Sharing Location with HA app on iOS to mitigate security vulnerabilities

Up until now, I have not been sharing my phone’s location with the HA app. I access HA over http:// while on wifi and also while not at home, over VPN. So, only the internal URL is configured in the app.

A prompt appeared when I opened the HA app on my iPhone 13 today. It suggested I share location data with the app because there are apparently security vulnerabilities if I don’t do so. I don’t understand how such vulnerabilities can exist, nor how sharing my location addresses them. Perhaps the concern is that, if I’m away from home and not on VPN, and I open the app on public wifi, someone might intercept a security token or similar?

Here is the link. If someone could explain if/why someone accessing unencrypted HA over VPN would benefit from sharing location data, that would be very helpful.

Just guessing, but I think this is the key:

On Android you can also set using a VPN or Ethernet access as home network

Apple undoubtedly doesn’t provide that info under iOS. So it’s probably not that it’s insecure, it’s just that the app can’t tell you’re on a VPN, so it errs on the side of caution.

Thank you for that. I do think the iOS app would “know” that I am either using a VPN, or I am otherwise not successfully connecting to my internal URL when I’m not home. And I think it’s true that, if I’m using a VPN, there is no security risk.

So I suppose that means that I’m correct in my presumption that, if I do not have my phone’s VPN client turned on and I open the HA app, there is an inherent security risk in having done so (otherwise, why send out these prompts to users like me?)? If so, what is the risk? Tokens being eavesdropped upon?

For instance, if the app were to attempt to connect to http://192.168.1.5:8123&token=abcdefg1234567, and then some evil-doer saw that token from the attempted (but failed, because VPN was inactive) login? But if the iOS app can’t know whether the VPN is active or inactive anyway, what’s the point of it knowing whether I’m home or away?

I’m not an expert so I’m trying to understand.

@bgoncal perhaps you would be kind enough to clarify. In short, my issue is:

iOS app is configured with only internal URL. So, if I open HA companion app (iPhone 13) while not on home wifi I will need to use my VPN. As such, three possibilities exist:

  1. I open the app while on home wifi
  2. I open the app while not on home wifi and VPN is active
  3. I open the app while not on home wifi and VPN is not active (yet)

My question is, given that only my internal URL is configured in the app, what security vulnerabilities exist if I open the app as per #3, above? And how are those vulnerabilities mitigated if I share my location with the HA app as recommended in the official docs?

Edit: I should note that I have read the portion of the docs that reads “However, if you accidentally connect from a public Wi-Fi network or untrusted location…” and I am confused because I cannot connect to my server without using the VPN. Perhaps this was written for users who forward port 8123? Or, should the docs read “if you accidentally attempt to connect…” and there is indeed an issue that pertains to possibility #3.

I honestly don’t understand how it applies to me and I presume that it does somehow. I am genuinely curious to know.

Hey sure, I can give you a quick explanation.

Since you only use VPN for your remote access, this means your internal URL = external URL, you use the same URL whether you’re home or not (even when you only set one of those in the app).

If you choose the “Most secure” connection security level, it will require location permission to check which Wi-Fi network you’re on at that moment. If it matches what you configured as “Home network” in the app, it will allow using the internal URL.

The app always allows usage of the external URL because, in theory, you shouldn’t have non-HTTPS remote access since it’s not secure.

Back to your situation: you use VPN to access Home Assistant remotely. In that case, the connection security level feature won’t help you. To have your setup working, you have to move your internal URL to external and (in a perfect world) always be connected to the VPN to avoid exposing your credentials on public Wi-Fi.

Credentials can be exposed in situations where the app accesses information or performs actions in the background, such as getting the state of an entity to display on a widget or triggering a script from Siri Shortcuts. If your VPN is on, you’re good; if it’s off, your credentials travel without encryption through HTTP.

Thank you for the thorough explanation. Forgive me, but I’m still a bit confused.

So, if I’m on public wifi and my VPN is off, I will indeed transmit sensitive data if I open the companion app (and/or have the Siri or sensor features you mentioned). Correct?

And the point of sharing the location with the app is so the app knows when it is away from home, and thereby it will not transmit sensitive data unless the VPN is connected. So, the iOS companion app knows whether a VPN is connected or not. Correct?

By the way, the app is great and I really appreciate all the work that goes into it. Thank you so much.

Yes, if you are on public wifi and your VPN is off, when you open the App it will expose your credentials.
On the other hand sensors reporting is encrypted, so those won’t expose.

Your second statement is partially correct. The connection security level protects your local IP in a setup where you have internal AND external URL, so the App uses the external when you are not at home (external should be encrypted always, otherwise it’s a user misconfiguration). For VPN it does not help: the App does not know when you are connected to the VPN, so either you leave the VPN always ON, or you may expose your credentials on public wifi.

I see. So the benefit of sharing location with the app only applies to those who have an unencrypted local URL and an encrypted external URL configured in the app, at least for iOS users. The app knows when the phone is connected to the “home wifi” and will connect via the unencrypted internal URL only in that case. When the home wifi is not connected, the app will then connect to the external URL.

For iOS users who have an unencrypted internal URL configured in the app and no external URL, the location sharing does not provide any benefit. If such a user has selected “Security Level: Most secure” and is sharing location with the app, it is still up to the user to always remember to ensure the VPN is active prior to opening the companion app while on public wifi, to prevent potential eavesdroppers, since the app will still connect via the unencrypted internal URL even though it knows the phone is not connected to the home wifi.

If this is the case, I think a false sense of security is being encouraged among users like me. I have been reluctant to share my location data but I finally did because I figured “I might as well” if it meant I had a more secure setup. I’m glad to know I actually derive no benefit. I’ve turned location sharing off and changed my security level to Less secure. If users who only have the internal URL configured don’t stand to gain from the Security Level setting, perhaps there is a way to make this more clear in the docs. Perhaps the landscape is changing so quickly that you are only a mere iOS update away from a time when the companion app can activate the VPN, in which case this conversation will be outdated. But for now, I do think other users will benefit from a more clear understanding of how the feature works so they can make a more-informed decision about the Security Level they choose. And also so they can be better-informed about the risks inherent in using the app on public wifi, because it had never occurred to me that I would be sending sensitive data before the app had even located a server to send that sensitive data to.

Thank you again for clarifying.

This feature is indeed not focused on VPN users, the goal is to protect your internal unencrypted URL.
If a VPN user selects “most secure”, this person will be protected, because the App won’t use the internal URL (not even on VPN), but at the same time you won’t have your VPN remote connection.

For now the iOS App cannot detect VPN, hopefully in the future.
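
A model of the URL selection described in the replies above, added here as an illustration; it is not the companion app's code and not part of any post. The function name, level names, SSIDs and the `https://ha.example.org` URL are made up, and the "less secure" fallback to the internal URL is an assumption based on the setup reported in the thread.

```python
from urllib.parse import urlsplit

HOME_SSIDS = {"HomeWiFi"}            # constructed sample value
LAN_URL = "http://192.168.1.5:8123"  # the plaintext address used as an example in the thread


def choose_url(level, internal, external, ssid):
    """Model one connection attempt. Returns (url, exposed); url is None when blocked.

    exposed=True means a plaintext http:// URL is used off the home network, so
    the credentials are protected only if a VPN happens to be up. VPN state is
    deliberately not an input: per the thread, the iOS app cannot detect it.
    """
    on_home = ssid in HOME_SSIDS
    if internal and on_home:
        url = internal                      # internal URL allowed on the home network
    elif external:
        url = external                      # external URL is always allowed
    elif internal and level == "less_secure":
        url = internal                      # assumption: no home-network check at this level
    else:
        return None, False                  # "most secure": blocked, nothing is sent
    exposed = urlsplit(url).scheme == "http" and not on_home
    return url, exposed


def scenarios():
    """The setups discussed in the thread, each tried on a constructed public SSID."""
    away = "CafeGuest"
    return {
        "most secure, internal only, at home": choose_url("most_secure", LAN_URL, None, "HomeWiFi"),
        "most secure, internal only, away": choose_url("most_secure", LAN_URL, None, away),
        "most secure, LAN URL moved to external, away": choose_url("most_secure", None, LAN_URL, away),
        "less secure, internal only, away": choose_url("less_secure", LAN_URL, None, away),
        "most secure, https external, away": choose_url("most_secure", LAN_URL, "https://ha.example.org", away),
    }


if __name__ == "__main__":
    for name, (url, exposed) in scenarios().items():
        print(f"{name:48} -> {url or 'blocked'}{'  [plaintext off home Wi-Fi]' if exposed else ''}")
```

The two rows flagged as exposed are the VPN-only setups: the model picks the same plaintext URL whether or not the tunnel is up, which is why the replies say the VPN has to stay on.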

I better understand now. And I am very grateful for the time you have spent in explaining the specifics in this thread. I do strongly think there would be benefit to updating the docs to clarify the points that were unclear to me, as I am likely not the only one who was (is) not properly informed by the docs.

A few things pulled from the docs:

  • “This also means that background activity will be blocked until a secure connection can be established.”
     
    A VPN is one kind of secure connection, but the security setting is intended only for users who use a different kind: SSL. This should be made more clear. Perhaps rephrase it to state: “…activity will be blocked until a secure connection can be established over the companion app’s SSL-enabled external URL.”

  • “When you connect to Home Assistant using an unencrypted URL (such as http://homeassistant.local:8123 ), all data transmitted between your device and Home Assistant is sent in plain text.”
     
    Whether data is sent between one’s device and HA, or whether there is no HA on the other end because the user forgot to connect to his network via VPN, the device sends the sensitive data. So the above statement is not specific enough.

I’m concerned that someone might think the security setting provides some protection for VPN users when it does not. For instance, if I had observed that I needed to configure my external URL to be the same as my internal in order for my HA to work while VPN is active and Most Secure is configured (I don’t think you have made it clear whether this would indeed work, but I presume it would), I would have in fact made no positive change with respect to the security of my device while it would appear that I had done so, because my app would be set to “Most Secure.” There is nothing in the docs to make it clear that I would be mistaken in such case.

I understand that you are doing the best you can with respect to the limitations provided by iOS, and I will say again that the app is great. That page of the docs could just be made more clear, and I think it is important that users be able to rely on the docs for such important information.

Last night I added FAQs to the document

Oh great! That is extremely easy to understand. Thank you so much for the edit. I think it will help many people.


I honestly don’t understand the purpose of this change. It smells like a solution looking for a problem. A user’s data connection is orthogonal from an app like HA mobile. HA mobile should simply use the connection provided by the underlying OS and connect via the configured URL. That’s it. This new “feature” just adds unnecessary complexity to the product.

Also I don’t see the need for an internal and an external URL. Just configure the external URL and use it whether you’re at home or away. Doesn’t need to be any more complicated.