be3f46287af5d6d0d5bba1766cf9019e7c70e2b9
CRITICAL
- SftpProvider: replace PromiscuousVerifier with TofuHostKeyVerifier (trust-on-first-use; stores SHA-256 fingerprints in EncryptedSharedPreferences; rejects key changes on subsequent connections)

HIGH
- GoogleDriveProvider: replace raw string interpolation with buildJsonObject in uploadFile, createDirectory, and moveFile to prevent JSON injection
- DropboxProvider: replace all raw JSON strings and Dropbox-API-Arg headers with buildJsonObject for the same reason
- OAuthHelper: add cryptographically random state parameter to Dropbox and OneDrive authorization URLs (stored alongside the PKCE verifier)
- OAuthRedirectActivity: validate returned state against stored value before exchanging the authorization code (CSRF protection)

MEDIUM
- WebDavProvider: block cross-host redirects in the manual redirect interceptor so Authorization headers are never forwarded to a different server
- AccountSetupScreen: set FLAG_SECURE on the window while credential fields are visible to prevent screenshots and screen-recording capture
- libs.versions.toml: security-crypto alpha06 → stable 1.0.0; biometric-ktx alpha05 → biometric 1.1.0 (stable, non-ktx artifact matches the BiometricManager/BiometricPrompt API actually used in MainActivity)
- CredentialStore: migrate to security-crypto 1.0.0 API (MasterKeys.getOrCreate + positional create() args); add saveHostKey/getHostFingerprint for SFTP TOFU

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
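The trust-on-first-use check named in the CRITICAL item, as an added sketch that is not SyncFlow's own code. `FingerprintStore`, `TofuCheck` and `Verdict` are hypothetical names, an in-memory map stands in for EncryptedSharedPreferences, and the host name and keys are constructed samples.

```kotlin
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.PublicKey
import java.util.Base64

// Hypothetical stand-in for the persistent pin store (the commit message says
// the app keeps fingerprints in EncryptedSharedPreferences).
class FingerprintStore {
    private val pins = mutableMapOf<String, String>()
    fun get(id: String): String? = pins[id]
    fun put(id: String, fingerprint: String) { pins[id] = fingerprint }
}

enum class Verdict { PINNED_FIRST_USE, MATCH, REJECTED_KEY_CHANGED }

class TofuCheck(private val store: FingerprintStore) {
    // SHA-256 over the key's JCA encoding (X.509 SubjectPublicKeyInfo).
    // Assumption: this differs from the SSH wire encoding, so the value will
    // not equal what `ssh-keygen -lf` prints for the same key.
    fun fingerprint(key: PublicKey): String {
        val digest = MessageDigest.getInstance("SHA-256").digest(key.encoded)
        return "SHA256:" + Base64.getEncoder().withoutPadding().encodeToString(digest)
    }

    fun check(host: String, port: Int, key: PublicKey): Verdict {
        val id = "${host.lowercase()}:$port" // pin per host and port
        val presented = fingerprint(key)
        val pinned = store.get(id)
        if (pinned == null) {
            store.put(id, presented) // first contact: record, then trust
            return Verdict.PINNED_FIRST_USE
        }
        // A mismatch is never overwritten silently; the caller must abort.
        val same = MessageDigest.isEqual(pinned.toByteArray(), presented.toByteArray())
        return if (same) Verdict.MATCH else Verdict.REJECTED_KEY_CHANGED
    }
}

fun main() {
    val gen = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }
    val serverKey = gen.generateKeyPair().public // constructed sample keys
    val otherKey = gen.generateKeyPair().public
    val tofu = TofuCheck(FingerprintStore())
    println(tofu.check("sftp.example.test", 22, serverKey))  // first connection
    println(tofu.check("sftp.example.test", 22, serverKey))  // same key again
    println(tofu.check("sftp.example.test", 22, otherKey))   // key changed
    println(tofu.check("sftp.example.test", 2222, otherKey)) // different port, new pin
}
```

The first connection is still unauthenticated, so the pin is only as trustworthy as the network path at that moment; comparing the recorded fingerprint with the server's out-of-band closes that gap.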
SyncFlow
Native Android file sync app — sync any folder to WebDAV, SFTP, Nextcloud, ownCloud, Google Drive, Dropbox, or OneDrive.
Features
- Multi-provider — WebDAV, SFTP, SFTPGo, Nextcloud, ownCloud, Google Drive, Dropbox, OneDrive
- Flexible sync — one-way upload, one-way download, or two-way mirror
- Auto-sync — schedule by interval or trigger on Wi-Fi connect / device charge
- Conflict resolution — keep local, keep remote, keep newer, or keep both
- Secure — credentials encrypted with Android Keystore; biometric app-lock option
- No cloud dependency — runs fully on-device, no third-party relay
Install
- Download SyncFlow.apk from the latest release
- On your Android phone: Settings → Apps → Install unknown apps → allow your browser/file manager
- Open the downloaded APK and tap Install
- Open SyncFlow, go to Accounts tab → Add Account, pick your provider and sign in
- Tap + on the Syncs tab to create your first sync pair
Supported Providers
| Provider | Auth |
|---|---|
| WebDAV | Username + password |
| SFTP | Password or private key |
| SFTPGo | Username + password |
| Nextcloud | Username + password |
| ownCloud | Username + password |
| Google Drive | OAuth 2.0 (PKCE) |
| Dropbox | OAuth 2.0 (PKCE) |
| OneDrive | OAuth 2.0 (PKCE) |
Requirements
- Android 8.0+ (API 26)
- Storage permission (or SAF picker) for local folder access
Description