
Local Sync - data transfer protection with SSL

posted Sep 2, 2012, 2:32 PM by Ondřej Pšenčík   [ updated Sep 10, 2012, 5:28 AM ]
Since Local Sync version 1.7, WiFi data transfer is protected with SSL. This feature is available only on Android version 4 or greater. By default, all data transfer is encrypted except file synchronization. If you also want to encrypt file synchronization, the setting can be found in Android Local Sync Menu - Settings.


There are 2 security scenarios that can occur when using Local Sync:
  1. By default, the Local Sync built-in exchange certificate is used. This gives basic security that protects you from a novice eavesdropper (an experienced eavesdropper capable of cracking will decipher your data).
  2. You can provide your own certificate for better security if you need to be protected from an adversary (obtaining your data will then require active attacks and exploitation; she will probably use methods other than exploiting the Local Sync program to get your data).
In the Windows Local Sync main log, an icon indicates whether a transfer was secured or not. An unsecured transfer is indicated by a normal green flag and a secured transfer by a green flag with a key, so you can verify whether security is maintained.

If you want to use your own certificate (a pfx file, with private key) for SSL, you configure this in the Windows Local Sync program. Save your pfx file in a folder and open the Windows Local Sync settings.


As you can see, by default the built-in certificate is used in the Local Sync program. Press the Select certificate button and select your own pfx file.


You must provide the password for the private key. The password is stored in plain text in the Local Sync settings file (which is in the Application Data folder), so you will want to have that folder secured.


When you save the settings by pressing OK in the Settings dialog window, the certificate is applied (and the Local Sync SSL server component is restarted), as you can see in the main application log.


How to get your own certificate for free and be protected from an adversary?
The built-in certificate works out of the box with zero configuration; however, better security is achieved with your own certificate. The certificate used for the Local Sync SSL Server must have a trust anchor. You do not need to buy a certificate for this purpose; you can prepare a perfectly good certificate of your own. This is possible because, since Android 4, trusted certificates can be configured on the Android device. The steps to make it work are:
  1. generate your own signing certificate that will be used for generating the Local Sync SSL Server certificate
  2. generate the Local Sync SSL Server certificate
  3. import the cer from step 1 into the Android trust store
  4. set the certificate from step 2 in Windows Local Sync
The software necessary for creating the certificates is makecert by Microsoft. Download it as part of the Windows SDK. You can open the SDK command prompt and:

Create CA Certificate (you will be prompted for private key password)
makecert -r -pe -n "CN=Local Sync CA"  -ss CA -sr currentuser -a sha256 -sky signature -cy authority -sv LocalSyncCA.pvk LocalSyncCA.cer

Create Local Sync SSL Server certificate
makecert -pe -n "CN=Local Sync Local" -a sha256 -ss my -sr currentuser -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -ic LocalSyncCA.cer -iv LocalSyncCA.pvk -sy 12 LocalSync.cer

Open certmgr.msc and export the LocalSync certificate with its private key into a LocalSync.pfx file (you will be prompted for a private key password; this is the password you will set in the Local Sync Windows app when you configure the certificate). Delete the Local Sync certificate from the Personal store in certmgr because you do not need it there anymore.

Copy LocalSyncCA.cer onto the Android sdcard and add your own CA certificate to the Android trust store. Open Settings - Security and tap Install from SD card; an alert dialog is shown.


Tap OK. If you have not set a PIN or screen lock pattern, you will have to do it now (which is great).


You have now imported your own certificate into the Android trust store.


Set the LocalSync.pfx certificate in the Windows Local Sync program. You must protect your own certificates: the Local Sync SSL server private key password is stored in plain text, so you might want to encrypt your Application Data folder with Encrypting File System. Local Sync data transfer is then secured with a fine SSL setting. The last step to increase security (and avoid some types of attacks) is to disable the built-in certificate in Android - Menu - Settings.
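
A check of the files produced by the makecert and export steps above, as an added example that is not part of Local Sync or of the original article: it confirms that LocalSync.pfx holds a private key, is signed with SHA-256 and chains to LocalSyncCA.cer. The script and the file locations (current directory) are assumptions; it uses only the .NET X509Certificate2 and X509Chain classes.

```powershell
# Added example (not part of Local Sync): check the makecert/export results.
# Assumes LocalSyncCA.cer and LocalSync.pfx are in the current directory.
param(
    [string]$CaCerPath = '.\LocalSyncCA.cer',
    [string]$PfxPath   = '.\LocalSync.pfx'
)
$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

# Load the CA certificate (public part only) and the exported server PFX.
$caFile  = (Resolve-Path $CaCerPath).Path
$pfxFile = (Resolve-Path $PfxPath).Path
$pw  = Read-Host -AsSecureString 'Password of LocalSync.pfx'
$ca  = New-Object "$x509.X509Certificate2" -ArgumentList $caFile
$srv = New-Object "$x509.X509Certificate2" -ArgumentList $pfxFile, $pw

# Build the chain against the CA file only. The CA is private, so Windows
# does not know it as a trusted root and there is no revocation source.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$chainOk = $chain.Build($srv)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$checks = [ordered]@{
    'PFX contains the private key'     = $srv.HasPrivateKey
    # 1.2.840.113549.1.1.11 is sha256WithRSAEncryption (makecert -a sha256)
    'Server certificate uses SHA-256'  = $srv.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11'
    'CA certificate is self-signed'    = $ca.Subject -eq $ca.Issuer
    'Server certificate chain builds'  = $chainOk
    'Chain ends at LocalSyncCA.cer'    = $top.Thumbprint -eq $ca.Thumbprint
    'Server certificate is not the CA' = $srv.Thumbprint -ne $ca.Thumbprint
}

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { Write-Host "[ OK ] $name" }
    else { Write-Host "[FAIL] $name"; $failed++ }
}
# Thumbprint of the CA file that gets copied to the Android device.
Write-Host "CA thumbprint (SHA-1): $($ca.Thumbprint)"
exit $failed
```

The exit code is the number of failed checks, so 0 means the pfx and the CA file belong together.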

Note: Synchronization done via USB cable is not protected with SSL.