I believe I see a security flaw in the operation of the mobile app. It appears that when connecting HE to the cloud, the local IP of the hub is stored and then used when the app switches from cloud mode to local mode. The local communication with the hub is sent in clear text, including the access token, which is the same access token used for the cloud. If the app attempts to connect to the local IP any time it changes connection or is connected to WiFi, one could easily intercept that attempt and gain access to the key, which could then be used to gain access to the cloud.
Do we know if there is some mechanism in place to prevent the app from blindly handing over the token to anything that answers on the correct IP?
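A small model of the failure mode the post describes and of the kind of check it asks about, added here as an illustration and not taken from the Hubitat app or its protocol. The endpoint class, the pairing key assumed to be agreed over the cloud link, and the request shapes are all assumptions; the point is that the client must verify it is talking to its hub before disclosing any credential, and that the credential it does send locally should not be the cloud token.

```python
import hashlib
import hmac
import secrets

CLOUD_TOKEN = "cloud-token-CONSTRUCTED"  # constructed; stands in for the shared app/cloud token


class Endpoint:
    """Whatever answers on the remembered local IP: the real hub, or something else on the LAN."""

    def __init__(self, pairing_key=None):
        self.pairing_key = pairing_key  # hypothetical: only the real hub holds the key set up at pairing
        self.received = []  # everything a client handed over, for inspection

    def prove(self, nonce):
        """Challenge response: HMAC over the client's nonce with the pairing key."""
        if self.pairing_key is None:
            return b""  # an impostor has no pairing key and cannot answer
        return hmac.new(self.pairing_key, nonce, hashlib.sha256).digest()

    def handle(self, request):
        self.received.append(request)
        return "ok"


def naive_local_mode(endpoint):
    """The pattern the post describes: the cloud token goes in clear to the stored IP, unverified."""
    return endpoint.handle({"token": CLOUD_TOKEN})


def verified_local_mode(endpoint, pairing_key, body=b"GET /devices"):
    """Challenge the endpoint first; then authenticate the request with a MAC, never the cloud token."""
    nonce = secrets.token_bytes(16)
    expected = hmac.new(pairing_key, nonce, hashlib.sha256).digest()
    # compare_digest avoids timing leaks and returns False on length mismatch (empty impostor reply)
    if not hmac.compare_digest(endpoint.prove(nonce), expected):
        raise ConnectionRefusedError("endpoint failed hub identity check; no credential sent")
    tag = hmac.new(pairing_key, nonce + body, hashlib.sha256).hexdigest()
    return endpoint.handle({"nonce": nonce.hex(), "body": body, "mac": tag})


def token_was_disclosed(endpoint):
    """True if the cloud token ever reached this endpoint."""
    return any(r.get("token") == CLOUD_TOKEN for r in endpoint.received)
```

Run against an `Endpoint()` with no pairing key (the "anything that answers on the IP" case), `naive_local_mode` hands over the cloud token while `verified_local_mode` refuses to send anything.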