I've recently started using KDEconnect... My only issue is that the clipboard sharing and URL sending present a possible security risk.
While the idea is sound that I can share my clipboard with my phone, there is no influencing what is shared. I could copy a huge swath of text or other sensitive information, and end up with that on my phone without knowing, and then accidentally paste.
Similarly, the URL sharing automatically opens the URL on my desktop or my phone, which could create a pathway for malware infecting my phone to cause my computer to open a dangerous website.
Would the sane behaviour not be to specifically open a url from the KDE connect notification or under the connect taskbar widget? Should there not be some settings or at least a way of modifying the clipboard sharing... say a KDE connect manual send?
- I'm still getting into QT coding and hope to add patches, but at the moment this is outside of my abilities.
Being conscious of security is always wise, but it's worth noting that the connection between two devices in a KDE Connect network is:
- Paired — KDE Connect doesn't accept clipboard or URL transfers from just any arbitrary devices, only ones it recognizes and has already established a pre-existing relationship with.
- Bi-directionally confirmed — User action has to be taken on both ends of the connection, in order to establish a new pairing link; an unknown device can't pair with your phone, or with your computer, without you having to authorize the pairing request.
- Encrypted — Once the pairing is established, every communication over the link is end-to-end encrypted. None of the content transferred from one device to another is ever visible to the outside world, and any attempts by the outside world to hijack that connection and insert malicious data will be ignored without the proper encryption.
The intent is to make the relationship between the two devices secure enough that they can be treated as extensions of each other. Absent any bugs or security flaws, syncing your clipboard's contents to a paired device shouldn't carry significantly more risk than placing that data in the clipboard in the first place.
In fact, I've also noticed the problem of security. But if the sharing of clipboard always needs a confirmation/notification, it will be noisy and not so convenient. We should balance security and convenience.
You are reasonable, but maybe we can make it configurable in the plugin rather than always showing notifications. Users can choose whether they'd like to directly share clipboards between devices.