App Security When Moving or Resetting Device

I had to factory reset my Android phone on which the Hubitat app was installed. I just let Google restore the apps and settings and didn't think much of it. I was very surprised to find that my reinstalled phone triggered the presence sensor (and corresponding rules) without any action on my part. Also, when I relaunched Chrome within the phone, it automatically logged back into Hubitat via the browser.

This seems like a big security problem because if the app login can survive a factory reset, anyone with the device could conceivably gain access to the dashboard and thus to the house. No other smart home app does this (Wyze, Google Home, Nexx Home, IFTTT etc.). They all required at a minimum for me to log back in by reentering credentials. Can this be fixed or a setting turned off?

On that note, I really think it's past time to implement 2-factor authentication for logging into Hubitat. I would think that being able to access the entire smart home with its corresponding locks and alarm systems would present an unacceptable risk to many, if a homeowner is lazy with passwords (the same credentials for both Wifi and Hubitat, for example).

On the Android side, this is due to the auto app backup feature from Google; it is secured by your Google account, so if you factory reset your phone it will be gone unless you sign in to the account again. That said, this feature is being turned off in the next release of the Android app.

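For reference, this is how an Android app developer keeps session state out of Google's Auto Backup so a restore cannot carry a login onto a reset or new device. It is an added example, not code from the Hubitat app or any other project; the app name, the `session.xml` preferences file and the `auth_tokens.db` database are constructed placeholders.

```xml
<!-- AndroidManifest.xml (excerpt) for a hypothetical smart-home app.
     Backup stays enabled for harmless preferences, but the rules files
     below exclude the credential stores. Setting android:allowBackup="false"
     instead would opt the whole app out of backup and restore. -->
<application
    android:allowBackup="true"
    android:fullBackupContent="@xml/backup_rules"
    android:dataExtractionRules="@xml/data_extraction_rules">
</application>

<!-- res/xml/backup_rules.xml: applies on Android 11 and earlier (Auto Backup).
     The path is the file name within the app's private storage. -->
<full-backup-content>
    <exclude domain="sharedpref" path="session.xml" />
    <exclude domain="database" path="auth_tokens.db" />
</full-backup-content>

<!-- res/xml/data_extraction_rules.xml: applies on Android 12 and later.
     Cloud backup and device-to-device transfer are controlled separately,
     so the session store must be excluded from both paths. -->
<data-extraction-rules>
    <cloud-backup>
        <exclude domain="sharedpref" path="session.xml" />
        <exclude domain="database" path="auth_tokens.db" />
    </cloud-backup>
    <device-transfer>
        <exclude domain="sharedpref" path="session.xml" />
        <exclude domain="database" path="auth_tokens.db" />
    </device-transfer>
</data-extraction-rules>
```

After a restore the app then starts without a session and has to prompt for credentials, which is the behaviour the other apps mentioned in the thread show.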

Also, have you enabled hub security? If not, you will want to look at these settings.

I personally use my HE for home automation and I separate my security from HE.

I have my door locks, alarm, etc. on Frontpoint Security, then everything else on HE.

It did not prevent me from regaining access via the browser after device reset. Does this just require a username and password when I browse to my hub's IP? If that's the case, then this is just the bare minimum.

Only if your Android account can be logged into. It was restored after you authenticated, remember?

But yes, you should absolutely secure that account. Put 2-factor hardware key authorization on it and someone will need your phone, your login credentials, and your security crypto token to authenticate.