Security of Apps in Homey Pro

What protections are there from a malicious or privacy-invasive apps installed on a Homey Pro?

I see that Homey has a permission system to limit access to certain things:

  • Manager API access (“complete control over the Homey”)
  • Geolocation
  • Certain hardware use (433/868 RF; IR; BLE; NFC; Speech output; LED ring use)
  • App-to-app communication (declared per app pair)

However internet and local network access is not restricted.
It seems like all apps have blanket direct outgoing internet access, plus access to make proxied inbound connections (via API webhooks)

So, what guarantees do we have that apps aren’t scraping a bunch of data off the local network or off of IoT devices and uploading it to their servers?

The only thing I can think of is to review the source for each app. However, not all apps are open-source. And I don’t think there’s any reproducible build system, so the only option for open-source apps is to compile and install them yourself after having reviewed the source.

Presumably one could block Homey from all outbound connections except to the Homey servers (unless they run on a cloud service and don’t have dedicated IPs – in which case it’s impossible to limit access only to Homey servers). And this doesn’t block the inbound webhook mechanism, which operates through the Homey servers.

Am I missing something?
Is there a way to block apps from network and webhook access?

I’ve just put everything in a separate vlan for iot devices and locked it down. I think thats the easiest way.