The Fully Kiosk Browser integration allows to interact with the Fully app from HA. The integration uses the app’s Remote Admin RESTful API to expose its reporting and control capabilities in Home Assistant as a device with multiple entities. While the Fully app API supports HTTPS, the integration doesn’t. It defaults to HTTP only, which appears to be hardcoded.
FullyKioskEntity in homeassistant\components\fully_kiosk\entity.py has http hardcoded in the configuration_url parameter:
class FullyKioskEntity(CoordinatorEntity[FullyKioskDataUpdateCoordinator], Entity):
"""Defines a Fully Kiosk Browser entity."""
_attr_has_entity_name = True
def __init__(self, coordinator: FullyKioskDataUpdateCoordinator) -> None:
"""Initialize the Fully Kiosk Browser entity."""
super().__init__(coordinator=coordinator)
self._attr_device_info = DeviceInfo(
identifiers={(DOMAIN, coordinator.data["deviceID"])},
name=coordinator.data["deviceName"],
manufacturer=coordinator.data["deviceManufacturer"],
model=coordinator.data["deviceModel"],
sw_version=coordinator.data["appVersionName"],
configuration_url=f"http://{coordinator.data['ip4']}:2323",
connections={(CONNECTION_NETWORK_MAC, coordinator.data["Mac"])},
)
A packet capture taken while adding the integration shows the attempt to get app data over HTTP, revealing sensitive information:
Adding support for HTTPS would be greatly beneficial for obvious security reasons. Specially because of the wide-ranging control that the app can exert over the host device. This is greatly helpful for managing tablets that function as smart home panels.