Security Spy iOS App
  • Having two different locations where I use SS, I noticed that when I have multiple servers configured in the app, a long press on a configured server gives me a pop-up window that lets me connect, sign out, or delete the server from the iOS app. I also noticed that it shows two separate addresses along with port numbers... it shows me a name.local:8000 address and also the DNS name of ....

    So the question is... is the app able to determine whether the SS server is currently local to the iOS device running the app and use the local network name, and if it's not on the same network, does it then go on to try the DNS name internet address?

    I am hoping the above is what is happening... and then I'm also hoping you can point me to how I can do the same thing for an app that I'm working on. I want to know if I can access it via the local address or will I be going on the internet DNS route to get there.
  • What our app does is simultaneously try to connect to both addresses, and then simply use the one that works. If both work, it currently prefers the LAN address, but we're going to change this in the future so that it prefers the WAN address, as any SSL certificate configured in SecuritySpy will be generated from the WAN address, and using anything other than the WAN address to connect to SecuritySpy via HTTPS will result in a name mismatch and therefore an invalid certificate (a situation for which we have to take some special and inconvenient steps in the software to work around).

    I'm happy to answer any other questions you might have. Good luck with your app!
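    The connection strategy described above, written out as an added example (not SecuritySpy's own code): probe the LAN and WAN addresses in parallel, use whichever answers, prefer the WAN name when both do, and keep TLS hostname verification on so that a certificate issued for the WAN name is rejected against the .local name instead of being silently accepted. The addresses in the demo are hypothetical placeholders.

```python
# Added example, not SecuritySpy's code: parallel LAN/WAN probing with a
# WAN-first preference, plus a TLS connect that keeps hostname checking on.
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_endpoint(lan, wan, probe=tcp_probe, prefer_wan=True):
    """Probe both (host, port) pairs concurrently and return the one to use.

    Returns the (host, port) to use, or None if neither is reachable.
    Both probes run to completion, so a fast LAN answer does not hide a
    working WAN path (the one whose name matches the TLS certificate).
    """
    with ThreadPoolExecutor(max_workers=2) as pool:
        lan_future = pool.submit(probe, *lan)
        wan_future = pool.submit(probe, *wan)
        reachable = {"lan": lan_future.result(), "wan": wan_future.result()}
    order = ("wan", "lan") if prefer_wan else ("lan", "wan")
    for label in order:
        if reachable[label]:
            return lan if label == "lan" else wan
    return None


def open_tls(host, port, timeout=3.0):
    """Open a verified TLS socket to host:port.

    ssl.create_default_context() checks the chain and the hostname, so a
    certificate issued for the WAN name raises ssl.SSLCertVerificationError
    when the connection is made to the .local name instead.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Hypothetical addresses mirroring the thread; .invalid never resolves.
    LAN = ("name.local", 8000)
    WAN = ("camera-host.example.invalid", 8000)
    print("using", choose_endpoint(LAN, WAN))
```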
  • Thank you Ben. I do think though that there is a big problem that arises by changing to using the WAN address when the LAN address is available. My concern is that by using the WAN address you are forced into streaming the data via your ISP. As more people leave cable and satellite TV service for streaming services, the load on their broadband data plan is being increased even when they are on their local network if you make that change. I would think if they are on their local network that using TLS would not really be an issue. I’m not sure I would worry about a security issue on a private network. I realize that may be short-sighted. I ran into the issue that, to get dynamic updates from the HomeSeer system, they offer a socket connection that will report any device status changes. The problem is that they require authorization and the username and password are sent as clear text. Rather than redesign this poor design they wrote a new iOS app that only uses the HTTP interface, but to do that they have resorted to polling to detect state changes.

    I found that their new app resembles their old one and I find it cartoonish. My solution is going to be that I recommend users only configure for local network access. If they want to use it over a WAN then they need a VPN. I took a Raspberry Pi, and have an IPSec server running on it. I’m now adding to my app so that you can configure the VPN credentials needed and WAN address.
    I have been able to run my app and if the local address is not available then it will attempt to start a VPN connection and open a connection. It’s working really well. The new networking Apple has given us is great. No more third party libraries for network connections. Especially for connecting to socket based servers.

    This lets me have a truly dynamic connection to the HomeSeer system and have everything encrypted over the internet.

    I’m thinking of doing the same sort of DNS as you do... the hosting service you use is very affordable. The question is do I build and sell the VPN device or just post a prebuilt image and let people have it... or offer both. So many decisions to make. This is what bored retired software engineers do... I probably should just buy a Z-Wave SDK license and write my own gateway hub. But that gets expensive fast.
  • Connecting to the WAN address while you are within the LAN doesn't route the traffic via the Internet. In this case, either your router supports "loopback", in which case it will recognise that you're attempting to connect to a device on the LAN and will route the connection back within your LAN to the right device, or it doesn't support loopback, in which case the connection will fail. There is an extra hop via your router, but the data never touches the Internet and shouldn't count towards ISP limits (which you correctly state can be an issue with certain connections).

    Provided that your LAN itself is reasonably secure (e.g. no open WiFi or weak passwords etc.) then I agree that unencrypted connections within the LAN are basically fine for most purposes. However, users are becoming more and more security-conscious, and encryption for all connections is becoming the expected norm.

    For WAN access, you could look at ngrok - it's simple, effective and secure. It may be a good alternative to a VPN, and wouldn't require you to set up a DDNS service.

    In any case it sounds like you have a fun project on your hands!
  • Thanks Ben. I looked at the ngrok service. It is simple, but I'm not sure I subscribe to the theory that it's secure. Here we are trusting that this service is itself not looking at data streams as they secure them. It seems that these days everyone wants us to "trust they are the good guys" when it comes to securing our data. I think you are correct about the loopback, and the extra hop should never be noticeable to anyone without a sniffer.
  • Yes that's certainly a good point - you still have to trust a third party with your data, which is something that should be done with caution!