First: thanks for creating DAVdroid, I’m purchasing it for my family’s android devices and look forward to using it.
During my setup, I may have found a small security concern.
I’ve been having trouble making DAVdroid work with lighttpd authentication and it turns out that DAVdroid is using a preemptive authorization header on its first connection to the webserver. The only preemptive authorization capable on a first connection (without pre-shared secrets or PKI) is HTTP Basic.
When lighttpd is configured to use HTTP Digest, it replies with a 400 - Bad Request, which kills off the DAVdroid discovery process. I think lighttpd should be responding with a 401 - Unauthorized status and a WWW-Authenticate header line - this concern I’ll take up with the lighttpd author - it isn’t a DAVdroid issue. I guess I’m just trying to give some background… debugging the aforementioned issue is how I stumbled upon this concern.
It is concerning (I think) that DAVdroid is sending the (essentially cleartext) authentication data on its first connection, before determining that the server administrator has chosen such a weak authentication mechanism. DAVdroid seems to do this only over HTTPS, so in theory it is not a cleartext transmission, but given the use of MiTM SSL proxy configurations in the real world, preemptive authentication on the first connection seems (IMHO) a dubious approach.
It also turns out that if the first connection over HTTPS results in a 301 redirect, the preemptive Basic authentication request line is replayed across HTTP. See attached log showing both cases…
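As an added example (not part of the report above, and not DAVdroid's or lighttpd's code), the following Python script audits a request/response transcript for the two behaviours described here: credentials attached before any 401 challenge has been seen, and an Authorization header carried over a redirect from https:// onto http://. The transcript format and the sample lines are constructed for the example (they stand in for the attached log, which is not reproduced here); the `may_send_authorization` policy function shows the client-side rule a careful implementation would apply before attaching credentials.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample transcript modelled on the two cases in the report
# (NOT the attached log). One event per line:
#   REQ <method> <url> [Name=Value ...]
#   RES <status>       [Name=Value ...]
SAMPLE_LOG = """\
REQ PROPFIND https://dav.example.test/.well-known/caldav Authorization=Basic dXNlcjpzZWNyZXQ=
RES 301 Location=http://dav.example.test/caldav/
REQ PROPFIND http://dav.example.test/caldav/ Authorization=Basic dXNlcjpzZWNyZXQ=
RES 400
REQ PROPFIND https://dav.example.test/caldav/
RES 401 WWW-Authenticate=Digest
REQ PROPFIND https://dav.example.test/caldav/ Authorization=Digest
RES 207
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_log(text):
    """Turn the constructed transcript into a list of REQ/RES event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "REQ":
            headers = dict(p.split("=", 1) for p in parts[3:])
            events.append({"kind": "REQ", "method": parts[1], "url": parts[2], "headers": headers})
        elif parts[0] == "RES":
            headers = dict(p.split("=", 1) for p in parts[2:])
            events.append({"kind": "RES", "status": int(parts[1]), "headers": headers})
    return events


def basic_credentials(header_value):
    """Decode a 'Basic <b64>' header to show why the report calls it essentially cleartext."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    return base64.b64decode(payload).decode("utf-8")


def audit(events):
    """Flag preemptive credentials, cleartext transport, and replay across a redirect."""
    findings = []
    challenged = False      # has the server sent a 401 with WWW-Authenticate yet?
    prev_req = prev_res = None
    for ev in events:
        if ev["kind"] == "REQ":
            auth = ev["headers"].get("Authorization")
            scheme = urlsplit(ev["url"]).scheme
            if auth and not challenged:
                findings.append(f"preemptive {auth.split()[0]} credentials sent to {ev['url']} before any 401 challenge")
            if auth and scheme == "http":
                findings.append(f"credentials sent in clear over {ev['url']}")
            if (auth and prev_res and prev_res["status"] in REDIRECT_STATUSES
                    and prev_req and urlsplit(prev_req["url"]).scheme == "https" and scheme == "http"):
                findings.append("credentials replayed across HTTP after redirect from HTTPS")
            prev_req = ev
        else:
            if ev["status"] == 401 and "WWW-Authenticate" in ev["headers"]:
                challenged = True
            prev_res = ev
    return findings


def may_send_authorization(challenged, url, original_url=None):
    """Client-side policy: only send credentials after a challenge, only over HTTPS,
    and never to a different scheme/host than the one that was challenged."""
    target = urlsplit(url)
    if not challenged or target.scheme != "https":
        return False
    if original_url is not None:
        orig = urlsplit(original_url)
        if (orig.scheme, orig.hostname) != (target.scheme, target.hostname):
            return False
    return True


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print("FINDING:", finding)
    print("decoded Basic payload:", basic_credentials("Basic dXNlcjpzZWNyZXQ="))
```

Running it prints four findings for the constructed transcript: two preemptive-credential hits (the initial HTTPS request and the redirected one), one cleartext hit, and the replay-across-redirect hit; the later Digest request, sent only after the 401 challenge, is not flagged. The policy function encodes the same three rules from the client's side, which is what a non-preemptive client would consult before attaching any Authorization header.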