# risk of FTP



## ksiu (May 30, 2021)

Hi,
A newbie here.
FTP data transfer is not encrypted. FTP password is sent in plain text. So, anyone can intercept it and log into my Android FTP server and access my phone's photos and documents.
Is this the worst they can do?
My FreeBSD laptop is only used as FTP-client.  A client machine is secure, right?


----------



## msplsh (May 30, 2021)

Upload new stuff, delete stuff, if there's an exploit that uses media, upload one of those.


----------



## tux2bsd (May 30, 2021)

ksiu said:


> my Android FTP server


Depends what this means.  If it is on your local personal LAN and your server is too then there's little to worry about.

On the Internet then FTP is to be avoided, it should have been executed well over a decade ago.


----------



## Lamia (May 30, 2021)

They are saying as long as you are doing this on your LAN & ftp ports are not exposed to the Internet, you are fine.


----------



## a6h (May 30, 2021)

If it's public, then there're different methods to secure FTP:
* SFTP (SSH FTP) --------> sftp(1)
* FTPS (FTP over SSL) ---> SSLv3 was deprecated in favour of the TLS 1.2
* FTPS (FTP over TLS) ---> Securing FTP with TLS
* FTP over SSH ----------> Securing FTP using SSH
Note: SFTP != FTPS != 'FTP over SSH'


----------
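Added example, not part of any post in this thread: a Python check over captured FTP control-channel lines that reports whether `USER`/`PASS` were sent before the server accepted `AUTH TLS` (reply 234, RFC 4217), which is the difference between plain FTP and explicit FTPS discussed above. The `C:`/`S:` transcript layout, the sample sessions and the function name `cleartext_logins` are assumptions made for illustration.

```python
import re

# Constructed control-channel transcripts ("C:" client, "S:" server), laid out
# as a capture tool would show them. All names and passwords are made up.
PLAIN = """\
S: 220 FTP server ready
C: USER ksiu
S: 331 Password required
C: PASS example-password
S: 230 Login successful
"""
EXPLICIT_TLS = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""
# Failure mode: the server refuses AUTH TLS and the client logs in anyway.
FALLBACK = """\
S: 220 FTP server ready
C: AUTH TLS
S: 502 Command not implemented
C: USER ksiu
S: 331 Password required
C: PASS example-password
"""

LINE = re.compile(r"^([CS]):\s*(\S+)")

def cleartext_logins(transcript):
    """Return (line_number, verb) for each USER/PASS sent without TLS."""
    findings = []
    auth_pending = False   # client sent AUTH, server has not answered yet
    protected = False      # server accepted AUTH with reply 234 (RFC 4217)
    for number, raw in enumerate(transcript.splitlines(), start=1):
        match = LINE.match(raw.strip())
        if not match:
            continue
        side, token = match.group(1), match.group(2).upper()
        if side == "S":
            protected = protected or (auth_pending and token == "234")
            auth_pending = False
        elif token == "AUTH":
            auth_pending = True
        elif token in ("USER", "PASS") and not protected:
            findings.append((number, token))
    return findings
```

The findings deliberately carry only the line number and verb, not the credential itself, so the report can be shared without repeating the leak.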



## Deleted member 67440 (May 30, 2021)

In reality, the risk is minimal *IF* the internet connection is safe.

Intercepting packets is almost impossible (without being part of the police), therefore even plain text passwords on internet do not present real risks,
*IF* you connect from a trusted connection, for example your home router used as a WiFi access point, or your smartphone 4G called from "home".

Changes radically *IF* you use a public WiFi, or company or friend's, in short in all cases *where you are not sure* that there is not a network card in promiscuous mode or a packet logger or whatever you want.

The "urban legend" tells that it is easy to intercept internet traffic by everyone.
It's simply not true.

So if you have an FTP server on your Android phone, *with a strong username and strong password*, _and the FTP server is not flawed/bugged_, you are safe even in plain text

*IF*

1) your phone and your PC are on your home wifi network, and you connect the PC's FTP client to the Phone FTP server. It's a common, and safe, scenario.

2) your phone is on 4G ("on internet"), and you connect your PC FTP client (to the phone) from your home (WiFi or LAN) network. If the FTP server does not have holes there is no risk, at most slowdowns if you are targeted for multiple attempts.
4G networks usually have dynamic IPs, so it's not very frequent, but it happens.


----------



## ralphbsz (May 31, 2021)

ksiu said:


> ... into my Android FTP server a...


As far as I know, Android phones do not come with an FTP server. I just tried two phones (which are sitting on the desk next to me), and neither reacts on port 21.

If you installed a third-party FTP server on an Android device: Caveat emptor. If that FTP server uses traditional FTP (port 21), then it is probably quite insecure. On the other hand, if it is configured to only allow access to a download/upload area, the amount of damage it can do is limited.


----------



## recluce (Jun 2, 2021)

fcorbelli said:


> In reality, the risk is minimal *IF* the internet connection is safe.


That big *IF* is something you cannot know - and thus, FTP should not be used over the Internet or over most corporate networks (a small company with people you know and trust might be OK, but the corporate network where I work, for example, with 15,000 users and 80+ locations, is almost as bad as the Internet).


----------



## aragats (Jun 2, 2021)

ralphbsz said:


> If you installed a third-party FTP server on an Android device


Better install an SSH server. After trying a few I found Termux to be the best and easiest solution.
After installing the app run `pkg install openssh` in its terminal, then start the server `sshd`.
The default port is 8022, you can change it by adding an sshd_config.


----------



## SirDice (Jun 5, 2021)

aragats said:


> After installing the app run `pkg install openssh` in its terminal, then start the server `sshd`.


sshd(8) is part of the base OS, no need to install anything.


----------



## Tieks (Jun 5, 2021)

If the only purpose is to copy files from/to your Android phone, an alternative to FTP could be /usr/ports/sysutils/android-file-transfer. I use that with a script started by devd when I connect the phone to a USB port. That way the phone cannot be accessed via internet and meanwhile the battery will be charged (although slowly).


----------



## aragats (Jun 5, 2021)

SirDice said:


> sshd(8) is part of the base OS, no need to install anything.


I'm talking about the Android's part, not FreeBSD's. Termux app has a package manager with the same name `pkg`, that's why it sounds confusing. Also rsync() can be installed in Android: it's very convenient to use to sync e.g. large amount of photos with a PC.


----------



## ksiu (Jun 11, 2021)

Tieks said:


> If the only purpose is to copy files from/to your Android phone, an alternative to FTP could be /usr/ports/sysutils/android-file-transfer. I use that with a script started by devd when I connect the phone to a USB port. That way the phone cannot be accessed via internet and meanwhile the battery will be charged (although slowly).


I couldn't figure out how to use android-file-transfer.

I did install jmtpfs. And successfully transferred files to my phone. But jmtpfs requires root to mount Android.

I prefer FTP.  I don't have to mount and unmount and be root.


----------



## Tieks (Jun 11, 2021)

ksiu said:


> I couldn't figure out how to use android-file-transfer.
> 
> I did install jmtpfs. And successfully transferred files to my phone. But jmtpfs requires root to mount Android.
> 
> I prefer FTP.  I don't have to mount and unmount and be root.


I mentioned AFT because its command set is very similar to that of FTP. Available commands are:

```
cat                 <file> outputs file
cd                  <path> change directory to <path>
device-info         displays device's information
device-properties   shows device's MTP properties
exit                exits program
get                 <file> downloads file
get                 <file> <dst> downloads file to <dst>
get-refs            returns object-associated refs
get-thumb           <file> downloads thumbnail for file
get-thumb           <file> <dst> downloads thumbnail to <dst>
help                shows this help
ls                  lists current directory
ls                  <path> lists objects in <path>
ls-r                lists current directory [recursive]
ls-r                <path> lists objects in <path> [recursive]
lsext               lists current directory [extended info]
lsext               <path> lists objects in <path> [extended info]
lsext-r             lists current directory [extended info, recursive]
lsext-r             <path> lists objects in <path> [extended info, recursive]
mkdir               <path> makes directory
mkpath              <path> create directory structure specified in path
properties          <path> lists properties for <path>
put                 put <file> <dir> uploads file to directory
put                 <file> uploads file
pwd                 resolved current object directory
quit                quits program
type                <path> shows type of file (recognized by libmagic/extension)
```
In a script I use this to send a complete file list to /tmp: `/usr/local/bin/aft-mtp-cli 'lsext-r /' > $TMP 2>&1`. The script then processes that file list to GET the files that I want.
Only problem: On the phone I always have to change Settings, USB to 'File Transfer', because Android 10 does not keep that choice between sessions. That's why the script sleeps for 30 seconds to allow me to choose that setting. The script is triggered by devd, hence runs as root. It communicates with a ugenN.N device, normally only root has read/write rights then. You can change that if you want to.


----------



## aragats (Jun 11, 2021)

ksiu said:


> I prefer FTP. I don't have to mount and unmount and be root.


Same with SSH. IMO even easier.


----------

