Administrators Netduma Fraser Posted July 10, 2015 Administrators Share Posted July 10, 2015 Hey guys, the Netduma app has begun development, big thanks to Abc for doing this, its definitely a massive help! I'm sure he has plenty of ideas for it but don't hesitate to give any suggestions, I'm sure he'll try his best to implement them if he can Link to comment Share on other sites More sharing options...
lukasz Posted July 10, 2015 Share Posted July 10, 2015 I salute ABC Link to comment Share on other sites More sharing options...
ByMgRs Posted July 10, 2015 Share Posted July 10, 2015 Awesome that would be cool! It should be straight forward aswelll as you can use the get http request (I used to do a bit of android and ios dev) ***** just remembered it doesnt use different http addresses and uses php? I think**** Link to comment Share on other sites More sharing options...
abc123 Posted July 11, 2015 Share Posted July 11, 2015 Awesome that would be cool! It should be straight forward aswelll as you can use the get http request (I used to do a bit of android and ios dev) ***** just remembered it doesnt use differant http addresses and uses php? I think**** I've been sworn to secrecy and wrapped in a shroud of darkness. No really, it is just basic HTTP. Link to comment Share on other sites More sharing options...
mcl Posted July 11, 2015 Share Posted July 11, 2015 May I request it use HTTPS instead of HTTP? If you need a cert, there's always https://letsencrypt.org/if you don't want to pay for it. Wifi's trivial to sniff, MiTM, or outright hijack, and while an attacker may not have access to your home network normally, having plaintext HTTP going over the air is just asking for nastiness to occur. (I'd also request that, when the username/password security option is added to the R1 firmware, that a move from http to https in the firmware be made as well. This, of course, would be necessary for the app to use HTTPS with the R1). Link to comment Share on other sites More sharing options...
Netduma Staff Netduma Crossy Posted July 11, 2015 Netduma Staff Share Posted July 11, 2015 May I request it use HTTPS instead of HTTP? If you need a cert, there's always https://letsencrypt.org/if you don't want to pay for it. Wifi's trivial to sniff, MiTM, or outright hijack, and while an attacker may not have access to your home network normally, having plaintext HTTP going over the air is just asking for nastiness to occur. (I'd also request that, when the username/password security option is added to the R1 firmware, that a move from http to https in the firmware be made as well. This, of course, would be necessary for the app to use HTTPS with the R1). What sensitive data is travelling between the app and the router that needs protecting with HTTPS? Thats a genuine question btw Link to comment Share on other sites More sharing options...
Od1n Posted July 11, 2015 Share Posted July 11, 2015 abc is the right guy for this job! if i were to bring up a suggestion id say maybe consider an iOS app too for us non-android users Link to comment Share on other sites More sharing options...
EffinFancy Posted July 11, 2015 Share Posted July 11, 2015 Really excited! Thanks ABC. Is this going to be on the app store / google play store? Link to comment Share on other sites More sharing options...
abc123 Posted July 11, 2015 Share Posted July 11, 2015 May I request it use HTTPS instead of HTTP? If you need a cert, there's always https://letsencrypt.org/if you don't want to pay for it. Wifi's trivial to sniff, MiTM, or outright hijack, and while an attacker may not have access to your home network normally, having plaintext HTTP going over the air is just asking for nastiness to occur. (I'd also request that, when the username/password security option is added to the R1 firmware, that a move from http to https in the firmware be made as well. This, of course, would be necessary for the app to use HTTPS with the R1). I don't control the protocol that the router uses, these are all good feature requests but they are also all things that would be implemented on the router's firmware. Once HTTPS was implemented the API we are using would need to be redefined to require OAuth2 to stop unauthorized requests. What sensitive data is travelling between the app and the router that needs protecting with HTTPS? Thats a genuine question btw Honestly there is a lot on your network, an iOS app if it were "sniffing" traffic could pick up a lot of information (passwords and credit card info)...this app will only be communicating within your own network so no concerns there. abc is the right guy for this job! if i were to bring up a suggestion id say maybe consider an iOS app too for us non-android users That will be the first app. and thanks Really excited! Thanks ABC. Is this going to be on the app store / google play store? iOS is going to be first, then i'll be porting the code to android. Link to comment Share on other sites More sharing options...
MrWhooz Posted July 11, 2015 Share Posted July 11, 2015 How long do you think itll take you to make thr app??? Link to comment Share on other sites More sharing options...
Netduma Staff Netduma Crossy Posted July 11, 2015 Netduma Staff Share Posted July 11, 2015 Honestly there is a lot on your network, an iOS app if it were "sniffing" traffic could pick up a lot of information (passwords and credit card info)...this app will only be communicating within your own network so no concerns there. So there is nothing worth sniffing between the app and router? Link to comment Share on other sites More sharing options...
abc123 Posted July 12, 2015 Share Posted July 12, 2015 How long do you think itll take you to make thr app??? As this is a side project and can't be released open source (yet) I will be working on it in my spare time. That being said I hope to give frequent updates on the status and screenshots/videos when the time comes. So there is nothing worth sniffing between the app and router? Nothing that you couldn't sniff going from your router to any of the web clients (http://r1) it's all the same thing. There currently isn't any security around all that. I am making sure to note anything that needs to be deprecated and or changed for security and safety of the products main intention of not being a cheating device. Link to comment Share on other sites More sharing options...
fuzzy clam Posted July 12, 2015 Share Posted July 12, 2015 If abc's doing it,i assure you it will be done right Link to comment Share on other sites More sharing options...
ByMgRs Posted July 12, 2015 Share Posted July 12, 2015 I've been sworn to secrecy and wrapped in a shroud of darkness. No really, it is just basic HTTP. Oh ok I am very rusty so dont remember much but I am very interested in how it goes Link to comment Share on other sites More sharing options...
ByMgRs Posted July 12, 2015 Share Posted July 12, 2015 If abc's doing it,i assure you it will be done right agreed ABC 123 is always a great forum member and is very supportive so i am sure he will do it very well and dont worry about time scale, better for it to be working and not end up like the pc port of arkham knight Link to comment Share on other sites More sharing options...
Netduma Staff Netduma Crossy Posted July 12, 2015 Netduma Staff Share Posted July 12, 2015 Nothing that you couldn't sniff going from your router to any of the web clients (http://r1) it's all the same thing. There currently isn't any security around all that. I am making sure to note anything that needs to be deprecated and or changed for security and safety of the products main intention of not being a cheating device. Ok Are you writing it in Swift or Objective-C? Link to comment Share on other sites More sharing options...
mcl Posted July 12, 2015 Share Posted July 12, 2015 I don't control the protocol that the router uses, these are all good feature requests but they are also all things that would be implemented on the router's firmware. Once HTTPS was implemented the API we are using would need to be redefined to require OAuth2 to stop unauthorized requests. Honestly there is a lot on your network, an iOS app if it were "sniffing" traffic could pick up a lot of information (passwords and credit card info)...this app will only be communicating within your own network so no concerns there. Oh, I realize there's a lot on a local network. My point is that WPA2 is crackable, MiTMable, etc. Which means that, by putting something on the network that's wirelessly communicating with the administrative interface of the router (without the additional encryption of HTTPS -- which is also MiTMable, but with more difficulty, as (ignoring the OpenSSL bug reported last week) faking a CA and/or overcoming cert pinning isn't as easy) leaves a large security hole exploitable by anyone within range of your AP. They don't have to be associated to and authenticated by your AP, just able to pull the signal from the air. And that can be done from the curb, or even from miles away. There's a difference between having to associate and authenticate to your AP (at which point they could access the admin interface themselves) and simply flipping bits en route while the app is using the admin interface. True, you'd need to be of interest to someone, but there are millions of routers out there that fell victim to "I'm nobody; nobody will bother hacking me". Hacking wireless and hacking home routers is the favorite pastime of both bored teenagers and Eastern European crime syndicates alike. Any router is valuable when the target is every click you make (e.g., changing your DNS settings to hijack your ad views, which is just what a recent aforementioned Eastern European crime syndicate did). Agreed that the router needs to support HTTPS first; hopefully that'll be coming shortly. Once it's in place, I'd dearly hope any app would not just offer it as an option, but require it. With things like the WiFi Pineapple out there (there are plenty of other, more sophisticated tools, but I mention it because it's cheap, easy to use, and a favorite of those who enjoy this sort of thing), one can't be too lax with anything going over wireless these days. Link to comment Share on other sites More sharing options...
Trolling_Farm Posted July 12, 2015 Share Posted July 12, 2015 This got my attention, I was wondering would IOS or Android be coming out first? Hopefully a dual launch so some people don't feel salty?? Like me for instance Link to comment Share on other sites More sharing options...
Netduma Staff Netduma Crossy Posted July 12, 2015 Netduma Staff Share Posted July 12, 2015 This got my attention, I was wondering would IOS or Android be coming out first? Hopefully a dual launch so some people don't feel salty?? Like me for instance abc is the right guy for this job! if i were to bring up a suggestion id say maybe consider an iOS app too for us non-android users That will be the first app. and thanks Link to comment Share on other sites More sharing options...
abc123 Posted July 12, 2015 Share Posted July 12, 2015 If abc's doing it,i assure you it will be done right Thanks Oh ok I am very rusty so dont remember much but I am very interested in how it goes No worries, it is basically just a bunch of HTTP (GET, POST, PUT, DELETE) but there are no DELETE just GET (Read), POST (Create), PUT (Update) agreed ABC 123 is always a great forum member and is very supportive so i am sure he will do it very well and dont worry about time scale, better for it to be working and not end up like the pc port of arkham knight Thanks! Ok Are you writing it in Swift or Objective-C? Swift, apple is moving away from Objective-C...however the minor issue is Swift isn't fully supported by 3rd party libraries yet. So currently it is written in Swift, we'll see. Oh, I realize there's a lot on a local network. My point is that WPA2 is crackable, MiTMable, etc. Which means that, by putting something on the network that's wirelessly communicating with the administrative interface of the router (without the additional encryption of HTTPS -- which is also MiTMable, but with more difficulty, as (ignoring the OpenSSL bug reported last week) faking a CA and/or overcoming cert pinning isn't as easy) leaves a large security hole exploitable by anyone within range of your AP. They don't have to be associated to and authenticated by your AP, just able to pull the signal from the air. And that can be done from the curb, or even from miles away. There's a difference between having to associate and authenticate to your AP (at which point they could access the admin interface themselves) and simply flipping bits en route while the app is using the admin interface. True, you'd need to be of interest to someone, but there are millions of routers out there that fell victim to "I'm nobody; nobody will bother hacking me". Hacking wireless and hacking home routers is the favorite pastime of both bored teenagers and Eastern European crime syndicates alike. Any router is valuable when the target is every click you make (e.g., changing your DNS settings to hijack your ad views, which is just what a recent aforementioned Eastern European crime syndicate did). Agreed that the router needs to support HTTPS first; hopefully that'll be coming shortly. Once it's in place, I'd dearly hope any app would not just offer it as an option, but require it. With things like the WiFi Pineapple out there (there are plenty of other, more sophisticated tools, but I mention it because it's cheap, easy to use, and a favorite of those who enjoy this sort of thing), one can't be too lax with anything going over wireless these days. I completely agree, that is definitely a discussion point I have with Iain. But as they are pushing out features, currently security is on the back burner. Link to comment Share on other sites More sharing options...
Netduma Staff Netduma Crossy Posted July 12, 2015 Netduma Staff Share Posted July 12, 2015 Swift, apple is moving away from Objective-C...however the minor issue is Swift isn't fully supported by 3rd party libraries yet. So currently it is written in Swift, we'll see. Cool - looking forward to this! Link to comment Share on other sites More sharing options...
abc123 Posted July 12, 2015 Share Posted July 12, 2015 Status Update: Everything is going smoothly i'll be building out the API calls (which isn't too bad), still need to start parsing the data for packets and handling the mapping properly. current issues: Drawing a circle on a map...MapBox doesn't include it Using MapKit or Google Map SDK allows for circles on a map easily...however you cannot style the map to be dark or anything else other than normal. minor update reviewing a couple cross-platform systems (primarily NativeScript). Although this appears to not solve the above issue it does allow for the same codebase to work on iOS and Android Link to comment Share on other sites More sharing options...
abc123 Posted July 13, 2015 Share Posted July 13, 2015 Just a demo of a map with the geo-filter size... Next, will be the basic visuals of the geo-filter...and moving the home location. Once we have that i'll likely demo again and then publish, extra features will come for sure. Link to comment Share on other sites More sharing options...
R3M!X Posted July 13, 2015 Share Posted July 13, 2015 ABC from the other forum? Damn. The legend continues.... Link to comment Share on other sites More sharing options...
Administrators Netduma Iain Posted July 13, 2015 Administrators Share Posted July 13, 2015 Massive salute to ABC... I think I'm most excited!! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.