risk of FTP

Hi,
A newbie here.
FTP data transfer is not encrypted.FTP password is sent in plain text. So, anyone get intercept it and log into my Android FTP server and access my phone's photos and documents.
Is this the worst they can do?
My FreeBSD laptop is only used as FTP-client. A client machine is secure, right?
 
They are saying as long as you are doing this on your LAN & ftp ports are not exposed to the Internet, you are fine.
 
In reality, the risk is minimal IF the internet connection is safe.

Intercepting packets is almost impossible (without being part of the police), therefore even plain text passwords on internet do not present real risks,
IF you connect from a trusted connection, for example your home router used as an WiFi access point, or your smartphone 4G called from "home".

Changes radically IF you use a public WiFi, or company or friend's, in short in all cases where you are not sure that there is not a network card in promiscuous mode or a packet logger or whatever you want.

The "urban legend" tells that it is easy to intercept internet traffic by everyone.
It's simply not true.

So if you have a FTP server on you Android phone, with a strong username and strong password, and the FTP server is not flawed/bugged, you are safe even in plain text

IF

1) your phone and your PC are on yours home wifi network, and you connect the PC's FTP client to the Phone FTP server. It's a common, and safe, scenario.

2) your phone is on 4G ("on internet"), and you connect your PC FTP client (to the phone) from your home (WiFi or LAN) network. If the FTP server does not have holes there is no risk, at most slowdowns if you are targeted for multiple attempts.
4G networks usually have dynamic IPs, so it's not very frequent, but it happens.
 
... into my Android FTP server a...
As far as I know, Android phones do not come with an FTP server. I just tried two phones (which are sitting on the desk next to me), and neither react on port 21.

If you installed a third-party FTP server on an Android device: Caveat emptor. If that FTP server uses traditional FTP (port 21), then it is probably quite insecure. On the other hand, if it is configured to only allow access to a download/upload area, the amount of damage it can do it limited.
 
In reality, the risk is minimal IF the internet connection is safe.

That big IF is something you cannot know - and thus, FTP should not be used over the Internet or over most corporate networks (a small company with people you kown and trust might be OK, but the corporate network where I work, for example, with 15,000 users and 80+ locations, is almost as bad as the Internet).
 
If you installed a third-party FTP server on an Android device
Better install an SSH server. After trying a few I found Termux to be the best and easiest solution.
After installing the app run pkg install openssh in its terminal, then start the server sshd.
The default port is 8022, you can change it by adding an sshd_config.
 
If the only purpose is to copy files from/to your Android phone, an alternative to FTP could be /usr/ports/sysutils/android-file-transfer. I use that with a script started by devd when I connect the phone to a USB port. That way the phone cannot be accessed via internet and meanwhile the battery will be charged (although slowly).
 
If the only purpose is to copy files from/to your Android phone, an alternative to FTP could be /usr/ports/sysutils/android-file-transfer. I use that with a script started by devd when I connect the phone to a USB port. That way the phone cannot be accessed via internet and meanwhile the battery will be charged (although slowly).
I couldnt figure out how to use android-file-transfer.

I did install jmtpfs. And successfully transfered files to my phone. But jmtpfs requires root to mount Android.

I prefer FTP. I don't have to mount and unmount and be root.
 
I couldnt figure out how to use android-file-transfer.

I did install jmtpfs. And successfully transfered files to my phone. But jmtpfs requires root to mount Android.

I prefer FTP. I don't have to mount and unmount and be root.
I mentioned AFT because its command set is very similar to that of FTP. Available commands are:
Code:
    cat                 <file> outputs file
    cd                  <path> change directory to <path>
    device-info         displays device's information
    device-properties   shows device's MTP properties
    exit                exits program
    get                 <file> downloads file
    get                 <file> <dst> downloads file to <dst>
    get-refs            returns object-associated refs
    get-thumb           <file> downloads thumbnail for file
    get-thumb           <file> <dst> downloads thumbnail to <dst>
    help                shows this help
    ls                  lists current directory
    ls                  <path> lists objects in <path>
    ls-r                lists current directory [recursive]
    ls-r                <path> lists objects in <path> [recursive]
    lsext               lists current directory [extended info]
    lsext               <path> lists objects in <path> [extended info]
    lsext-r             lists current directory [extended info, recursive]
    lsext-r             <path> lists objects in <path> [extended info, recursive]
    mkdir               <path> makes directory
    mkpath              <path> create directory structure specified in path
    properties          <path> lists properties for <path>
    put                 put <file> <dir> uploads file to directory
    put                 <file> uploads file
    pwd                 resolved current object directory
    quit                quits program
    type                <path> shows type of file (recognized by libmagic/extension)
In a script I use this to send a complete file list to /tmp: /usr/local/bin/aft-mtp-cli 'lsext-r /' > $TMP 2>&1. The script then processes that file list to GET the files that I want.
Only problem: On the phone I always have to change Settings, USB to 'File Transfer', because Android 10 does not keep that choice between sessions. That 's why the script sleeps for 30 seconds to allow me to choose that setting. The script is triggered by devd, hence runs as root. It communicates with a ugenN.N device, normally only root has read/write rights then. You can change that if you want to.
 
Last edited by a moderator:
Back
Top