Developer call 1/28 & calendar invite

The current Agenda items could certainly take up the whole hour, but, if there is time available…

I have a security concern related to Mode:

  1. Can you confirm that “changeMode(anymode)” can be called without being declared in SmartApp Preferences? i.e.,
  • From within any SmartApp?
  • From any Web Service that has access to any SmartApp (i.e., is there an API call equivalent to changeMode in the REST-API, and this call does not require explicit user authentication)?
  2. Is this a “loophole” within the user authorization process (for both native SmartApps and/or Web Services), in which users get granular control over which Devices the App is permitted to access? i.e., while the user is aware they are granting access to their hub and certain devices, they may not be aware that they are granting read and/or write access to Location-Mode.

  3. If #1 and #2 are true, then is this possibly a serious security concern, since Mode is commonly used for “security sensitive information or event triggers”, for example:

  • Locks that unlock if Mode changes from “Away” to “Home”.
  • Alarms and Sirens that are disabled when Mode = “Home”.
  • and … Even read-only knowledge that a location is unoccupied (i.e., Mode = “Vacation”) makes that location more susceptible to intrusion (canceling out the benefits of simulated occupancy apps like random lights on/off).

For further discussion and a recommended possible SOLUTION (using Virtual Device Instances with “mode-like attributes” instead of Mode), please refer to this Topic/Post.

Thanks,
…CP / Terry.