Secure communication channel for iOS app

Going to add one more thing because I really want to contribute to the mindset of this idea. I don’t think TLS certificates are the right or wrong answer - but I do think the requirement is very important. The technical method is being dismissed (TLS), and the overall goal (security) is not being considered as a result.
Nabu is great but I don’t know how it works and the whole purpose of moving to HA was to get rid of cloud so I could take back control of things myself. Nabu is not a solution.
If Home Assistant wants adoption to go beyond low-security entities like light switches - it’s going to need to get serious about security. I have doors that it can unlock and air-conditioning units which I dare not expose on HA because it’s not secure enough. Username and password (and 2FA) are just one part of the 2 essential security requirements (something I know, and something I have). My 2FA is on the same phone I access HA - so cannot be classed as something I have.
A secure token that can be sent from the HA admin screen to the companion app for each device would satisfy “something I have”. It would do the same job as a cert (albeit less crude and more safe since it cannot be copied like certs can). In this case it also makes sense to have switch blocking access to HA by browsers from the external internet - users must use the companion app and its stored token for full security. This is what 2N and Axis (door entry security companies) did for their customers. I would happily pay a one-time fee to unlock this code. (but I am subscription exhausted - canceling as many as I can).

Voted, but it looks like no one cares about iOS. I’m also exhausted of subscriptions. PLEASE allow mTLS on iOS devices; this makes no sense.

10000% agreed with you. In my case I use an always-on VPN via WireGuard. What is your solution for connection? I just want to take ideas; maybe I’m wrong, but an always-on WireGuard VPN is the secure option given that I don’t want to pay Nabu Casa.

Also upvoting this.

I guess giving us the ability to add custom headers with custom values to any request made by the app would be less hard to implement and at least offer us some more options to filter for at WAF level.
At least give us this option if mTLS isn’t gonna happen.

1 Like

The possibility to use mTLS authentication for the iOS companion app would be great! Voted!
I also use Immich; they implemented it in their iOS app and it works great. Maybe the Home Assistant developers could have a look/talk there.

Hello

New user coming from Jeedom!
I put the mTLS security level on my homelab on Cloudflare directly without checking the basics first: is mTLS supported on the iOS app?
I was sure this pretty common thing was… I was wrong :face_exhaling:

It’s working on the Android app, thank god, as my wife has Android :laughing:

I will remain behind a Tailscale-exposed FQDN on my side until this basic feature is implemented properly on the iOS app!

C’mon guys, Home Assistant is a door to users’ doors, please give them the best security level :rocket:

2 Likes

Does HA as a webapp support location updates etc.? I want to set this up for my parents, as a VPN is too advanced for them and they have some automations depending on their phone location (home or not_home).

I could technically just use an input_boolean exposed to the Home app in the worst case.

I want to do the exact same thing. For my father who still uses an iPhone (although he was supposed to switch to a new android phone issued from work this year, which we have not heard any news about) and I want to automate notifications for when he leaves work because he forgets to message us a lot of the time. I resorted to just exposing HA through cf for now with admin account behind local access, but this still isn’t what I want.

Hey, you can do something like:

  • Use safari webapp instead of home-assistant iOS app
    • Enable mTLS since it’s just a website
  • Use Apple Home for automation, expose an input_boolean or something else from Home Assistant to Apple Home and let Apple Home adjust this switch based on his location
  • Do whatever you want with the input_boolean that gets updated based on location

Or since you use Cloudflare, you could use the Cloudflare WAF and limit it to certain ASNs (i.e. his mobile phone provider) and other rules that would limit the exposure greatly. I do this (for my parents) instead of going webapp, since the Cloudflare WAF removes 99% of the unwanted connections. That combined with 2FA should be good enough.

If you set up good Cloudflare WAF rules, this should be secure enough. Not as good as mTLS, but good enough.

I would like to see that we can add Cloudflare headers in the app. Then we can use a Cloudflare Zero Trust Application with Service Tokens to allow access.

Someone did a feature request but it got rejected. I can’t understand why… it’s a good way of protection and you can turn the feature on if you wanna use it.

1 Like

Hi, everyone!
I played around a bit and got mTLS working, see PR below.

This code is by no means perfect, but might be a good starting ground, if the maintainers are willing to implement it, that is.

1 Like

Would love developers to re-consider integrating this feature…

The technical method is being dismissed (TLS), and the overall goal (security) is not being considered as a result.

+10000…

I asked to make it possible to add headers in the iOS app. I’m using Cloudflare Zero Trust and applications with policies. I want to add a service token in the app so I can create a policy to allow connection to HA and otherwise deny it.

1 Like
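As an added illustration of what the service-token header idea from the posts above amounts to on the defending side (this is example code, not Home Assistant’s or Cloudflare’s own), here is the gate logic a proxy in front of the HA origin would apply: the request passes if the client presented a verified client certificate (mTLS), or if it carries the `CF-Access-Client-Id` / `CF-Access-Client-Secret` header pair matching a provisioned service token; everything else is denied before it reaches HA. The token values are constructed placeholders.

```python
import hmac
from typing import Mapping

# Constructed sample service token (placeholder values, not real credentials).
# In a real deployment these come from the access proxy's service-token config.
SERVICE_TOKEN_ID = "ha-companion-iphone"
SERVICE_TOKEN_SECRET = "constructed-secret-value-0123456789"


def has_valid_service_token(headers: Mapping[str, str]) -> bool:
    """True only when both service-token headers are present and match.

    Header names are the CF-Access-Client-Id / CF-Access-Client-Secret pair
    used by Cloudflare Access service tokens. Both comparisons are constant
    time and both are always evaluated, so a mismatch does not leak which
    header (or which byte of the secret) was wrong through timing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    client_id = lowered.get("cf-access-client-id", "")
    client_secret = lowered.get("cf-access-client-secret", "")
    if not client_id or not client_secret:
        return False
    id_ok = hmac.compare_digest(client_id.encode(), SERVICE_TOKEN_ID.encode())
    secret_ok = hmac.compare_digest(client_secret.encode(), SERVICE_TOKEN_SECRET.encode())
    return id_ok and secret_ok


def authorize(headers: Mapping[str, str], client_cert_verified: bool) -> str:
    """Gate decision for one request to the HA origin.

    client_cert_verified is what the TLS terminator reports after mTLS
    verification (e.g. the proxy's client-verify status), so a browser or
    app that can do mTLS needs no headers; an app that can only add custom
    headers (the iOS request in this thread) is admitted via the token pair.
    """
    if client_cert_verified:
        return "allow:mtls"
    if has_valid_service_token(headers):
        return "allow:service-token"
    return "deny"
```
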

Hopefully the recent PR by marius or the previous one by sevi might get a chance. It’s not understandable why HA would not support the implementation of custom headers and/or mTLS.
People want to implement authentication and remote access on their own. It’s not about “hey, you might subscribe to the Nabu Casa service”; it’s about the open platform itself.