mobile install - security qualms

Discussion topics related to mobile applications for ZoneMinder
joea
Posts: 13
Joined: Mon Feb 20, 2017 8:11 pm

mobile install - security qualms

Post by joea » Wed Feb 22, 2017 5:03 pm

So, with a new ZM install, seemed like zmNinja was a deal at the price.

That is, no offense intended, until it started asking me questions I did not feel comfortable with. Such as the login to my ZM.

I did not go further and thought I would post here to get an explanation of what security measures are in place?

asker
Posts: 795
Joined: Sun Mar 01, 2015 12:12 pm

Re: mobile install - security qualms

Post by asker » Wed Feb 22, 2017 6:20 pm

zmNinja needs your login/password to be able to log into ZM - unless it does that, there is no way it can show you feeds/data (because you protected it with a login/auth).

zmNinja uses APIs that ZM exposes, but the authentication layer ties into ZM, hence it needs to 'log in' to be able to create a session with ZM (without which neither the APIs nor the live/recorded feeds would be rendered - ZM would reject zmNinja saying 'not logged in')

With respect to security, zmNinja uses the same interface you do for ZM. If you use HTTP, it will use HTTP. If you use HTTPS, it will use HTTPS. It makes a web query to log in, just like how you'd launch a browser and log in yourself.

zmNinja's source code is published - feel free to audit it - https://github.com/pliablepixels/zmNinja
--
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts

joea
Posts: 13
Joined: Mon Feb 20, 2017 8:11 pm

Re: mobile install - security qualms

Post by joea » Wed Feb 22, 2017 7:02 pm

Again, no offense intended. I became concerned when, right out of the box, so to speak, it wanted log in credentials. I did think it might be necessary, but, in today's world . . . Maybe add a little text in that area to comfort the paranoid?

So, the only use of any "private" data such as login credentials (etc) are for "local" use only and are not communicated "off campus"?

Not that I have much to hide, but if I ever start supporting this for clients . . .

Auditing is probably beyond my comfort zone at the moment, but thanks for the invitation.

asker
Posts: 795
Joined: Sun Mar 01, 2015 12:12 pm

Re: mobile install - security qualms

Post by asker » Wed Feb 22, 2017 7:16 pm

joea wrote: So, the only use of any "private" data such as login credentials (etc) are for "local" use only and are not communicated "off campus"?

No offense taken at all.

The login and password are only used to communicate from zmNinja (the app) to ZM (your server). If by "off campus" you mean if I am uploading them to some sort of cloud/server/DB, then the answer is no, I am not.
--
My collection of ZoneMinder learnings:
https://wiki.zoneminder.com/Various_ZM_thoughts
