diff --git a/cmd/camtool/index.go b/cmd/camtool/index.go
index 9dc2b0249..829f0027e 100644
--- a/cmd/camtool/index.go
+++ b/cmd/camtool/index.go
@@ -19,15 +19,18 @@ package main
 import (
 	"flag"
 	"fmt"
+	"net/http"
 	"os"
+	"strconv"
 
 	"camlistore.org/pkg/client"
 	"camlistore.org/pkg/cmdmain"
 )
 
 type indexCmd struct {
-	verbose bool
-	wipe    bool
+	verbose     bool
+	wipe        bool
+	insecureTLS bool
 }
 
 func init() {
@@ -35,6 +38,9 @@ func init() {
 		cmd := new(indexCmd)
 		flags.BoolVar(&cmd.verbose, "verbose", false, "Be verbose.")
 		flags.BoolVar(&cmd.wipe, "wipe", false, "Erase and recreate all discovered indexes. NOOP for now.")
+		if debug, _ := strconv.ParseBool(os.Getenv("CAMLI_DEBUG")); debug {
+			flags.BoolVar(&cmd.insecureTLS, "insecure", false, "If set, when using TLS, the server's certificates verification is disabled, and they are not checked against the trustedCerts in the client configuration either.")
+		}
 		return cmd
 	})
 }
@@ -79,6 +85,10 @@ func (c *indexCmd) sync(from, to string) error {
 func (c *indexCmd) discoClient() *client.Client {
 	var cl *client.Client
 	cl = client.NewOrFail()
+	cl.InsecureTLS = c.insecureTLS
+	cl.SetHTTPClient(&http.Client{
+		Transport: cl.TransportForConfig(nil),
+	})
 	cl.SetupAuth()
 	return cl
 }
diff --git a/cmd/camtool/sync.go b/cmd/camtool/sync.go
index 2472c477e..961038675 100644
--- a/cmd/camtool/sync.go
+++ b/cmd/camtool/sync.go
@@ -21,7 +21,9 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net/http"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -38,11 +40,12 @@ type syncCmd struct {
 	dest  string
 	third string
 
-	loop      bool
-	verbose   bool
-	all       bool
-	removeSrc bool
-	wipe      bool
+	loop        bool
+	verbose     bool
+	all         bool
+	removeSrc   bool
+	wipe        bool
+	insecureTLS bool
 
 	logger *log.Logger
 }
@@ -59,6 +62,10 @@ func init() {
 		flags.BoolVar(&cmd.wipe, "wipe", false, "If dest is an index, drop it and repopulate it from scratch. NOOP for now.")
 		flags.BoolVar(&cmd.all, "all", false, "Discover all sync destinations configured on the source server and run them.")
 		flags.BoolVar(&cmd.removeSrc, "removesrc", false, "Remove each blob from the source after syncing to the destination; for queue processing.")
+		// TODO(mpl): maybe move this flag up to the client pkg as an AddFlag, as it can be used by all commands.
+		if debug, _ := strconv.ParseBool(os.Getenv("CAMLI_DEBUG")); debug {
+			flags.BoolVar(&cmd.insecureTLS, "insecure", false, "If set, when using TLS, the server's certificates verification is disabled, and they are not checked against the trustedCerts in the client configuration either.")
+		}
 
 		return cmd
 	})
@@ -163,7 +170,10 @@ func (c *syncCmd) storageFromParam(which storageType, val string) (blobserver.St
 		return disk, nil
 	}
 	cl := client.New(val)
-	// TODO(mpl): probably needs the transport setup for trusted certs here.
+	cl.InsecureTLS = c.insecureTLS
+	cl.SetHTTPClient(&http.Client{
+		Transport: cl.TransportForConfig(nil),
+	})
 	cl.SetupAuth()
 	cl.SetLogger(c.logger)
 	return cl, nil
@@ -206,9 +216,17 @@ func (c *syncCmd) syncAll() error {
 	for _, sh := range syncHandlers {
 		from := client.New(sh.From)
 		from.SetLogger(c.logger)
+		from.InsecureTLS = c.insecureTLS
+		from.SetHTTPClient(&http.Client{
+			Transport: from.TransportForConfig(nil),
+		})
 		from.SetupAuth()
 		to := client.New(sh.To)
 		to.SetLogger(c.logger)
+		to.InsecureTLS = c.insecureTLS
+		to.SetHTTPClient(&http.Client{
+			Transport: to.TransportForConfig(nil),
+		})
 		to.SetupAuth()
 		if c.verbose {
 			log.Printf("Now syncing: %v -> %v", sh.From, sh.To)
@@ -235,6 +253,11 @@ func (c *syncCmd) discoClient() *client.Client {
 	} else {
 		cl = client.New(c.src)
 	}
+	cl.SetLogger(c.logger)
+	cl.InsecureTLS = c.insecureTLS
+	cl.SetHTTPClient(&http.Client{
+		Transport: cl.TransportForConfig(nil),
+	})
 	cl.SetupAuth()
 	return cl
 }
diff --git a/pkg/client/config.go b/pkg/client/config.go
index 5a6164fb1..808d292b0 100644
--- a/pkg/client/config.go
+++ b/pkg/client/config.go
@@ -278,24 +278,28 @@ func (c *Client) useTLS() bool {
 	return strings.HasPrefix(c.server, "https://")
 }
 
-// SetupAuth sets the client's authMode from the client configuration file or from the environment.
+// SetupAuth sets the client's authMode. It tries from the environment first if we're on android or in dev mode, and then from the client configuration.
 func (c *Client) SetupAuth() error {
-	// env var always takes precendence
-	authMode, err := auth.FromEnv()
-	if err == nil {
-		c.authMode = authMode
-		return nil
-	}
-	if err != auth.ErrNoAuth {
-		return fmt.Errorf("Could not set up auth from env var CAMLI_AUTH: %v", err)
+	// env var takes precedence, but only if we're in dev mode or on android.
+	// Too risky otherwise.
+	if android.OnAndroid() || os.Getenv("CAMLI_DEV_CAMLI_ROOT") != "" {
+		authMode, err := auth.FromEnv()
+		if err == nil {
+			c.authMode = authMode
+			return nil
+		}
+		if err != auth.ErrNoAuth {
+			return fmt.Errorf("Could not set up auth from env var CAMLI_AUTH: %v", err)
+		}
 	}
 	if c.server == "" {
-		return fmt.Errorf("CAMLI_AUTH not set and no server defined: can not set up auth.")
+		return fmt.Errorf("No server defined for this client: can not set up auth.")
 	}
 	authConf := serverAuth(c.server)
 	if authConf == "" {
 		return fmt.Errorf("Could not find auth key for server %q in config", c.server)
 	}
+	var err error
 	c.authMode, err = auth.FromConfig(authConf)
 	return err
 }