How to deauthorize a lost phone app?


(Rafael Luna) #1

Hi,

I was wondering how I can deauthorize my phone from accessing my SmartThings account in case I lose it. I ran a test by changing my password using the API, but the phone app (Android) keeps working fine and never asked me to enter the new password.

Thanks.


(Convinced ST will never be unbroken…) #2

That’s a major issue you should report. Guessing this is a lazy caching issue where the credentials for a logged in mobile app are never checked on subsequent launches.


#3

Considering all the apps most of us have that can expose us in various ways, wouldn’t you want to use “Find My iPhone” to erase the phone?


(Convinced ST will never be unbroken…) #4

Ideally, your device has a strong password and a lock screen that engages shortly after sleep. But that doesn’t excuse checking credentials at launch should they be changed elsewhere.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #5

This is a known security issue. SmartThings currently uses 50 year authorization tokens for the App.

Contact Support@SmartThings.com ASAP… I believe they can force revoke / invalidate App login tokens on their end.


(Rafael Luna) #6

Thank you all,

tgauchat, I’m not currently in this situation, as I said in my first post, this was just a test to see what would happen if I lost my phone.

I understand that we should secure our phones, and I am also aware of the Find My Phone feature, but as scottinpollock pointed out, none of those should be an excuse; this is an app that can open your house if you have a smart lock. This is as if I lost the keys to my house and the locksmith told me, "I’m sorry, I can’t change your locks, so you can’t prevent the lost keys from opening your house." I consider this a major security problem and think it should be fixed ASAP.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #7

As I mentioned … you can contact the “locksmith” in this case – i.e., Support@SmartThings.com. They can change the “keys” for you.

You just can’t change the lock yourself. Which, reasonably, people think should happen if you use “change password” on another device or the IDE.

This is absolutely a serious security concern that SmartThings has known about for many months – I reported this to SmartThings in July 2015.
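
The failure mode discussed in posts #5 and #7 (a very long-lived app token that survives a password change, so only support-side revocation can "change the lock") and the behaviour users expect (changing the password from another device or the IDE invalidates every token issued before the change) can both be shown with a small token service. The code below is an added example written for this thread; it is not SmartThings code and makes no claim about how their backend is built. The `TokenService` class, the `validate_expiry_only` / `validate` split, and the `scenario()` walk-through are all hypothetical names chosen for illustration, and the 50-year lifetime is taken from post #5 and assumed to be expressed in seconds.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Post #5 says the app token lives 50 years; assumption: expressed here in seconds.
FIFTY_YEARS = 50 * 365 * 24 * 60 * 60


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    credentials_changed_at: float  # timestamp of the last password change


@dataclass
class Token:
    user: str
    issued_at: float
    expires_at: float
    revoked: bool = False          # set by support-side revocation (post #5)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is enough for a toy; any slow, salted password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TokenService:
    """Hypothetical bearer-token issuer. `now` is injectable so scenario() is deterministic."""

    def __init__(self, now=time.time):
        self.now = now
        self.users = {}    # username -> User
        self.tokens = {}   # opaque token id -> Token

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, _hash_password(password, salt), self.now())

    def _check_password(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(
            user.password_hash, _hash_password(password, user.salt))

    def login(self, username, password, lifetime=FIFTY_YEARS):
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token_id = secrets.token_urlsafe(32)
        issued = self.now()
        self.tokens[token_id] = Token(username, issued, issued + lifetime)
        return token_id

    def change_password(self, username, old, new):
        """The 'change the lock' event: records when credentials last changed."""
        if not self._check_password(username, old):
            raise PermissionError("bad credentials")
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        user.credentials_changed_at = self.now()

    def revoke(self, token_id):
        """Per-token revocation, the only remedy post #5 says is available (via support)."""
        self.tokens[token_id].revoked = True

    def validate_expiry_only(self, token_id):
        """Only expiry is checked: the lost phone's 50-year token keeps working after a password change."""
        tok = self.tokens.get(token_id)
        return tok is not None and self.now() < tok.expires_at

    def validate(self, token_id):
        """Hardened check: expiry, explicit revocation, and issuance *after* the last credential change.
        Strict '>' fails closed if a token and a password change share a timestamp."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked or self.now() >= tok.expires_at:
            return False
        return tok.issued_at > self.users[tok.user].credentials_changed_at


def scenario():
    """Constructed walk-through of the thread: phone logs in, password is changed elsewhere."""
    clock = [1_000_000.0]

    def now():
        clock[0] += 1.0      # every call advances one second, so timestamps are strictly ordered
        return clock[0]

    svc = TokenService(now=now)
    svc.register("rafael", "old-password")
    phone_token = svc.login("rafael", "old-password")               # the phone that is later lost
    svc.change_password("rafael", "old-password", "new-password")   # done from the API / IDE
    laptop_token = svc.login("rafael", "new-password")              # fresh login after the change
    results = {
        "lost_phone_lenient": svc.validate_expiry_only(phone_token),  # True: still works
        "lost_phone_strict": svc.validate(phone_token),               # False: cut off by the change
        "new_login_strict": svc.validate(laptop_token),               # True
    }
    svc.revoke(laptop_token)                                          # support-side revoke
    results["after_support_revoke"] = svc.validate(laptop_token)      # False
    return results


if __name__ == "__main__":
    print(scenario())
```

The important line is the last comparison in `validate`: storing one `credentials_changed_at` per user and rejecting any token issued before it turns "change password" into "sign out everywhere" without having to enumerate or find every token the lost phone holds, and it costs one extra timestamp lookup per request.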


(Rafael Luna) #8

You got me, your analogy was better than mine :grin: