redstamp
Apprentice
Jul 31, 2016
Solved

Configuring FolderSync android app

I have been using FolderSync on my android smartphone for a couple of years to sync all personal files from my phone to my cloud drive in case of a phone accident.  I bought a ReadyNAS to replace my ...
  • StephenB
    Jul 31, 2016

    Based on this link it looks like FolderSync supports FTPS: http://www.tacit.dk/foldersync . On the NAS side, FTPS connections are accepted by the normal FTP setup, and there is also an option to mandate FTPS.

    SMB does offer encryption, but you'd need to be very certain that the NAS would not accept unencrypted connections before you open a port for that.


    redstamp wrote:

    NB I presume this 'encryption' means that a man-in-the-middle could hijack my FTP username and password (not OK) - or does it simply mean a middle-man (as it were) would just be able to get the data (which if it's the normal pictures of my dogs - he's welcome!)

    When you are talking about security, "man-in-the-middle" (or MITM) is a very specific threat, and perhaps we should first clarify what it is.


    A "man in the middle" device manages to get in between your client (the Android phone in this case) and the server (the NAS, for example). So when the phone tries to connect to the NAS, it actually connects to the MITM. The MITM pretends it is the NAS whenever it is talking to the phone. Then it opens its own connection to the NAS (pretending it is the phone).


    The only way to defend against MITM is to use "mutual authentication" - the phone needs to verify that it is really talking to the NAS, and the NAS needs to verify that it is really talking to the phone. The usual method is that the client (phone) establishes an encrypted connection, and first verifies that it is really talking to the server (NAS) with a certificate-based mechanism. After it is sure that it is talking to the NAS, it gives the NAS the username and password (over the encrypted link) so the NAS can verify that it is really talking to the phone (more accurately, that it is talking to a device that has an authorized username/password).


    A MITM not only sees your username, password, and data, it can also substitute false data for real data. And in your use case, it could take data from your NAS that the phone isn't asking for (since it has your username and password).


    An "eavesdropper" is a very different thing - it is a device that can passively observe the traffic between your phone and the NAS, but it does not pretend to be your phone or your NAS.


    redstamp wrote:

    I did come across a post where StephenB recommended FTPS - but then went on to say certificates were required...

    If we are talking about eavesdroppers, then the self-signed certificate that the NAS already uses is enough. For instance, FTPS encrypts both the control traffic and the data traffic, and that is done before the phone sends the username/password to the NAS. The key-exchange mechanism prevents an eavesdropper from learning the key, even if he can observe all the data traffic in both directions.


    If you are facing a MITM, then the self-signed certificate in the NAS is not enough. It might still offer some protection (the client can check if the certificate is the one it has seen from the NAS before). But there aren't that many private addresses in common use (512 on the 192.168.0.x and 192.168.1.x networks that most people use), and sometimes the self-signed certificate in the MITM device will happen to match the IP address the NAS used when it generated the certificate.

    So FTPS can be used without needing to install your own public certificate. That is a great defense from an eavesdropper, but is not a good enough defense for MITM.
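The order of operations StephenB describes (encrypt first, verify the server, only then send the username/password) can be shown with a small explicit-FTPS client that pins the NAS's self-signed certificate by its SHA-256 fingerprint rather than trusting whatever certificate is presented. This is an added example using Python's standard `ftplib`, not FolderSync's or NETGEAR's code; `NAS_HOST` and `PINNED_SHA256` are constructed placeholders to be replaced with the real NAS address and the fingerprint recorded from the NAS itself.

```python
import hashlib
import ssl
from ftplib import FTP_TLS

# Constructed placeholders: replace with the NAS address and the SHA-256
# fingerprint of the NAS's own self-signed certificate (read it off the NAS
# directly, not over the network you are worried about).
NAS_HOST = "nas.example.invalid"
PINNED_SHA256 = "00" * 32


def cert_fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Compare a presented certificate against the pinned fingerprint.

    A MITM device presenting its own certificate will not match, even if that
    certificate happens to carry the same IP address as the NAS's certificate.
    Accepts 'AA:BB:...' or plain hex, any case, so copied fingerprints work.
    """
    expected = expected_hex.replace(":", "").lower()
    return cert_fingerprint(der_cert) == expected


def connect_pinned_ftps(host: str, user: str, password: str,
                        expected_hex: str, port: int = 21) -> FTP_TLS:
    """Open explicit FTPS, verify the server by pin, then log in.

    Credentials are sent only after the pin check passes, so a MITM that
    terminates the TLS connection never receives them.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed cert: no CA chain to validate,
    ctx.verify_mode = ssl.CERT_NONE  # so trust is established by the pin instead
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()                      # AUTH TLS: control channel is now encrypted
    presented = ftps.sock.getpeercert(binary_form=True)
    if not fingerprint_matches(presented, expected_hex):
        ftps.close()                 # abort before any credential is sent
        raise ssl.SSLCertVerificationError(
            f"certificate pin mismatch: got {cert_fingerprint(presented)}")
    ftps.login(user, password)       # USER/PASS go over the verified TLS link
    ftps.prot_p()                    # PROT P: encrypt the data channel too
    return ftps
```

Without the pin check (`verify_mode = CERT_NONE` alone) the session is still encrypted against an eavesdropper, but it accepts any certificate, which is exactly the MITM gap described above.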
