I should say that I am extremely new to the smartphone world. I still find Android rather confusing, especially its filesystem and file-handling generally. I'm not, for example, in a position where I'd consider rooting the device or replacing its OS. [I did look into this, but the less intimidating options aren't available for the phone I've got.]
My main aim is currently to exchange files between my laptop and the phone. To this end, I briefly toyed with mtp and android-file-transfer before discovering kdeconnect.
kdeconnect makes it incredibly easy to exchange files (touch whatever virtual wood is available).
My concern is about its security. I'm especially concerned about the security of kdeconnectd running on my laptop on untrusted WIFI networks.
After googling for a bit, on the laptop, I've disabled most features except file sharing and, on the phone, I've told the kdeconnect app to use only my home network.
However, there doesn't seem to be a way to limit kdeconnectd to certain networks on the laptop. The thing runs all the time.
I would also ideally like the laptop to *ask* before receiving files regardless of my location, but, having agreed once, it seems the process is entirely automatic. It doesn't even require a client application to be running - only the daemon.
For the phone, I'd ideally like kdeconnect to pack itself back into its box when it isn't being used, but it seems forcing the app to stop manually is the only option. (But this is really a secondary issue which is at least as much about power as it is about security.)
Although I'm somewhat concerned about the security of both devices, I am especially concerned about the security of my laptop.
Am I being unnecessarily paranoid? Should I just not be worrying about this? I realise that random devices can't connect with the laptop and maybe that's enough even on insecure networks?
If not, is it possible to increase the security of kdeconnect(d) and, if so, how?
If it can't be secured, is there a more secure alternative, at least for file exchange?
I know that it has been possible to essentially use the standard command-line tools for this (e.g. ssh, sshd, sftp etc.). However, my understanding is that all terminal-like capabilities on Android are going to disappear (termux, ssh servers/helpers etc. are doomed) because, for security (and perhaps other) reasons, Google is removing the capabilities on which the various apps rely. So running a ssh server on the phone, for example, doesn't look like an option. [Reading this rather made me feel as if I'd arrived just as the police turned up to shut the party down. I'm also not sure if this will be the death of kdeconnect as well, since I understand it relies on ssh underneath.]
I've been playing with the idea of having some kind of script to detect network changes and kill kdeconnectd when on non-home networks (and possibly adjust the iptables rules as a secondary layer), but I can't imagine there isn't a better solution.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
Fedora's KDE spin runs kdeconnectd by default, which I find somewhat reassuring though I'd much prefer to understand why it isn't problematic. Moreover, I, of course, have opened ports in my firewall to allow kdeconnectd to work, which isn't the case on the Fedora machine and certainly not by default.
I'd really like kdeconnectd to run only on demand, where demand is internally-led. That is, I'd like it to run only when I initiate something on the laptop to activate it. I understand the reasons for not having the daemon be on-demand, since that's obviously not much use if you want it to respond to connection attempts, but I'd happily give up that convenience for added security.
Or maybe I should just try closing the firewall holes when I'm on a different network? Or only opening them when I'm on the home network?
Offline
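One way to open the firewall holes only on the home network, as discussed in the two posts above (an added example, not code from any poster or from the KDE Connect project). It assumes NetworkManager manages the connection, iptables is the firewall with an INPUT chain that otherwise drops these ports and jumps to a dedicated chain, and it uses KDE Connect's 1714-1764 TCP/UDP port range; the file name, the chain name KDECONNECT and the UUID are placeholders.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher script, e.g. saved as
# /etc/NetworkManager/dispatcher.d/50-kdeconnect (hypothetical file name).
# Assumed one-time setup: iptables -N KDECONNECT; iptables -A INPUT -j KDECONNECT
# and an INPUT policy/rule set that drops the KDE Connect ports otherwise.

# Placeholder: UUID(s) of the saved home connection profile(s),
# as listed by `nmcli -f NAME,UUID connection show`.
HOME_UUIDS="00000000-0000-0000-0000-000000000000"
PORTS="1714:1764"   # port range used by KDE Connect (TCP and UDP)
CHAIN="KDECONNECT"  # hypothetical chain name

# Decide what to do for a dispatcher event; prints open, close or ignore.
decide() {  # $1 = action, $2 = connection UUID
    case "$1" in
        up)
            for u in $HOME_UUIDS; do
                [ "$2" = "$u" ] && { echo open; return; }
            done
            echo close ;;              # any other network: fail closed
        down|pre-down) echo close ;;   # leaving a network: fail closed
        *) echo ignore ;;              # dhcp changes etc. leave rules alone
    esac
}

# Print the iptables commands for a decision and interface.
rules() {  # $1 = decision, $2 = interface
    echo "iptables -F $CHAIN"          # always start from an empty chain
    [ "$1" = open ] || return 0
    for proto in tcp udp; do
        echo "iptables -A $CHAIN -i $2 -p $proto --dport $PORTS -j ACCEPT"
    done
}

# NetworkManager calls dispatcher scripts as: script <interface> <action>
# and exports CONNECTION_UUID for the connection the event refers to.
if [ "$#" -ge 2 ]; then
    decision=$(decide "$2" "${CONNECTION_UUID:-}")
    [ "$decision" = ignore ] || rules "$decision" "$1" | sh -e
fi
```

Because any `down` event empties the chain, the ports stay closed until the next `up` event for a home profile, which errs on the side of blocking.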
Hi, I have not used kdeconnect or looked into its capabilities, so I cannot give you input on that.
What I use to file share with Android is https://wiki.archlinux.org/title/Syncthing
I synchronise files (encrypted) across multiple machines + Android with it. There is a syncthing.service running, it requires two open ports at runtime and when it discovers a connected machine it synchronises files in a configured base directory, with optional acknowledgement. The daemon is configured via a browser, which is nifty. By default it uses global discovery servers, but you can also set it for local network discovery only (I usually do) and/or start the .service and Android app on demand only, of course.
Offline
Afaik all communications with an actually paired device are encrypted once established once. It should be safe to have it running on a public network.
Online
Really appreciate the syncthing suggestion. I'll take a look.
> Afaik all communications with an actually paired device are encrypted once established once. It should be safe to have it running on a public network
Thanks. I'm more concerned about other devices which aren't paired exploiting the service/open ports. Or the phone being hacked, for example. I don't understand the software running on my phone and I don't trust it.
[I don't understand the software running on my laptop either, but I understand it a lot better than the stuff on my phone. That's not saying much, but I don't even understand Android's flipping file system.]
Offline