SUMMARY

If you accidentally click on the wrong device when requesting pairing, there is no way to cancel. This means you must wait for either (a) the request to time out, or (b) the (potentially hostile) other device to accept your pairing request, and then revoke pairing as quickly as possible, hopefully before it is able to do any damage.

A secondary component of this issue is that there's no way for the device that requests pairing to verify the key of the device that receives the request before pairing is activated. If both sides had to click okay, with a chance to view the other's key, before pairing became active, that would ameliorate this issue. As things stand, "request pair" amounts to "please give away all my device permissions to whatever is on the other end of this device label".

This issue applies to both desktop (at least on Linux) and the Android applications.

SOFTWARE/OS VERSIONS

Operating System: Arch Linux
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.106.0
Qt Version: 5.15.9
Kernel Version: 6.3.2-arch1-1 (64-bit)
Graphics Platform: X11
Android version 1.24.5 (Google Play store)

A possibly relevant merge request was started @ https://invent.kde.org/network/kdeconnect-android/-/merge_requests/366

Git commit 537f2e35ac84b498b248d7fd5da1abeeffe439dd by Albert Vaca Cintora.
Committed on 31/05/2023 at 15:23.
Pushed by albertvaka into branch 'master'.

Add the option to cancel a pairing request we sent

M +1 -0 res/values/strings.xml
M +1 -1 src/org/kde/kdeconnect/Backends/BasePairingHandler.java
M +1 -1 src/org/kde/kdeconnect/Backends/BluetoothBackend/BluetoothPairingHandler.java
M +2 -2 src/org/kde/kdeconnect/Backends/LanBackend/LanPairingHandler.java
M +2 -2 src/org/kde/kdeconnect/Backends/LoopbackBackend/LoopbackPairingHandler.java
M +3 -4 src/org/kde/kdeconnect/Device.java
M +8 -1 src/org/kde/kdeconnect/UserInterface/DeviceFragment.kt
M +1 -1 src/org/kde/kdeconnect/UserInterface/MainActivity.kt

https://invent.kde.org/network/kdeconnect-android/-/commit/537f2e35ac84b498b248d7fd5da1abeeffe439dd
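
Added example, not part of the original report and not KDE Connect code: a hypothetical requester-side pairing model of what the report describes, where `require_local_confirm=False` activates pairing as soon as the peer accepts and `True` adds the cancel option and the key check the reporter proposes. The class, state and method names, the SHA-256 fingerprint and the certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum, auto


class State(Enum):
    NOT_PAIRED = auto()
    REQUESTED = auto()          # we sent a request, peer has not answered
    AWAITING_CONFIRM = auto()   # peer accepted, local user has not checked the key
    PAIRED = auto()


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint shown to the user for out-of-band comparison."""
    return hashlib.sha256(cert).hexdigest()


class PairingSession:
    """Hypothetical requester-side model; not KDE Connect's implementation."""

    def __init__(self, require_local_confirm: bool):
        self.require_local_confirm = require_local_confirm
        self.state = State.NOT_PAIRED
        self.peer_cert = None

    def request_pairing(self):
        self.state = State.REQUESTED

    def cancel(self):
        # Withdraw a request sent to the wrong device; a late accept is then ignored.
        if self.state in (State.REQUESTED, State.AWAITING_CONFIRM):
            self.state, self.peer_cert = State.NOT_PAIRED, None

    def on_peer_accepted(self, cert: bytes):
        if self.state is not State.REQUESTED:
            return  # stale or unsolicited accept: never upgrade trust
        self.peer_cert = cert
        self.state = (State.AWAITING_CONFIRM if self.require_local_confirm
                      else State.PAIRED)

    def confirm(self, expected_fingerprint: str) -> bool:
        # The user compares the fingerprint read off the other device's screen.
        if self.state is not State.AWAITING_CONFIRM:
            return False
        if hmac.compare_digest(fingerprint(self.peer_cert), expected_fingerprint):
            self.state = State.PAIRED
        else:
            self.cancel()
        return self.state is State.PAIRED

    def plugins_allowed(self) -> bool:
        return self.state is State.PAIRED
```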