indeed know the risks, and the apps using the port are always quarantined, similar to how Windows Defender does programs it doesn't trust. When not in use, I restrict them again. They would be restricted by closing the port, but again, the fact that Xfinity's app is broken has caused me to use other measures to secure that port, given I can no longer access that part of the app due to bugs, bugs, and more bugs. Self-hosted VPNs can work, but only if your device can handle it. Being below poverty, I don't exactly have a high-end machine. Honestly, it even struggles to load Windows Explorer sometimes after logging in on startup. However, running through firewalls and my quarantine methods have proved beneficial.

Problem Solver

 • 

492 Messages

2 years ago

Hello @Trevanoc, thank you for taking the time to reach out to us. We will be happy to help with any app issues that you may be having at the moment. Can you please send our team a direct message with your full name and full address? Our team is here to help!


To send a "Peer to peer" ("Private") message:
• Click "Sign In" if necessary
• Click the "Peer to peer chat" icon
• Click the "New message" (pencil and paper) icon
• Type "Xfinity Support" in the "To:" line and select "Xfinity Support" from the drop-down list which appears. The "Xfinity Support" graphic replaces the "To:" line

Visitor

 • 

5 Messages

@XfinityJimmy What more would there be to try? I have force stopped the app, cleared its cache, cleared its data, and even reinstalled it. The app is broken...

Visitor

 • 

5 Messages

So no reply? Awesome....
