Syncthing Android HTTPS

Why does the Android app use HTTPS for the web GUI by default?

To protect against the possibility of a malicious external app “stealing” the 8384 GUI port in an attempt to sniff API-key credentials.

1 Like

@Nummer378 Couldn’t that happen on the desktop version too? But it’s off by default there…

Unlike the Android webbview, your webbrowser doesn’t know syncthing’s API key, so if your syncthing instance is unprotected (the default) there’s no leakage of credentials. If your syncthing instance is password protected you should guard yourself against this attack before entering the password, yes. We thus recommend that https is used as well when setting a password.

(Also, the security models on desktops are typically vastly different from mobile. On many desktop OS’es, apps can freely access a large portion of the system’s files. If that’s the case, a malicious app can just read syncthing’s configuration and gain credentials this way. On Android however, app data is protected much more strictly which results in a tighter security model)

@Nummer378 That causes a warning about the certificate in Safari, though.

Is it safe to select ‘always trust’?

That’s a very complicated topic with few easy answers. The simplest one I can give is yes, just ignore it. I think most browsers these days are smart enough to remember the exact certificate that has been ignored (at least Firefox does), in which case this is safe to do - click the warning once, but only once (e.g. if the browser warns again this means that the certificate was changed, which may indicate that something happened).


On Safari it seems like there’s actually two options.

  1. Ignore the warning and visit the site. (This is based on cookies and will reset when browsing data is deleted, etc.)

  2. Trust the certificate (This is permanent until manually revoked)

Since #1 will warn you every time your cookies are cleared, it seems like #2 is (counterintuitively) actually safer? Since you would only get a warning for a new, changed certificate.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.