newhinton / Round-Sync

An android cloud file manager, powered by rclone. Visit https://roundsync.com for more information!
GNU General Public License v3.0
1.05k stars 39 forks

Encrypted Config #200

Open xAffan opened 6 months ago

xAffan commented 6 months ago

Security hazard. The config is not encrypted and thus can be stolen by malware or an intruder.

It should be encrypted by either biometrics and/or a conventional password, requiring unlock whenever the app is first opened.

leowankerddd commented 6 months ago

Interesting. Never thought of this because my phone has biometric to unlock.

This sounds like a nice feature.

Tops on my personal wish list is the completion and production release of the content provider preview; it's listed as experimental and I'd like it to be production. It's a very valuable feature.

Erz3 commented 6 months ago

You can follow this to make it on PC: https://rclone.org/docs/#configuration-encryption

However, I am not sure if Android's built-in feature to lock apps will work to encrypt configuration files too.

leoj3n commented 5 months ago

RSAF gives the option to protect the UI...

[Screenshot: Screenshot_20240111-053134]

This protects the UI, although not sure if the rclone.config is technically encrypted at rest in either app?

g-roi commented 3 months ago

Any biometric authentication when opening the app would be perfect.

Is this important security feature planned?

kaoneko commented 2 months ago

Hi, new user here! You guys are making me nervous. From what I understand credentials are stored in obfuscated form in rclone.conf, which itself is stored in the app's data storage, only accessible by the app itself. This seems to adhere to the documentation @Erz3 linked to:

> Your configuration file contains information for logging in to your cloud services. This means that you should keep your rclone.conf file in a secure location.

So, there is no security issue here, right? What @xAffan suggests is about limiting the consequences of an Android system security breach by an attacker/malware, no?

xAffan commented 2 months ago

It is possible that the app data may be accessed by an exploit, or maybe even using adb. A highly skilled attacker can surely get hold of your rclone.config but if it was encrypted, it wouldn't be the case. Besides, obfuscation security is not a real security.


newhinton commented 2 months ago

This is not a security issue per se. Assuming your device is safe (all updates, not too old, not rooted), there is no way (that is known to me) that someone else can get to the rclone.conf, except with physical access to your phone and your pin/password.

Oh, you also have to have some kind of screen lock to protect yourself.

leowankerddd commented 2 months ago

> Hi, new user here! You guys are making me nervous. From what I understand credentials are stored in obfuscated form in rclone.conf, which itself is stored in the app's data storage, only accessible by the app itself. This seems to adhere to the documentation @Erz3 linked to:

> > Your configuration file contains information for logging in to your cloud services. This means that you should keep your rclone.conf file in a secure location.

> So, there is no security issue here, right? What @xAffan suggests is about limiting the consequences of an Android system security breach by an attacker/malware, no?

By default your phone is always in your possession and locked, and it would require somebody to be an Android hacker to gain access to your config file, and even then your password is encrypted.

I wouldn't be nervous.

xAffan commented 2 months ago

Your password is NOT encrypted in its current state. I merely suggested adding an extra line of defense in case of very skilled hackers or specialized malware. Although, I admit, only a minority of people fall under this threat model.


leowankerddd commented 2 months ago

> Your password is NOT encrypted in its current state.

Looks like Rclone says it's encrypted. See pic. [Image: rclone_password_encrypted]

newhinton commented 2 months ago

> your password is encrypted.

This is not the case, depending on your definition. AFAIK, all files are 'encrypted at rest' by Android per default for a while now.

The rclone.conf itself, however, is not additionally encrypted. If your device is unlocked, any root process could read and steal that file. Any other process (like other apps) has no access to its location.

The file is also not accessible by any file manager.

newhinton commented 2 months ago

> Looks like Rclone says it's encrypted.

Technically it is encrypted (it uses some encryption algorithms), but the "password" is hardcoded, at least last time I checked. So obfuscated would be the better term.

Though I'm not so sure anymore, I'll have to check that again.

newhinton commented 2 months ago

> add an extra line of defense in case of very skilled hackers or specialized malware

Generally true, but that hacker/malware already defeated Android's security model and therefore you lost the defense game already. If you can read other apps' internal storage, you can also dump the memory of said app, and then you have its data anyway, encryption or no.

newhinton commented 2 months ago

> Though I'm not so sure anymore, I'll have to check that again.

I checked:

There is indeed the option to encrypt the config, but from the screenshot you made I guess that you are "only" using obfuscation.

Do you have to enter your password every time you use rclone?

Source: https://rclone.org/docs/#configuration-encryption
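Added example, not part of the thread and not Round-Sync or rclone code: a Python check that tells whether an rclone.conf uses rclone's configuration encryption (first non-comment line is the `RCLONE_ENCRYPT_V0:` marker) or is a plaintext file whose secrets are at most obscured. The `SECRET_KEYS` subset and both sample configs are constructed for illustration.

```python
import base64
import configparser

ENCRYPT_MARKER = "RCLONE_ENCRYPT_V0:"
# Illustrative subset of rclone option names that carry secrets (assumption, not exhaustive).
SECRET_KEYS = {"pass", "password", "password2", "token",
               "client_secret", "secret_access_key"}

def classify_rclone_conf(text):
    """Return ("encrypted", []) or ("plaintext", [(remote, option), ...])."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # blank lines and comments may precede the marker
        if stripped == ENCRYPT_MARKER:
            body = "".join(l.strip() for l in lines[i + 1:])
            raw = base64.b64decode(body, validate=True)  # raises on non-base64
            if len(raw) < 24:  # body must at least hold the 24-byte nonce
                raise ValueError("encrypted config body too short")
            return "encrypted", []
        break  # first real line is not the marker: treat as plaintext INI
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    # An obscured value still counts as a finding: as the thread notes,
    # obscuring uses a fixed key and is not encryption.
    findings = [(remote, option)
                for remote in parser.sections()
                for option in parser[remote]
                if option in SECRET_KEYS and parser[remote][option]]
    return "plaintext", findings

# Constructed samples: placeholder values only, no real credentials or ciphertext.
SAMPLE_PLAINTEXT = """\
[gdrive]
type = drive
token = {"access_token":"CONSTRUCTED"}

[nas]
type = sftp
host = nas.example
pass = CONSTRUCTED_OBSCURED_VALUE
"""
SAMPLE_ENCRYPTED = ("# Encrypted rclone configuration File\n\n"
                    + ENCRYPT_MARKER + "\n"
                    + base64.b64encode(bytes(40)).decode() + "\n")

if __name__ == "__main__":
    for name, conf in (("plaintext", SAMPLE_PLAINTEXT), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, classify_rclone_conf(conf))
```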

leowankerddd commented 2 months ago

> Do you have to enter your password every time you use rclone?

You can't see it in the pic but yes there is an rclone settings password that is unique from all remotes.

On my Windows/Linux rclone requires a password.

leowankerddd commented 2 months ago

@newhinton FYI I'm beta testing Mega S4 cloud storage, and I'm having issues. I'm just not sure yet where the fault lies. Rclone for Windows/Linux works. Roundsync has issues that I'm working to isolate. I will post when I have more data.

newhinton commented 2 months ago

Great! Best you create a new issue for that. Feel free to ignore the issue-template if you so choose, but be precise please.

kaoneko commented 2 months ago

> Besides, obfuscation security is not a real security.

The Rclone documentation says it was added to protect against shoulder surfing.

mvevitsis commented 3 weeks ago

@newhinton are there plans to implement support for configuration encryption?

It might not be as critical a security flaw as running an unencrypted config file on desktop* but it's still not best practice.

*Unless you are rooted in which case it's a massive security flaw.

Erz3 commented 2 weeks ago

This is an important feature when we need to export settings to a user directory and/or it is being synchronized to a cloud storage.