
Quick Settings tile should not be able to enable server without unlocking device

Open kaoneko opened this issue 1 year ago • 6 comments

As it is now, when you add the QS tile, anyone who gets a hold of your phone can turn on the FTP server and access your internal storage. Or whatever directories you're sharing. I think people will not be aware of this when adding the tile (I wasn't at first).

kaoneko avatar Jan 22 '24 18:01 kaoneko

TLDR: Personally, I don't see anything to do here except in other ways for security. Someone else might have another opinion on it. I won't be doing anything with it but perhaps someone else might.

Just don't use anonymous or a bad password (which should be a given for security anyway). While not having the app run, better would be to remove the password from the app so even if it gets started while the device is locked such as from ADB or another issue, then there's nothing to be used.

Xavron avatar Jan 23 '24 15:01 Xavron

Oops, totally forgot it requires authentication 😅 I'm so used to enabling the FTP Server and connecting to it from my computer that I forgot my computer has the credentials memorized. Not an issue then!

kaoneko avatar Jan 25 '24 18:01 kaoneko

It could still be a good idea anyway. Idk.

Just to me there are other ways of looking at it, like even newer Android versions have a setting to disable Wi-Fi and enable it when back at specific SSIDs, which I use. So, that mostly voids the issue as well.

I don't have an issue with leaving the app enabled but that's me and I have too many other thoughts on it and security.

Someone might want to anyway :)

Xavron avatar Jan 26 '24 13:01 Xavron

Best practice would be not allowing someone without device access to start a file server on said device in my opinion. I'd like to minimize attack surface in case I ever lose my device. Have peace of mind knowing my files cannot be accessed in such a situation. Being able to start FTP Server... I don't know what vulnerabilities that opens up, so I'd rather that's not a possibility.

I've replicated the Quick Settings tile with Tasker and made it require authentication when the device is locked :)

kaoneko avatar Jan 26 '24 15:01 kaoneko

I now expect to look at this in some months (at least 1 month - or longer or shorter, just depends) and create a pull request if no one else does it by then. It should only take a quick moment. Previously, I wasn't going to do anything further but things changed =)

Xavron avatar Apr 09 '24 12:04 Xavron

Pull request added https://github.com/ppareit/swiftp/pull/226

Build from source can use that pull request right now. Otherwise, need to wait for ppareit to accept it and then put out app builds with it included.

Tested as working on Android 6 (current app minimum), Android 7.1.1, and Android 14.

Xavron avatar Apr 27 '24 09:04 Xavron

Fixed in #226

ppareit avatar Jun 30 '24 14:06 ppareit
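
The behaviour requested in this thread, as an added example that is not code from swiftp or from pull request #226: a Quick Settings tile that uses the Android `TileService` calls `isLocked()` and `unlockAndRun()` so the server can only be started after the device is unlocked. The class name, the `SERVER_SERVICE` component name and the `running` flag are assumptions made for illustration, as is the choice to allow stopping from the lock screen.

```java
import android.content.Intent;
import android.os.Build;
import android.service.quicksettings.Tile;
import android.service.quicksettings.TileService;

// Hypothetical tile; names below are illustrative, not swiftp's own.
public class LockAwareTileService extends TileService {
    // Constructed component name standing in for the app's server service.
    private static final String SERVER_SERVICE = "com.example.ftp.FileServerService";
    // Assumption: the app tracks server state itself; a static flag stands in here.
    private static volatile boolean running;

    @Override
    public void onStartListening() {
        refreshTile();
    }

    @Override
    public void onClick() {
        if (running) {
            // Stopping only reduces exposure, so it is allowed while locked.
            setServer(false);
        } else if (isLocked()) {
            // Keyguard is showing: ask for unlock; the Runnable runs only afterwards.
            unlockAndRun(() -> setServer(true));
        } else {
            setServer(true);
        }
    }

    private void setServer(boolean on) {
        Intent intent = new Intent().setClassName(this, SERVER_SERVICE);
        if (!on) {
            stopService(intent);
        } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Assumes the service promotes itself with startForeground().
            startForegroundService(intent);
        } else {
            startService(intent);
        }
        running = on;
        refreshTile();
    }

    private void refreshTile() {
        Tile tile = getQsTile();
        if (tile == null) return; // tile is not currently bound
        tile.setState(running ? Tile.STATE_ACTIVE : Tile.STATE_INACTIVE);
        tile.updateTile();
    }
}
```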