Syncthing-Android have had a change of owner/maintainer
31 comments
·December 7, 2025bxparks
I don't follow the Syncthing ecosystem, so it's difficult to understand what is happening.
[Edit: The GitHub repos are called "syncthing-android". The Android apps are called "Syncthing-Fork" or "Syncthing-Fork Wrapper", which adds to the confusion.]
If I recall, there used to be a syncthing-android app on Google PlayStore. That was discontinued by @imsodin in Oct 2024 (https://forum.syncthing.net/t/discontinuing-syncthing-androi...).
There was a version of sycnthing-android on F-Droid. I don't remember who maintained that. I have version 1.30.0.4 installed. But I cannot find any information about that version anymore.
The current version on F-Droid is 2.0.12.1. That seems to be maintained by a fellow named @researchxxl. Apparently @researchxxl claims to have inherited the source code and signing keys from a person named @Catfriend1 (Not sure who that is, the maintainer of version 1.30.0.4?)
There is another fellow named @nel0x who seems to be maintaining a different version of synchthing-android? (Edit: Here it is, https://github.com/nel0x/syncthing-android, which says that it is a fork of the one maintained by @Catfriend1).
bxparks
[Passed my edit window, so replying to self]
Looks like the original repo of syncthing-android, (https://github.com/Catfriend1/syncthing-android), which was maintained by @Catfriend1, now redirects to the one maintained by @researchxxl (https://github.com/researchxxl/syncthing-android).
The problem seems to be that no one in the syncthing community knows who @researchxxl is. The account was created only 3 weeks ago. There was no communication about how the transfer took place. Was the transfer actually authorized? Did @Catfriend1 get hacked? People are worried about a backdoor hijack attack similar to the XZ libary.
There's a long discussion at https://forum.syncthing.net/t/does-anyone-know-why-syncthing.... It is too long and complex for me to follow. (I tried to get an LLM to summarize that thread for me, but the output was not helpful.)
It is unclear what sycnthing-android users are supposed to do right now. I am staying at version 1.30.0.4 until things become more clear.
j-bos
> People are worried about a backdoor hijack attack similar to the XZ libary.
This is a particular concern because the syncthing-fork is coded to require full storage access, iirc for compatibility with certain phones. Idr, went through with Claude and iterrated through a diff of everything that between Catfriend1's changes and the original repo. The broad access really isn't necessary on most phones as I refactored the flag, compiled the app and installed it with no problems. I ultimately decided to go with the official build to make updates easy, now hmmm. Troubling when the trust gets so dilluted.
accoil
This is how I've observed it: Catfriend1 has long been the owner of syncthing-fork on android, which was fork of the official client syncthing-android. It had extra features around Android that were lacking in the official client (e.g sync windows to reduce battery usage).
When google locked down on file apis a year or so ago, the official syncthing-android pulled out of google play, but syncthing-fork stuck around in fdroid as the fork was for personal purposes, and they were using fdroid for distribution in the first place.
This change in ownership is new to me, but I'm also not surprised it happened as syncthing-fork was always a personal project.
s_ting765
> I have version 1.30.0.4 installed.
Can confirm same case here. App was installed from f-droid, no longer linked to the store.
embedding-shape
Additional context from the original author of syncthing-android, Catfriend1: https://forum.syncthing.net/t/does-anyone-know-why-syncthing...
sevg
Thanks for sharing this.
I thought this comment was strange at the end of Catfriend1’s post:
> I’ll review the progress from time to time and if I find anything malicious going on, I’ll let you know here.
That’s absolutely not something you say when you trust the person you’re handing things over to :s
bgbntty2
Seems like a statement to reassure users who don't necessarily have any trust in the new maintainer. And even if the users trust the new maintainers, it's better to have the reassurance of previous maintainer on top.
Trust is not transitive, nor should it be. We (the users) trust the previous maintainer. They trust the new one. We don't (naturally). The old maintainer says they'll review the new one's work, so we'll have trust the old maintainer (mostly).
Not that the whole trust system can't improve in various ways in general. But for now we have to trust someone.
sevg
> Seems like a statement to reassure users who don't necessarily have any trust in the new maintainer.
The statement didn’t seem reassuring.
It’d have been reassuring to hear something like “This person has been a committer for X period, and has demonstrated Y and Z.”
> They trust the new one.
Well my point is it doesn’t sound like they actually do trust the new maintainer. Maybe just poor choice of words, but it didn’t fill me with confidence.
NelsonMinar
Syncthing is such a reliable workhorse. I hope the Android situation gets sorted out. It's been tricky over the years as Android makes it harder and harder to work with simple files.
zelphirkalt
Nowadays there are people out there, who use computing devices (can we still call Android phones that?), who don't even know what a "file" is. Mind-boggling, or maybe not so much, considering the constant pushes by big tech.
joshstrange
I use Syncthing and have for many years but I don’t use it on Android so feel free to dismiss my opinion.
I’ve read through a number of the GitHub/Gitlab/Forum threads and while I’m not saying anything new:
You couldn’t script a more suspicious transfer [0]. That fact is maybe the most compelling reason to assume it’s actually above board, if there is malicious intent, it’s being poorly disguised. To make matters worse, both Catfriend1 and researchxxl appear to be very bad at communicating (both in language and speed). Yes, Catfriend1 has surfaced and says they did transfer the repo/signing keys. Why that couldn’t have been posted at the start of this is beyond me. Researchxxl seems to not be a native english speaker and I tried to take that into consideration but I’m increasingly finding it difficult to give them the benefit of the doubt. They seem… immature, that’s the best way I can put it. They certainly don’t seem trustworthy nor have they made any attempt to address raised concerns. I wouldn’t touch their releases based on what I’ve seen, way too much access and way too little trust.
[0] Repo redirected to brand new account/repo with no notice/announcement from original owner. Furthermore, evidence that the signing keys were transferred and users might be at risk of malicious updates (see the many examples of Chrome extensions that were quietly sold and turned malicious).
robbiet480
I love using Syncthing for syncing all my ROMs and saves across my handhelds (RG35XXSP running muOS, AYN Thor running Android), my NAS and MacBook. I'm trying to figure out what my concern level should be with a change in ownership of syncthing-fork for Android though. I guess let's see what happens?
shantara
I’m using Syncthing, though not the Android version. After reading the forum thread, the whole situation seems to be mishandled pretty badly. I wouldn’t feel comfortable entrusting my sensitive data to them after such a sketchy handover process. As mentioned by the others there, it’s suspiciously similar to browser extensions being sold to the data mining / adtech companies.
blibble
> it’s suspiciously similar to browser extensions being sold to the data mining / adtech companies.
it looks very much like this
if it had been handed over to someone with a long-lived github account, who was known in the community it would be one thing
but a 3 week old account? I'll be staying the hell away
honktown
I ended up moving from Syncthing to FolderSync, the Syncthing setup for adding folders is pretty tedious and I can reuse my existing webdav (or sftp) server with FolderSync.
My use case was probably simpler than some peoples use of syncthing as I just use it for backing up photos/messages/settings and dont need it to be instant.
My only issue with FolderSync is that its proprietary but its the only option i found that worked well. The various rclone frontends that exist also didnt work nicely with the webdav server I use so I settled on it, its very polished so I dont mind too much.
raybb
For those curious: https://foldersync.io/
10 euros for an Android license for or $28 (yes they use two currencies on one page) for a desktop license. The free ad supported version on the play store has over a million downloads.
dotancohen
I'm glad to see that they have a Linux client.
yoavm
FWIW, I see EUR for both offerings.
pylotlight
roundsync is good too
skeledrew
I'm on v1.28.1. Didn't even notice it hasn't been updated for a while as it works fine for me as is. And unless Android gets more things that cause breakage I don't see a need for updating.
rolandog
Seems like I hadn't switched away from the previously official Play store app (v 1.27.3) [0] archived on 2024-12-03.
null
XorNot
Urgh okay I'm confused about what's happening: looking at F-droid it looks like the handover has happened so what are people feeling about this now?
xnx
tldr. What should I use? I've got "Syncthing-Fork Wrapper Version v2.0.10.1"
Additional context from the original author of syncthing-android, Catfriend1: https://forum.syncthing.net/t/does-anyone-know-why-syncthing...