keat63 wrote:
I could do with a method of finding out which port the mobile app is coming from.
or if you think this rule is safe as it is, then I'll leave it as is.

The app. itself probably doesn't know - I'm guessing it's just a random port.

As it is, anyone who knows Port 70 is the target can connect - you ought to include at least the mobile app's IP address in the Firewall Rule - though I'm guessing that's dynamic too

The safest solution, is to enforce VPN-only access.

For a laugh, visit https://www.shodan.io/ and see what your 'attack surface' looks like...
"Security through Obscurity" is a long-dead concept.

If you have only a few known users I suggest as hornbyp says above (which is what I do for my DVR access) -

Set each user up as a "Remote Dial-In User" for VPN access. Assign each of them a static IP address on the connection.

Set Firewall rules to allow each of those IPs access to the DVR IP, with a following rule to block access to any other IP.