Amahi Anywhere Security
Posted: Thu Sep 18, 2014 7:57 am
It is great to see the Amahi Anywhere app for Android working. I have had a quick play, and it works very well.
My main concern is security. The app gives access to all shares on the HDA, including those belonging to individual users that would otherwise not be accessible to other users. This seems to leave a big hole in the security of the HDA and the files stored there, as someone with the credentials for my Amahi account, details of which I have to trust to the Amahi servers, could install the Android or Apple app and have access to everything on my HDA.
Secondly, there is no security on the app itself, so if someone can gain access to the device they have my files. There is no way, from the HDA, of limiting access other than uninstalling Amahi Anywhere (unless there is a config file that I can edit - I have not looked yet).
I think there are two things needed here:
1. The ability to authorise (and de-authorise) devices from the HDA itself. If I install the Android/Apple app, I must also have access to the HDA to initially authorise access from that device.
2. Some security on the app, such as an access password or pin, perhaps like Dropbox or Evernote which will delete the login credentials if I get the pin wrong 3 times.
I think it would also be useful to have some way of limiting what shares the app can access, for example just shares that are accessible to all users, and require supplementary login to shares that are accessible to specific users using their credentials.
Good as the app is, I am uninstalling Amahi Anywhere from my HDA because of the security risks.