
mobile install - security qualms

Posted: Wed Feb 22, 2017 5:03 pm
by joea
So, with a new ZM install, seemed like zmNinja was a deal at the price.

That is, no offense intended, until it started asking me questions I did not feel comfortable with. Such as the login to my ZM.

I did not go further and thought I would post here to get an explanation of what security measures are in place?

Re: mobile install - security qualms

Posted: Wed Feb 22, 2017 6:20 pm
by asker
zmNinja needs your login/password to be able to log into ZM - unless it does that, there is no way it can show you feeds/data (because you protected it with a login/auth)

zmNinja uses APIs that ZM exposes, but the authentication layer ties into ZM, hence it needs to 'log in' to be able to create a session with ZM (without which neither the APIs nor the live/recorded feeds would be rendered - ZM would reject zmNinja saying 'not logged in')

With respect to security, zmNinja uses the same interface you do for ZM. If you use HTTP, it will use HTTP. If you use HTTPS, it will use HTTPS. It makes a web query to log in, just like how you'd launch a browser and log in yourself.

zmNinja's source code is published - feel free to audit it - https://github.com/pliablepixels/zmNinja

Re: mobile install - security qualms

Posted: Wed Feb 22, 2017 7:02 pm
by joea
Again, no offense intended. I became concerned when, right out of the box, so to speak, it wanted log in credentials. I did think it might be necessary, but, in today's world . . . Maybe add a little text in that area to comfort the paranoid?

So, the only use of any "private" data such as login credentials (etc) are for "local" use only and are not communicated "off campus"?

Not that I have much to hide, but if I ever start supporting this for clients . . .

Auditing is probably beyond my comfort zone at the moment, but thanks for the invitation.

Re: mobile install - security qualms

Posted: Wed Feb 22, 2017 7:16 pm
by asker
joea wrote: So, the only use of any "private" data such as login credentials (etc) are for "local" use only and are not communicated "off campus"?
No offense taken at all.

The login and password are only used to communicate from zmNinja (the app) to ZM (your server). If by "off campus" you mean if I am uploading them to some sort of cloud/server/DB, then the answer is no, I am not.