You’re right when it comes to DNS and signed certificates. I’m talking about self-signed certificates and IP address usage to my Philips Hue. Except for a man-in-the-middle attack, a self-signed certificate encrypts the traffic between the two hosts. By capturing the WiFi traffic (and finding the WPA2 key) they still don’t have my Hue API key.
An extra security measure is to store the hue-host certificate as trusted to prevent MitM, but I think this is more related to Homey Core than this app.
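As an added example (not code from this post, the Homey app or Philips), one way to "store the hue-host certificate as trusted" when the bridge is reached by IP and presents a self-signed certificate: record the certificate's SHA-256 fingerprint on first contact and refuse any later connection whose certificate differs. The bridge address and the recorded fingerprint are assumed placeholders.

```python
"""Pin a bridge's self-signed TLS certificate by SHA-256 fingerprint.

Assumed, not from the original post: the bridge is reached by IP address
(HUE_HOST is a constructed placeholder) and the pinned fingerprint was
recorded on first contact (trust-on-first-use) with record_pin().
"""
import hashlib
import hmac
import socket
import ssl

HUE_HOST = "192.0.2.10"   # constructed placeholder bridge address
HUE_PORT = 443


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fp: str) -> bool:
    """Compare against the stored pin; accepts 'ab:cd:..' or 'abcd..' form."""
    expected = pinned_fp.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(der_cert), expected)


def _tls_context() -> ssl.SSLContext:
    """No CA chain can validate a self-signed cert, so chain checking and
    hostname checking are off; the fingerprint pin replaces both."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # pin is checked manually below
    return ctx


def record_pin(host: str, port: int, timeout: float = 5.0) -> str:
    """First contact: fetch the bridge certificate and return its fingerprint
    so it can be stored as the trusted pin."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _tls_context().wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))


def connect_pinned(host: str, port: int, pinned_fp: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the presented certificate
    matches the pin; anything else is treated as a possible MitM."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = _tls_context().wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_fp):
        tls.close()
        raise ssl.SSLError("bridge certificate does not match stored pin")
    return tls
```

The API key then only ever travels over a connection whose peer certificate is the one recorded at setup; a different certificate, whatever its name or issuer, is rejected before any request is sent.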