Cloudflare Access and the Android App

Disable “Cloudflare Access” so you can set up your app. Once the app works, enable “Cloudflare Access” again.

1 Like

Seems not to work on Android. Currently my HA instance is accessible on the public internet without any additional authorization layer beyond the HA internal one (with two factor).

The companion app is already set up, but once I enabled the application on Cloudflare Zero Trust, the app is not working anymore (HA could not be reached), followed by the authentication loop in Chrome.

Even if you got this working you would have to carve out a bypass exception for the entire HA API. It’s not possible to get HA entirely behind access because the app has to be able to talk to the API without requiring any user interaction to do things like report zone/location changes, changes in phone settings, etc.

If Cloudflare’s auth token had expired (which it does once every 30 days if you give it max lifetime) then these API calls would simply fail. An API call cannot require user interaction, so an auth screen is a failure.

I tried to set this up at one point but gave up. I kept running into challenges and realized I was going to have to carve out this gaping exception, which made it kind of pointless, since the API can do everything the UI can do and more, after all.

With the GitHub Access method in Cloudflare, it works, but only when setting up the companion app for the first time.
The problem is that, after a month, you have to delete all app data and reconfigure the app again, so that in the initial setup process you are shown the login page.

Another solution I have tried is a bypass policy with WARP 1.1.1.1 and Zero Trust teams, so devices connected via the Zero Trust 1.1.1.1 team can access directly without any login in GitHub or Google.
The problem with this solution is that 1.1.1.1 does not work perfectly, and my mobile phone sometimes lost its internet connection, and I had to turn 1.1.1.1 off and on.

Anyway, the first solution suggests that the companion app has the ability to show the Cloudflare login page, as it does at the initial setup process.
It would be great if they enabled it always, or via some configuration option.
Another solution would be the possibility of making a backup of the companion app configuration, so when once a month we have to delete app data, we could restore the previous configuration easily.

I think I “solved” this issue locally, however it required a code change in the Android companion app. It looks like:
io.homeassistant.companion.android.webview.WebViewActivity
uses TLSWebViewClient as its webViewClient. This TLSWebViewClient is preconfigured there and there are overrides for several standard methods from WebViewClient. The method “shouldOverrideUrlLoading” is the root cause of our problem here.
It implements the following condition:

```kotlin
// inside shouldOverrideUrlLoading: `it` is the URL the WebView wants to load
} else if (!webView.url.toString().contains(it.toString())) {
    // URL is not part of the current page URL: hand it to the system browser
    Log.d(TAG, "Launching browser")
    val browserIntent = Intent(Intent.ACTION_VIEW, it)
    startActivity(browserIntent)
    return true
}
```

When CF authorization happens, this condition is matched and the web browser is opened.
If this condition is commented out, the web browser is not started and we can successfully accomplish CF authentication.

1 Like

Well done on finding this!

Also battling with this… It’s taken me a while to get my head around all the networking… Running cloudflared in Docker and everything is now working except for this issue. If I use HA in the browser that works, just not in the companion app. Any chance of this fix making its way into an app update anytime soon?

1 Like

I have noticed something else here: when the app launches the browser and it gets stuck in its endless “unable to connect” loop… The URL is:
https://ha.xxx.xxx/lovelace?external_auth=1
If you delete external_auth=1 then obviously it loads with no issue… Not sure if this is at all useful, but hoping for a fix…

Well, the cloudflared add-on seems to work, but it’s the same, I guess, as having no access control on the Cloudflare side… Not ideal, but still better than port forwarding an unencrypted connection.

I can confirm the behavior and I’m also interested to get a working solution.

Authorization just works on the first companion (Android) setup, but after the authorization expires you won’t be able to authorize again. The only workaround is to delete the app data.

Another solution would be to use service tokens:
Link

I would prefer the service token but both solutions should work in my opinion.

Another workaround is the WARP app:
Link
(I hope it is OK to link externally; maybe someone is interested in the workaround…)

3 Likes

It would be nice if CloudFlare worked with the Android app, but for now I’ll keep using WireGuard.

Also hoping for an app update supporting this. Looks like it should be as easy as removing that “external_auth” query parameter when loading the app after using access.

1 Like

Feel free to submit a pull request to do it if it sounds that easy.

1 Like

Feel free to submit a pull request to do it if it sounds that easy.

Maybe I will.

Please consider not making snarky remarks and be more welcoming of new members. Thanks.

1 Like

I tried using the WARP app, but it just doesn’t seem to work. I can get it to link to my Zero Trust account, but the HA Android app (and even if I try to access HA through a browser) keeps telling me that the Gateway is off, even after following multiple tutorials.

Did you enable an access policy for the gateway in the app you created on Cloudflare for HA?

Hi, I found an easy solution for anyone who wants to have Cloudflare Access for external access.
We could add an option after the “Internal Connection URL”. We could call it “External Connection Headers”.

This new option would allow the user to add Key Value entries. These entries would be added to every request made using the non-internal URL.

I haven’t developed Android apps for years (and never developed iOS apps). It doesn’t sound hard to do. Anyone interested, with Android/iOS knowledge, could validate the possibility. This is the idea I have. There might be a better solution, or a problem I’m missing.

1 Like

This could be a solution. Zero Trust allows adding a skip policy for a token in a header.
Anyway, with the last app update, now we can remove the server and add it again. You have to reconfigure widgets but, at least, you don’t have to reconfigure all sensors.

Has anyone found a solution for this? I would love to add the extra security of a One-time PIN to access my HA from the app.

1 Like

Someone just opened a PR allowing the Android companion app to have custom headers; this will allow us to use a Cloudflare service token!

Let’s show our interest in this feature with a :+1: on the PR so moderators know we care about it!

2 Likes
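The “External Connection Headers” idea above and the custom-headers PR both come down to the same decision: attach the Cloudflare Access service token headers only to requests that go through the external URL, and notice when Cloudflare still answers with its login redirect. The following is an added example written for this thread (not code from the companion app or the PR); the header names are the real ones Cloudflare Access reads, the token values, hostnames and the `*.cloudflareaccess.com` redirect pattern are constructed assumptions.

```python
from urllib.parse import urlsplit

# Header names Cloudflare Access reads for a service token (real names;
# the values below are constructed placeholders, not real credentials).
EXTERNAL_HEADERS = {
    "CF-Access-Client-Id": "<service-token-id>.access",
    "CF-Access-Client-Secret": "<service-token-secret>",
}


def _origin(url):
    """(scheme, host, port) with default ports filled in, for origin comparison."""
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), p.port or default)


def headers_for(request_url, external_url, external_headers=EXTERNAL_HEADERS):
    """Extra headers to attach to one request, per the "External Connection Headers" idea.

    The token is sent only when the request targets the exact external origin
    over https: never on the internal URL, never on an http downgrade, and
    never on a redirect that lands on some other host.
    """
    target = _origin(request_url)
    if target[0] != "https" or target != _origin(external_url):
        return {}
    return dict(external_headers)


def is_access_login_redirect(status, location):
    """Detect the redirect Cloudflare Access issues when a request is not authorised:
    a 3xx whose Location is the team's *.cloudflareaccess.com login page (host
    pattern assumed, not taken from the thread). Seeing this on an API call means
    the headers did not satisfy Access and the app would fall into the browser
    login loop described above.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    host = (urlsplit(location).hostname or "").lower()
    return host.endswith(".cloudflareaccess.com")


if __name__ == "__main__":
    for url in ("https://ha.example.com/api/states",        # external: gets the token
                "http://192.168.1.10:8123/api/states",      # internal: no token
                "https://other.example.com/api/states"):    # other host: no token
        print(url, "->", sorted(headers_for(url, "https://ha.example.com")))
```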

I would also like this capability! Give us remote access along with an additional secure layer of zero trust authentication!

You can implement SSL authentication in the Cloudflare Firewall (WAF).
Then you just install the certificate on your mobile. The Android app allows authenticating via certificate.
You only have to clear the cache in the app and log in. You will be asked to choose a certificate among those installed on your mobile. You choose the Cloudflare certificate and voilà.