How to deauthorize a lost phone app?

reluna · June 4, 2016, 1:08am

Hi,

I was wondering how can I deauthorize my phone from accessing my smartthings account in the case I lost it. I made a test changing my password using the API but the phone app (android) keeps working fine and never asked me to enter the new password.

Thanks.

scottinpollock · June 4, 2016, 1:32am

That’s a major issue you should report. Guessing this is a lazy caching issue where the credentials for a logged in mobile app are never checked on subsequent launches.

PhilB · June 4, 2016, 1:44am

Considering all the apps most of us have that can expose us in various ways, wouldn’t you want to use “Find My IPhone” to erase the phone?

scottinpollock · June 4, 2016, 1:50am

Ideally, your device has a strong password and a lock screen that engages shortly after sleep. But that doesn’t excuse checking credentials at launch should they be changed elsewhere.

tgauchat · June 4, 2016, 1:56am

This is a known security issue. SmartThings currently uses 50 year authorization tokens for the App.

Contact Support@SmartThings.com ASAP… I believe they can force revoke / invalidate App login tokens on their end.

reluna · June 6, 2016, 2:39pm

Thank you all,

tgauchat, I’m not currently in this situation, as I said in my first post, this was just a test to see what would happen if I lost my phone.

I understand that we should secure our phones, and also I am aware of the Find My Phone feature, but as scottinpollock pointed out, none of those should be an excuse, this is an app that can open your house if you have a smart lock. This is like if I lost the keys to my house and the locksmith told me "I’m sorry, I can’t change your locks and so you can’t prevent the lost keys to be able to open your house. I consider this as a mayor security problem and think that it should be fixed ASAP.

tgauchat · June 6, 2016, 6:22pm

As I mentioned … you can contact the “locksmith” in this case – i.e., Support@SmartThings.com. They can change the “keys” for you.

You just can’t change the lock yourself. Which, reasonably, people think should happen if you use “change password” on another device or the IDE.

This is absolutely a serious security concern that SmartThings has known about for many months – I reported this to SmartThings in July 2015.

reluna · June 7, 2016, 1:25am

You got me, your analogy was better than mine

Topic		Replies	Views
I forgot my passcode and got onto the smart things find and i made more problems then i had before General Discussion	0	219	February 5, 2024
Was the Smart Things security flaw for smartlocks fixed? General Discussion security	10	3677	February 2, 2017
SmartThings iphone touch id not really secure? iOS	6	1647	November 23, 2017
Smartthings force logging in to wrong account iOS	3	3199	October 7, 2017
Securely adding a person and device Features & Feedback	4	1380	July 14, 2015

How to deauthorize a lost phone app?

Related topics