I did a search and couldn't find anything related, probably because I am not using the right terminology. Sorry.
But I find this a security issue when using the mobile site to arm or disarm the house, when you type in the TEXT BOX to enter your house code it displays the numbers. And if you have "auto form complete" option set to ON it saves what you have typed, so if someone steals your phone they just click on the box and it shows what you have previously entered.
Can we change this TEXT BOX to a PASSWORD BOX where it shows **** after entering characters, and doesn't save your entries.
I apologize if this is not the right place to post this, please let me know where the right place is and I'll repost my query.
Security Concern when Entering your Arm/Disarm Code on the Mobile site
Moderators: EyezOnRich, GrandWizard
Security Concern when Entering your Arm/Disarm Code on the Mobile site
- Attachments
-
- Security Concern!
- Screenshot_20170429-130911.png (110.62 KiB) Viewed 17741 times
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
You make a good point, in my opinion, but, also in my opinon, I'd argue that having an unlocked mobile device with that kind of access is at least as bad an idea, if not worse. If you leave your device unlocked, let your browser remember your pass code, and the device gets "borrowed," nobody'd necessarily need to see the code, would they?Shades wrote:And if you have "auto form complete" option set to ON it saves what you have typed, so if someone steals your phone they just click on the box and it shows what you have previously entered.
(I'm assuming, from your complaint, you don't lock your device with password, pin, pattern, facial recognition, fingerprint, what-have-you.)
(Personally, given what I've seen and experienced, I don't trust Android security enough to actually enter my alarm system codes into an app running upon it, anyway. But that's a kind of side-issue.)
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
Regardless if I lock my device or not, why can't it be a password box so it never shows or stores your passcode? This is just a website interface through the browser, it would show up the same on iPhone devices because it's just a website link to their server.Crikey wrote:You make a good point, in my opinion, but, also in my opinon, I'd argue that having an unlocked mobile device with that kind of access is at least as bad an idea, if not worse. If you leave your device unlocked, let your browser remember your pass code, and the device gets "borrowed," nobody'd necessarily need to see the code, would they?Shades wrote:And if you have "auto form complete" option set to ON it saves what you have typed, so if someone steals your phone they just click on the box and it shows what you have previously entered.
(I'm assuming, from your complaint, you don't lock your device with password, pin, pattern, facial recognition, fingerprint, what-have-you.)
(Personally, given what I've seen and experienced, I don't trust Android security enough to actually enter my alarm system codes into an app running upon it, anyway. But that's a kind of side-issue.)
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
I second this. The value in this field should be masked, and should disable auto-complete in the user's browser.
For comparison, this field in the non-mobile web interface IS a password input field, and the characters you type ARE masked. Seems like an oversight on the mobile interface, IMO.
For comparison, this field in the non-mobile web interface IS a password input field, and the characters you type ARE masked. Seems like an oversight on the mobile interface, IMO.
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
Thanks for backing my suggestion up.mwortham wrote:I second this. The value in this field should be masked, and should disable auto-complete in the user's browser.
For comparison, this field in the non-mobile web interface IS a password input field, and the characters you type ARE masked. Seems like an oversight on the mobile interface, IMO.
I'm not seeing any replies by the mods or devs, wonder if my suggestion is taken into consideration.
-
- Posts: 2320
- Joined: Tue Nov 16, 2010 4:08 pm
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
Sorry, yes, I forwarded this thread to the mobile portal devs. On my phone I don't see this behaviour so it may be related to specific devices.
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
Awesome thanks!GrandWizard wrote:Sorry, yes, I forwarded this thread to the mobile portal devs. On my phone I don't see this behaviour so it may be related to specific devices.
This also shows up the same when I use my PC to access my system... see the picture attached.
- Attachments
-
- Untitled.jpg (101.06 KiB) Viewed 17564 times
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
Has there been any development on this issue? I'm annoyed that this screen still stores my code and displays it to me every time I use the app...
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
I haven't seen confirmation of a fix for this, but over the past few days this issue has disappeared for me. Shades, can you confirm? It looks like it's been fixed.
Re: Security Concern when Entering your Arm/Disarm Code on the Mobile site
I noticed the issue disappeared yesterday when setting the alarm. I just logged in and see I'm on ver. 102