I was going to try to deal with support directly on this issue, but their initial response was to post this to the community. Pretty poor response to a security issue. Wish they would treat potential security flaws with a bit more discretion. However, I guess it was already fairly publicly reported here without much response.
But ultimately the real issue is that any input box in a SmartApp is stored and persists after install.
So, here’s the issue:
input "Password", "password", title: "Password"
This is stored in the settings array as settings.password in plain text.
In the IDE SmartApp settings it does mask out the password, but anyone logging the settings array would see settings.password, including with the default action of
log.debug "Installed with settings: ${settings}"
where you will see password=“password” in the settings array.
Trying to overcome this issue, I tried issuing this command after install:
settings.remove("Password")
which does appear to remove the password from settings, but the password survives beyond that function call's scope and comes back in other function calls.
The appSettings array supposedly exists for this use case, but there is no way to get a user-input password and have it not stored for the life of the SmartApp.
What does this mean? Any SmartApp that asks for private information is NOT storing it privately, and it is cached even when an attempt is made to clear it. All any SmartApp needs to do is find the app with the security information and pull out the settings array.
There should be some way to salt/hash passwords and store them securely within the SmartApp and restrict their logging display or access outside the SmartApp.
Moreover, there should be a way to clear a settings option and not have it survive a “remove” call.
Right now, there is simply no way to remove the password once it is inputted within a SmartApp other than to have the user enter the “wrong” password again after a successful login.
Just a heads up: if you use any SmartApp or DeviceType that requires a password, it is stored in plain text and is easily accessible in the IDE / logs.
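As an added example (not code from the original post or from SmartThings), here is one way a SmartApp author can at least keep the password out of the log output described above: replace the default `log.debug "Installed with settings: ${settings}"` with a redacting helper. The `redactedSettings()` helper and the `Username` input are my own assumptions; the `Password` input is the one from the post.

```groovy
// Added example, not from the original post: keep the password input out of
// the SmartApp log by redacting sensitive keys before logging the settings map.
// Assumption: any input whose name contains "password" is treated as sensitive.
preferences {
    section("Credentials") {
        input "Username", "text", title: "Username"          // hypothetical extra input
        input "Password", "password", title: "Password"      // the input from the post
    }
}

// Return a copy of settings with sensitive values replaced, leaving the
// original settings map (and thus the stored password) untouched.
private Map redactedSettings() {
    settings.collectEntries { key, value ->
        boolean sensitive = key.toLowerCase().contains("password")
        [(key): sensitive ? "<redacted>" : value]
    }
}

def installed() {
    // Instead of: log.debug "Installed with settings: ${settings}"
    log.debug "Installed with settings: ${redactedSettings()}"
    initialize()
}

def updated() {
    log.debug "Updated with settings: ${redactedSettings()}"
    unsubscribe()
    initialize()
}

def initialize() {
    // Use settings.Password only in memory for the remote login call;
    // never copy it into state or atomicState, which are also persisted.
}
```

This only removes the password from the SmartApp's own log lines; it does not change the fact, described in the post, that the value still persists in the settings map and remains visible in the IDE.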