Security Concern when Entering your Arm/Disarm Code on the Mobile site

Information and support for EnvisaLink modules.

Moderators: EyezOnRich, GrandWizard

Shades
Posts: 4
Joined: Sat Apr 29, 2017 3:58 pm

Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by Shades »

I did a search and couldn't find anything related, probably because I am not using the right terminology. Sorry.

But I find this a security issue when using the mobile site to arm or disarm the house, when you type in the TEXT BOX to enter your house code it displays the numbers. And if you have "auto form complete" option set to ON it saves what you have typed, so if someone steals your phone they just click on the box and it shows what you have previously entered.

Can we change this TEXT BOX to a PASSWORD BOX where it shows **** after entering characters​, and doesn't save your entries.

I apologize if this is not the right place to post this, please let me know where the right place is and I'll repost my query.
Attachments
Security Concern!
Security Concern!
Screenshot_20170429-130911.png (110.62 KiB) Viewed 17747 times
Crikey
Posts: 90
Joined: Mon Aug 22, 2016 10:04 am

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by Crikey »

Shades wrote:And if you have "auto form complete" option set to ON it saves what you have typed, so if someone steals your phone they just click on the box and it shows what you have previously entered.
You make a good point, in my opinion, but, also in my opinon, I'd argue that having an unlocked mobile device with that kind of access is at least as bad an idea, if not worse. If you leave your device unlocked, let your browser remember your pass code, and the device gets "borrowed," nobody'd necessarily need to see the code, would they?

(I'm assuming, from your complaint, you don't lock your device with password, pin, pattern, facial recognition, fingerprint, what-have-you.)

(Personally, given what I've seen and experienced, I don't trust Android security enough to actually enter my alarm system codes into an app running upon it, anyway. But that's a kind of side-issue.)
Shades
Posts: 4
Joined: Sat Apr 29, 2017 3:58 pm

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by Shades »

Crikey wrote:
Shades wrote:And if you have "auto form complete" option set to ON it saves what you have typed, so if someone steals your phone they just click on the box and it shows what you have previously entered.
You make a good point, in my opinion, but, also in my opinon, I'd argue that having an unlocked mobile device with that kind of access is at least as bad an idea, if not worse. If you leave your device unlocked, let your browser remember your pass code, and the device gets "borrowed," nobody'd necessarily need to see the code, would they?

(I'm assuming, from your complaint, you don't lock your device with password, pin, pattern, facial recognition, fingerprint, what-have-you.)

(Personally, given what I've seen and experienced, I don't trust Android security enough to actually enter my alarm system codes into an app running upon it, anyway. But that's a kind of side-issue.)
Regardless if I lock my device or not, why can't it be a password box so it never shows or stores your passcode? This is just a website interface through the browser, it would show up the same on iPhone devices because it's just a website link to their server.
mwortham
Posts: 12
Joined: Wed Jan 04, 2017 10:51 am

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by mwortham »

I second this. The value in this field should be masked, and should disable auto-complete in the user's browser.

For comparison, this field in the non-mobile web interface IS a password input field, and the characters you type ARE masked. Seems like an oversight on the mobile interface, IMO.
Shades
Posts: 4
Joined: Sat Apr 29, 2017 3:58 pm

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by Shades »

mwortham wrote:I second this. The value in this field should be masked, and should disable auto-complete in the user's browser.

For comparison, this field in the non-mobile web interface IS a password input field, and the characters you type ARE masked. Seems like an oversight on the mobile interface, IMO.
Thanks for backing my suggestion up.

I'm not seeing any replies by the mods or devs, wonder if my suggestion is taken into consideration.
GrandWizard
Posts: 2321
Joined: Tue Nov 16, 2010 4:08 pm

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by GrandWizard »

Sorry, yes, I forwarded this thread to the mobile portal devs. On my phone I don't see this behaviour so it may be related to specific devices.
Shades
Posts: 4
Joined: Sat Apr 29, 2017 3:58 pm

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by Shades »

GrandWizard wrote:Sorry, yes, I forwarded this thread to the mobile portal devs. On my phone I don't see this behaviour so it may be related to specific devices.
Awesome thanks!

This also shows up the same when I use my PC to access my system... see the picture attached.
Attachments
Untitled.jpg
Untitled.jpg (101.06 KiB) Viewed 17570 times
mwortham
Posts: 12
Joined: Wed Jan 04, 2017 10:51 am

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by mwortham »

Has there been any development on this issue? I'm annoyed that this screen still stores my code and displays it to me every time I use the app...
mwortham
Posts: 12
Joined: Wed Jan 04, 2017 10:51 am

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by mwortham »

I haven't seen confirmation of a fix for this, but over the past few days this issue has disappeared for me. Shades, can you confirm? It looks like it's been fixed.
GMc
Posts: 38
Joined: Thu Dec 03, 2015 7:27 am

Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site

Post by GMc »

I noticed the issue disappeared yesterday when setting the alarm. I just logged in and see I'm on ver. 102
Post Reply