It’s great that the iOS app supports location and push notifications, but I’m very reluctant to open up full home assistant to the external world.
Is there a possibility (as a feature request) to support a limited API to home assistant to update things like location etc, such that if there is a vulnerability later down the line - exposure could be limited.
As the app matures the “limited” API you propose would eventually become the full API as features are added. This idea will just add more maintenance overhead and wouldn’t really serve any purpose.
There are tons of people who have exposed their HA instance to the internet. If you do it properly, there isn’t much to worry about. If you are hesitant because of a possible exploit being found, then you may want to kill all power to your home just to be safe.
You need to allow requests to /api/states, /api/service*, /api/events*at least. Will try to remember to check the full list later tonight and report back.