I was wondering how I can deauthorize my phone from accessing my SmartThings account in case I lose it. I did a test, changing my password using the API, but the phone app (Android) keeps working fine and never asked me to enter the new password.
That’s a major issue you should report. Guessing this is a lazy caching issue where the credentials for a logged in mobile app are never checked on subsequent launches.
Ideally, your device has a strong password and a lock screen that engages shortly after sleep. But that doesn’t excuse checking credentials at launch should they be changed elsewhere.
tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
This is a known security issue. SmartThings currently uses 50-year authorization tokens for the app.
Contact Support@SmartThings.com ASAP… I believe they can force revoke / invalidate App login tokens on their end.
tgauchat, I’m not currently in this situation, as I said in my first post, this was just a test to see what would happen if I lost my phone.
I understand that we should secure our phones, and I am also aware of the Find My Phone feature, but as scottinpollock pointed out, none of those should be an excuse: this is an app that can open your house if you have a smart lock. This is like if I lost the keys to my house and the locksmith told me "I’m sorry, I can’t change your locks, so you can’t prevent the lost keys from being able to open your house." I consider this a major security problem and think that it should be fixed ASAP.
tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
As I mentioned … you can contact the “locksmith” in this case – i.e., Support@SmartThings.com. They can change the “keys” for you.
You just can’t change the lock yourself. Which, reasonably, people think should happen if you use “change password” on another device or the IDE.
This is absolutely a serious security concern that SmartThings has known about for many months – I reported this to SmartThings in July 2015.
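As an added illustration (not SmartThings code; the class and function names are assumed), a minimal token store contrasting the check the thread describes, where a long-lived token is only tested for expiry, with one that also binds each token to a password version and honours support-side revocation:

```python
import secrets
import time

# Constructed to mirror the token lifetime mentioned in the thread.
FIFTY_YEARS = 50 * 365 * 24 * 3600


class Account:
    def __init__(self, password):
        self.password = password
        self.password_version = 0   # bumped on every password change
        self.revoked = set()        # token ids revoked by support or the user

    def change_password(self, new_password):
        self.password = new_password
        self.password_version += 1  # tokens bound to the old version stop validating

    def revoke(self, token_id):
        self.revoked.add(token_id)


class TokenStore:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.tokens = {}  # token_id -> (account, issued_at, password_version)

    def issue(self, account, now):
        token_id = secrets.token_urlsafe(16)
        self.tokens[token_id] = (account, now, account.password_version)
        return token_id

    def validate_naive(self, token_id, now):
        # The behaviour described in the thread: only expiry is checked, so a
        # password change elsewhere never disturbs an app that is already logged in.
        entry = self.tokens.get(token_id)
        return entry is not None and now - entry[1] < self.ttl

    def validate_strict(self, token_id, now):
        # Hardened check: expiry, explicit revocation, and credential version.
        entry = self.tokens.get(token_id)
        if entry is None:
            return False
        account, issued_at, version = entry
        if now - issued_at >= self.ttl or token_id in account.revoked:
            return False
        return version == account.password_version


def lost_phone_scenario(ttl_seconds=FIFTY_YEARS):
    """Phone logs in, owner changes password via the API, phone token is re-checked."""
    acct = Account("old-pass")
    store = TokenStore(ttl_seconds)
    t0 = time.time()
    phone_token = store.issue(acct, t0)
    acct.change_password("new-pass")  # done from another device, as in the thread
    later = t0 + 60
    return store.validate_naive(phone_token, later), store.validate_strict(phone_token, later)
```

With the naive check the phone token survives the password change; with the strict check it is rejected, and a support-side `revoke()` would reject it even without a password change.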