This topic is now archived and is closed to further replies.

Netduma Fraser

Netduma App

Hey guys, the Netduma app has begun development, big thanks to Abc for doing this, it's definitely a massive help! I'm sure he has plenty of ideas for it but don't hesitate to give any suggestions, I'm sure he'll try his best to implement them if he can :)


Awesome that would be cool! It should be straightforward as well, as you can use the GET HTTP request (I used to do a bit of Android and iOS dev)

*****

Just remembered it doesn't use different HTTP addresses and uses PHP? I think****


Awesome that would be cool! It should be straightforward as well, as you can use the GET HTTP request (I used to do a bit of Android and iOS dev)

*****

Just remembered it doesn't use different HTTP addresses and uses PHP? I think****

 

I've been sworn to secrecy and wrapped in a shroud of darkness.

 

No really, it is just basic HTTP.


May I request it use HTTPS instead of HTTP? If you need a cert, there's always https://letsencrypt.org/ if you don't want to pay for it. Wifi's trivial to sniff, MiTM, or outright hijack, and while an attacker may not have access to your home network normally, having plaintext HTTP going over the air is just asking for nastiness to occur.

 

(I'd also request that, when the username/password security option is added to the R1 firmware, that a move from http to https in the firmware be made as well.  This, of course, would be necessary for the app to use HTTPS with the R1).


May I request it use HTTPS instead of HTTP? If you need a cert, there's always https://letsencrypt.org/ if you don't want to pay for it. Wifi's trivial to sniff, MiTM, or outright hijack, and while an attacker may not have access to your home network normally, having plaintext HTTP going over the air is just asking for nastiness to occur.

 

(I'd also request that, when the username/password security option is added to the R1 firmware, that a move from http to https in the firmware be made as well.  This, of course, would be necessary for the app to use HTTPS with the R1).

 

What sensitive data is travelling between the app and the router that needs protecting with HTTPS? :) That's a genuine question btw :)


abc is the right guy for this job! :)

 

If I were to bring up a suggestion I'd say maybe consider an iOS app too for us non-Android users ;)


May I request it use HTTPS instead of HTTP? If you need a cert, there's always https://letsencrypt.org/ if you don't want to pay for it. Wifi's trivial to sniff, MiTM, or outright hijack, and while an attacker may not have access to your home network normally, having plaintext HTTP going over the air is just asking for nastiness to occur.

 

(I'd also request that, when the username/password security option is added to the R1 firmware, that a move from http to https in the firmware be made as well.  This, of course, would be necessary for the app to use HTTPS with the R1).

I don't control the protocol that the router uses, these are all good feature requests but they are also all things that would be implemented on the router's firmware.  

 

Once HTTPS was implemented the API we are using would need to be redefined to require OAuth2 to stop unauthorized requests.

 

 

What sensitive data is travelling between the app and the router that needs protecting with HTTPS? :) That's a genuine question btw :)

 

Honestly there is a lot on your network, an iOS app if it were "sniffing" traffic could pick up a lot of information (passwords and credit card info)...this app will only be communicating within your own network so no concerns there.

 

abc is the right guy for this job! :)

 

If I were to bring up a suggestion I'd say maybe consider an iOS app too for us non-Android users ;)

That will be the first app. :) and thanks

 

Really excited!  Thanks ABC.  Is this going to be on the app store / google play store?  

iOS is going to be first, then I'll be porting the code to Android.


Honestly there is a lot on your network, an iOS app if it were "sniffing" traffic could pick up a lot of information (passwords and credit card info)...this app will only be communicating within your own network so no concerns there.

 

So there is nothing worth sniffing between the app and router? :)


How long do you think it'll take you to make the app???

 

As this is a side project and can't be released open source (yet) I will be working on it in my spare time.

That being said I hope to give frequent updates on the status and screenshots/videos when the time comes.

 

So there is nothing worth sniffing between the app and router? :)

 

Nothing that you couldn't sniff going from your router to any of the web clients (http://r1), it's all the same thing. There currently isn't any security around all that. I am making sure to note anything that needs to be deprecated and/or changed for security and safety of the product's main intention of not being a cheating device.


I've been sworn to secrecy and wrapped in a shroud of darkness.

 

No really, it is just basic HTTP.

 

Oh ok, I am very rusty so don't remember much but I am very interested in how it goes


If abc's doing it, I assure you it will be done right ;)

Agreed, ABC 123 is always a great forum member and is very supportive so I am sure he will do it very well, and don't worry about time scale, better for it to be working and not end up like the PC port of Arkham Knight ;)


Nothing that you couldn't sniff going from your router to any of the web clients (http://r1), it's all the same thing. There currently isn't any security around all that. I am making sure to note anything that needs to be deprecated and/or changed for security and safety of the product's main intention of not being a cheating device.

 

Ok :) Are you writing it in Swift or Objective-C?


I don't control the protocol that the router uses, these are all good feature requests but they are also all things that would be implemented on the router's firmware.  

 

Once HTTPS was implemented the API we are using would need to be redefined to require OAuth2 to stop unauthorized requests.

 

 

 

Honestly there is a lot on your network, an iOS app if it were "sniffing" traffic could pick up a lot of information (passwords and credit card info)...this app will only be communicating within your own network so no concerns there.

 

Oh, I realize there's a lot on a local network.  My point is that WPA2 is crackable, MiTMable, etc.  Which means that, by putting something on the network that's wirelessly communicating with the administrative interface of the router (without the additional encryption of HTTPS -- which is also MiTMable, but with more difficulty, as (ignoring the OpenSSL bug reported last week) faking a CA and/or overcoming cert pinning isn't as easy) leaves a large security hole exploitable by anyone within range of your AP.  They don't have to be associated to and authenticated by your AP, just able to pull the signal from the air.  And that can be done from the curb, or even from miles away.  There's a difference between having to associate and authenticate to your AP (at which point they could access the admin interface themselves) and simply flipping bits en route while the app is using the admin interface.

 

True, you'd need to be of interest to someone, but there are millions of routers out there that fell victim to "I'm nobody; nobody will bother hacking me".  Hacking wireless and hacking home routers is the favorite pastime of both bored teenagers and Eastern European crime syndicates alike.  Any router is valuable when the target is every click you make (e.g., changing your DNS settings to hijack your ad views, which is just what a recent aforementioned Eastern European crime syndicate did).

 

Agreed that the router needs to support HTTPS first; hopefully that'll be coming shortly.  Once it's in place, I'd dearly hope any app would not just offer it as an option, but require it.

 

With things like the WiFi Pineapple out there (there are plenty of other, more sophisticated tools, but I mention it because it's cheap, easy to use, and a favorite of those who enjoy this sort of thing), one can't be too lax with anything going over wireless these days.

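The "require HTTPS, don't just offer it" request and the cert-pinning point from the post above, as an added example that is not code from the Netduma app or firmware (and is in Python rather than the app's Swift). It assumes the router serves HTTPS with a self-signed certificate whose SHA-256 fingerprint was recorded once over a trusted connection; the pin value, the names `require_https`, `pin_matches` and `open_pinned`, and the `https://r1/` URL are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: stands in for the router certificate's DER bytes.
CONSTRUCTED_CERT_DER = b"constructed-sample-certificate-bytes"
# The pin the app would ship with or record at first (wired) setup.
PINNED_SHA256 = hashlib.sha256(CONSTRUCTED_CERT_DER).hexdigest()


class InsecureTransport(Exception):
    """Raised instead of sending admin traffic without pinned TLS."""


def require_https(url):
    """Return (host, port) for an https:// URL; refuse everything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureTransport(f"refusing non-HTTPS admin URL: {url!r}")
    return parts.hostname, parts.port or 443


def pin_matches(cert_der, pinned_hex):
    """Compare the certificate's SHA-256 fingerprint with the stored pin."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, pinned_hex.lower())


def open_pinned(url, pinned_hex, timeout=5.0):
    """Return a TLS socket only if the router's certificate matches the pin."""
    host, port = require_https(url)
    ctx = ssl.create_default_context()
    # A LAN router's certificate is normally self-signed, so CA and hostname
    # validation are replaced by the fingerprint check below, not just dropped.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    cert_der = tls.getpeercert(binary_form=True)
    if not cert_der or not pin_matches(cert_der, pinned_hex):
        tls.close()  # nothing has been sent yet, so no request data leaks
        raise InsecureTransport("router certificate does not match the pin")
    return tls
```

The pin check runs after the handshake but before any HTTP request is written, so an interposed access point presenting a different certificate never receives the admin request.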

This got my attention, I was wondering would iOS or Android be coming out first? Hopefully a dual launch so some people don't feel salty?? Like me for instance :)


This got my attention, I was wondering would iOS or Android be coming out first? Hopefully a dual launch so some people don't feel salty?? Like me for instance :)

 

 

abc is the right guy for this job! :)

 

If I were to bring up a suggestion I'd say maybe consider an iOS app too for us non-Android users ;)

 

That will be the first app. :) and thanks


If abc's doing it, I assure you it will be done right ;)

Thanks

 

Oh ok, I am very rusty so don't remember much but I am very interested in how it goes

No worries, it is basically just a bunch of HTTP (GET, POST, PUT, DELETE) but there are no DELETE just GET (Read), POST (Create), PUT (Update)

 

Agreed, ABC 123 is always a great forum member and is very supportive so I am sure he will do it very well, and don't worry about time scale, better for it to be working and not end up like the PC port of Arkham Knight ;)

Thanks!

 

Ok :) Are you writing it in Swift or Objective-C?

Swift, Apple is moving away from Objective-C...however the minor issue is Swift isn't fully supported by 3rd party libraries yet.

 

So currently it is written in Swift, we'll see.

 

Oh, I realize there's a lot on a local network.  My point is that WPA2 is crackable, MiTMable, etc.  Which means that, by putting something on the network that's wirelessly communicating with the administrative interface of the router (without the additional encryption of HTTPS -- which is also MiTMable, but with more difficulty, as (ignoring the OpenSSL bug reported last week) faking a CA and/or overcoming cert pinning isn't as easy) leaves a large security hole exploitable by anyone within range of your AP.  They don't have to be associated to and authenticated by your AP, just able to pull the signal from the air.  And that can be done from the curb, or even from miles away.  There's a difference between having to associate and authenticate to your AP (at which point they could access the admin interface themselves) and simply flipping bits en route while the app is using the admin interface.

 

True, you'd need to be of interest to someone, but there are millions of routers out there that fell victim to "I'm nobody; nobody will bother hacking me".  Hacking wireless and hacking home routers is the favorite pastime of both bored teenagers and Eastern European crime syndicates alike.  Any router is valuable when the target is every click you make (e.g., changing your DNS settings to hijack your ad views, which is just what a recent aforementioned Eastern European crime syndicate did).

 

Agreed that the router needs to support HTTPS first; hopefully that'll be coming shortly.  Once it's in place, I'd dearly hope any app would not just offer it as an option, but require it.

 

With things like the WiFi Pineapple out there (there are plenty of other, more sophisticated tools, but I mention it because it's cheap, easy to use, and a favorite of those who enjoy this sort of thing), one can't be too lax with anything going over wireless these days.

I completely agree, that is definitely a discussion point I have with Iain.  But as they are pushing out features, currently security is on the back burner.


Swift, Apple is moving away from Objective-C...however the minor issue is Swift isn't fully supported by 3rd party libraries yet.

 

So currently it is written in Swift, we'll see.

 

Cool - looking forward to this! :)


Status Update:

Everything is going smoothly, I'll be building out the API calls (which isn't too bad), still need to start parsing the data for packets and handling the mapping properly.

 

current issues:

Drawing a circle on a map...MapBox doesn't include it

Using MapKit or Google Map SDK allows for circles on a map easily...however you cannot style the map to be dark or anything else other than normal.

 

minor update

reviewing a couple cross-platform systems (primarily NativeScript).  Although this appears to not solve the above issue it does allow for the same codebase to work on iOS and Android


 

Just a demo of a map with the geo-filter size...

 

Next will be the basic visuals of the geo-filter...and moving the home location. Once we have that I'll likely demo again and then publish, extra features will come for sure.
