Kiosk mode security issues

I just checked the Homey kiosk mode and I realized that it isn’t fully locked down. For example, it’s possible to long-press a device, click the Flows tab, create a new Flow and then you can do pretty much anything with the system. Same goes for long-pressing a device and clicking the Settings icon, where you can modify anything of that device, and even open the app screen where you can disable the app that controls the device, and access any other devices from that app.

What is the Kiosk Mode for? If it’s just to prevent accidentally exiting the dashboard, then you could just create a confirmation dialog (something the Homey app already has when closing out of a dashboard).

5 Likes

I’ve just found a method to exit the kiosk mode entirely (without needing the password).

Prerequisites:

  • You should have no Moods
  • You should have a Favorite Moods widget on your dashboard
  • You should have at least 1 light device

Steps to reproduce:

  1. With the favorite Moods widget, activate Kiosk Mode. You can now no longer exit the dashboard.
  2. Click the “Add favorite Mood” button.
  3. Now click “Create Mood”.
  4. You should now run through the process to create a Mood with the light.
  5. After clicking “Create”, you are now sent to the Devices tab from where you can click through to any tab and do anything on the Homey.
1 Like