So I came across something today in the portal that seems to be a bit of a security risk when using the lock code managers offered by ethayer and rboy.
If you go to “My Locations” then list smartapps and find the user code manager you can click and get all the values assigned.
Is there any way to mask these values via Smart App code?
You would still need access to your SmartThings account to get this info, if they had this access they could just unlock the door without a code anyways…
If you really wanted to you could change the field from a string to a ‘password’ and it will hide it, though I think this is overkill.
Yes… I recommend hashing them using a hash key in closed source code… ie, submitted / published SmartApp.
I’m fully that they’d need your account information and could open the door through the app if they wish. My question was not about what hackers would need to access it or what they could do anyway with it.
The question was whether they could be masked. Which in hindsight as @tgauchat recommended, hashing is what I’m looking for.
Having a way to obscure saved SmartApp preferences/settings is not something that should be impossible to do. It’s a valid concern.
That’s actually exactly the solution I was looking for. I didn’t think of hashing but it would make more sense to do it like that. The smart app could handle the data prior to it being used or sent to the lock.
Do you know of any built in functions to do that with groovy or the SmartThings API? I’m new to groovy so pardon my noob status with it.
My use case for lock management is a bit different than the average home user so making these unreadable via the portal and ultimately hiding them from additional users is something I want to accomplish.
Yup… I’m on mobile so can’t look it up at the moment, but remind me if I don’t post back within a couple days.
Sweet! Sorry I just saw this but if you have some time to link a reference to that I’d greatly appreciate it.
I don’t have time at the moment to dig very far, but I have an example simple hash expression that works within a SmartApp:
Lookup the documentation for the Java “security” Class (etc.) and that should help you understand how the MD5 hashing is being applied. The rest is just padding so the result is a string of consistent length…
def hash = new BigInteger(1,java.security.MessageDigest.getInstance("MD5").digest("${valueToHash}".getBytes())).toString(16).padLeft(32,"0")