0xf104a
commented
3 years ago Hello.
I completely agree with you about MITM attacks. So currently as for release 1.0-beta8 if switch Use insecure connection is off app will try to connect via https only(and no cleartext traffic will be sent).
Also I am not sure if previous releases behaved as you have described(failing back to http): there was an issue(#5) when app was failing to connect via HTTP despite correct address and credentials. So if you are sure that the app on your device is failing back to HTTP, please send logs and your Android version.
Thanks for the work on this much needed app.
From what I can tell, nextcloud services will first try to connect to a server via https but if no https server is found it will fail over to http. I believe this may leave open a potential security vulnerability where a 'man in the middle' could block https to force a less secure connection.
In the interest of security, I would prefer if there was a way to prevent the app from ever attempting to connect via http.