I recently discovered a very useful app - Elgato StreamDeck Integration App for Homey | Homey - which allows you to control all devices in your Homey account with a StreamDeck device, as well as see readings from a device (such as CO2 measurements etc). And while this can be very handy, it also raises some serious questions as to what data and devices an app can provide access to.
I’m fully confident The StreamDeck integration developer has the best of intentions - but imagine if a rogue developer (or a rogue app update by someone than the developer) used the same technique to stealthily access devices on the user’s account. He or she could effectively take control of all devices in the user’s home.
My friend who discovered this has raised this very issue to Homey support, but they unfortunately don’t seem to be too concerned with this. They say that the StreamDeck app needs that sort of access for it to work, which makes sense from a practical perspective - but from a security perspective, it offers absolutely no protection for its users.
Support also mentioned that they can’t vet 3rd party apps (while others in this forum have mentioned that they do limited vetting) - which makes me think they need to revisit how apps interact with Homey in the first place.
I’m no security expert, but it sounds like Homey needs to implement some sort of security/permissions layer to protect its users from potential rogue apps. Some thoughts on what this could include:
Control what apps can and cannot access: Only allow apps to have limited access to user data and other devices. Allow the user to grant and remove access - based on, for example, what sort of device types an app can interact with, whether it wants online or offline access etc.
Introduce restricted device types: Maybe special security measures should be implemented for privacy-sensitive devices (such as cameras or audio-recording devices), or devices that may be “dangerous” if turned on/off, such as household appliances
Inform the user: a) Always inform the Homey user about what sort of access a given app requests. If it requests unusual access, clearly inform the user so he/she can make an informed decision on whether to permit it. b) If the app requests online access, show where the user data is being sent. c) Create a list of all installed apps and what sort of permissions they have (like on Android devices).
Also, in terms of API Keys: How’s the user protected from a rogue developer intercepting an API key, so he/she can control the users devices using said key? If there’s no protection here, this would also be worth resolving somehow.
I hugely appreciate the work done by 3rd party community developers - but it sounds like users are being left at sea with little to no security when it comes to 3rd party apps (and no ability to judge what an app gets access to, and whether it’s making legitimate access requests or not). A security/permissions layer between Homey and apps could empower the users to bring back some of that security.