I still have some doubts about the security. While the cloud URL is encrypted, the local URL is not. I've confirmed through Wireshark that the app switches to local mode, it creates a connection to the hub with no authentication then sends the URL with token in the clear. Since the access tokens are the same for both local and cloud, I'm concerned that the app will detect the switch to wifi, blindly send the URL/token to whatever answers on the correct IP, and reveal my token to whoever might be listening.
Download the Hubitat app
