home-assistant / android

:iphone: Home Assistant Companion for Android
https://companion.home-assistant.io/
Apache License 2.0

Inconsistent use of User Agents #4116

Closed titiviking closed 3 months ago

titiviking commented 6 months ago

Home Assistant Android app version(s): 2023.11
Android version(s): Android 13
Device model(s): OnePlus 8 Pro
Home Assistant version: 2023.12
Last working Home Assistant release (if known):

Description of problem, include YAML if issue is related to notifications:

Home Assistant companion app on Android does not use its User Agent string consistently.

As I'm configuring WAF rules on CloudFlare, I'm attempting to identify my phone using a combination of substrings in the User Agent header and target hostname. I would expect that the app uses its "Home Assistant/[...]" user agent consistently. However, I notice that on certain actions another user agent is used: "Mozilla/5.0 (Linux; Android 13; IN2023 Build/RKQ1.211119.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/120.0.6099.144 Mobile Safari/537.36"

I can see this when I compare 2 WAF events from CloudFlare: firewall-event-840d681f4ef274fe.json and firewall-event-840d682fe83783c4.json

Companion App Logs:

Screenshot or video of problem:

Additional information:

dshokouhi commented 6 months ago

However I notice that on certain actions another user agent is used

Can you please let us know in what actions this happens?

titiviking commented 6 months ago

Webhook is using "Home Assistant..."
Calendar display in app is using "Mozilla..."

dshokouhi commented 6 months ago

Based on the JSON it looks like this is happening inside of WebView, as this API is not used by the app directly.

"clientRequestPath": "/api/calendars/calendar.misses",

We do indeed set the user agent when the WebView instance is created

https://github.com/home-assistant/android/blob/master/app/src/main/java/io/homeassistant/companion/android/webview/WebViewActivity.kt#L328

Wonder if this is something the HA frontend overrides?

marazmarci commented 6 months ago

A side note loosely related to the bug report: relying on User-Agent strings for controlling access to your HA instance doesn't provide too much security. Did you know that the Android app supports mTLS client certificate authentication and that you can configure mTLS on Cloudflare? It was added in #2526. (and in #3924 for Wear OS)

Unfortunately, the iOS app doesn't (yet) support it, but here's a discussion that you can track if you're interested.

I hope I could help :slightly_smiling_face:

titiviking commented 6 months ago

You are correct, but the user agent for mobile phones includes the phone model... so checking that the user-agent has "Home Assistant", as well as the mobile phone reference, and restricting that to the HA domain endpoint, already limits the attack surface somehow... Ideally I would like to add the validation of presence of the Authorization header to ensure only authenticated connections would be allowed without a CloudFlare challenge... but that is not yet possible on CloudFlare...

My aim is to provide some level of security with whatever information is available, while still:

So all source IP, ASN, etc are out of the question as there is still too much variability based on the use cases... mTLS would indeed be a possibility, but this mandates all devices to have this... my tablet, girlfriends phone, etc don't have that yet (or it would be complex to manage and maintain)... hence the combination of UA and host to already implement some kind of barrier...
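To see what the UA-plus-host rule described above does with the two request kinds from this thread, here is an added example (not code from the thread or from the Home Assistant project): it classifies a User-Agent as companion app, Android WebView (the system WebView marks its Mozilla-style UA with a "wv" token), or other, and replays the rule over a few constructed Cloudflare-style events. The "Home Assistant/..." sample UA and all field names other than clientRequestPath are assumptions.

```python
import json

# Constructed sample of Cloudflare-style firewall events. "clientRequestPath" is
# the field quoted in the thread; the other field names and the app UA are assumed.
SAMPLE_EVENTS = json.dumps([
    {"clientRequestHTTPHost": "ha.example.test",
     "clientRequestPath": "/api/webhook/constructed-id",
     "userAgent": "Home Assistant/2023.11 (Android 13; IN2023)"},  # assumed format
    {"clientRequestHTTPHost": "ha.example.test",
     "clientRequestPath": "/api/calendars/calendar.misses",
     "userAgent": "Mozilla/5.0 (Linux; Android 13; IN2023 Build/RKQ1.211119.001; wv) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                  "Chrome/120.0.6099.144 Mobile Safari/537.36"},
    {"clientRequestHTTPHost": "ha.example.test",
     "clientRequestPath": "/api/states",
     "userAgent": "curl/8.4.0"},
])


def classify_user_agent(ua: str) -> str:
    """Bucket a User-Agent into 'companion-app', 'android-webview' or 'other'."""
    if ua.startswith("Home Assistant/"):
        return "companion-app"
    # Android's system WebView advertises itself with "; wv)" inside the
    # parenthesised platform section of an otherwise Chrome-like UA.
    if "; wv)" in ua:
        return "android-webview"
    return "other"


def allow_rule(event: dict, host: str, phone_marker: str) -> bool:
    """The rule from the thread: right hostname, app UA, and the phone's model
    string present in the UA. Returns True when the request would pass."""
    ua = event["userAgent"]
    return (event["clientRequestHTTPHost"] == host
            and "Home Assistant" in ua
            and phone_marker in ua)


def audit(events_json: str, host: str, phone_marker: str) -> list:
    """Return (path, ua_class, allowed) per event so it is visible which
    legitimate app traffic (the WebView calendar call) the rule would challenge."""
    return [(ev["clientRequestPath"],
             classify_user_agent(ev["userAgent"]),
             allow_rule(ev, host, phone_marker))
            for ev in json.loads(events_json)]
```

Running audit over the samples shows the webhook call passing and the calendar call, although it comes from the same app, being treated like any unknown client, which is exactly the gap the thread is about.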

dshokouhi commented 3 months ago

Let's let the frontend issue run its course and close this; the app already sets the user agent, so most likely the frontend will need to correct it.