How secure are Homey apps (and what happens if a developer goes rogue)?

Hi, my colleague is worried about the app security with Homey, with so many unofficial apps out there.

Please note that I truly appreciate all the hard and dedicated work that individual developers are putting into creating apps - it really is fantastic. But the current approach with unofficial apps does make me wonder what happens if we come across a developer with malicious intentions. Can anyone please help shed light on the following:

  • How does Homey protect its users against rogue app developers? Is there any app vetting?

  • When a Homey app is granted access to a 3rd party API (so a device can be used in Homey via an API), what’s stopping a rogue developer from “listening in” or remote controlling the devices?

  • How does Homey prevent developers from accessing Homey users’ private data, web cams, etc?

  • Can a Homey developer access any data not related to their app at the individual Homey user?

Thanks,

Asbjoern

Apps are vetted by Athom when submitted to ensure they have no obvious malicious code, and apps that request extra privileges are checked more thoroughly.

Devs don’t get access to any users’ Homeys or devices just by publishing an app, but it is possible they could add code to an app that sends personal details to a server somewhere.

I check all devs’ apps that I publish in the HCS for that sort of thing.

A lot of apps have their code on GitHub or similar repositories, so it might be possible to check them for yourself.

So, it is right to be cautious and question these things, but I have not come across any problems yet.

3 Likes

It’ll have to be very obvious for Athom to be able to spot it. I don’t know the exact process that Athom uses, but I’m going to posit that it’ll be trivial to smuggle malicious code into an app. And if you can make up a good reason why your app needs elevated privileges, for instance to use the Web API, a malicious app will be able to control all other devices on a Homey.

What guarantees are given that official apps don’t have malicious intent?

1 Like

Is that a joke? :wink:

They probably, in most cases, have more “malicious” intent than most Homey developers.

Do you know what your phone provider and internet provider collect about you?

You know you call, text, email, browse, etc. through those providers, right :wink:

And about the review, Athom does a well enough job: I once built HOOP, which created HomeyScripts to retrieve the elevated API code. The first time it went through the review, they did not notice it, but before it was released, they did, and they fixed the issue (unfortunately by blocking apps from communicating with HomeyScript).

That’s what I would call “very obvious”.