
Open Source Android SSH client sends your keys to Google - mattcopp
https://github.com/connectbot/connectbot/issues/146
======
jeffdubin
I don't see this as a ConnectBot-specific issue. Instead, it'd be nice if I
had the choice of where to send my Android system backups, along with the
ability to specify a key. Please note that I said 'choice', so that if one
didn't really care who had their data, it could operate as it does now and
default to Google's storage.

------
tdkl
It would be nice if Google made adb backup more robust and offered an OFFLINE
DESKTOP backup tool for ALL apps.

That's something I enjoyed on the iPhone using iTunes (well now you can't
backup apps anymore because of app thinning). Connecting a device, then
waiting on the magic cloud to finish restoring and not knowing which apps and
what data will even get restored is just moronic.

It's not a coincidence that the most popular app on the Play Store since ages
which uses root is Titanium Backup.

~~~
snaky
> OFFLINE DESKTOP backup tool for ALL apps

That would be soo unfashionable, like you know, that ancient Palm devices. Oh,
and Google could not read all of your data.

------
voltagex_
Both VXConnectBot and ConnectBot appear to be abandoned / unmaintained.

~~~
douglaswth
I don't believe this is true, ConnectBot has commits to master as recently as
21 days ago; it is just that development is slow and stable releases aren't
coming out very often.

~~~
voltagex_
Right, sorry. VXConnectBot hasn't been updated for quite some time.

Either way, the lack of response on this issue in particular is a bit of a
worry.

------
RubyPinch
the excessively excited "omg how could you even be discussing this??" is a bit
offputting

Isn't there APIs for safely storing passwords outside of config data?

~~~
fattire

         the excessively excited "omg how could you even be discussing this??" is a bit offputting
    

I wrote that sentence minus the omg part, but I don't think I meant what you
think I meant-- The "how could you even be discussing this" wasn't
dismissive-- I meant this is TOO important an issue to leave to discussion--
that action by Google (namely extending the API so the user could opt-out of
auto-backup) was needed, and that until that happened, Connectbot should shut
it off. Unfortunately, neither occurred.

    
    
          Isn't there APIs for safely storing passwords outside of config data?
    

There are means of storing data that avoid the auto-backup to Google Drive,
but unless they happened to have been done already (such as saving to the
/cache directory, which isn't auto-backed up) it would typically require
additional work, such as manifest changes by the Developer to opt specific
directories in/out of the auto-backup.

This is not just a Connectbot-specific thing. It's my understanding that ALL
apps that target Marshmallow or Nougat (that is, the current and last version
of Android, API 23 and 24) will automatically get this 25MB backup "service".
The end user can't opt out per app either, only system-wide.

Incidentally, Connectbot does explicitly enable the backup agent.

[https://github.com/connectbot/connectbot/blob/master/app/src...](https://github.com/connectbot/connectbot/blob/master/app/src/main/AndroidManifest.xml#L38-L39)
& 190/191

    
    
          "The automatic backup feature preserves the data your app creates on a user device by uploading it to the user’s Google Drive account and encrypting it."
    

For me at least, I don't want my private SSH keys and server info sent to
Google, even if it's encrypted once/after it gets there. (and before someone
says "use a good passphrase".. yeah, okay.)

------
anonbanker
Anyone know if the FDroid version has a similar issue?

