Picture notification now supported via event server (Android only)

[asker]

One of the things I did in ES 2.0, in addition to support machine learning was to introduce picture messaging.
This currently only works for Android as the push plugin I use doesn't yet support rich notifications for iOS.

Note that to get pictures as part of push notifications, you can't use self signed certificates. Android rejects them with a "cannot find trust anchor" error message. So this will only work if you use a trusted CA chain, like the free LetsEncrypt

To upgrade your ES make sure you download the latest server and configuration files. instructions on enabling picture messaging are here.

When you get everything working, your notifications will look like this. Enjoy.

[nrbell]

This is a wonderful feature, thanks for implementing it. I was wondering, though, about the security implications. Your recommendation for a picture URL is:

Code: Select all

picture_url = https://yourserver/zm/index.php?view=image&eid=EVENTID&fid=alarm&width=600&username=admin&password=yourpassword

I realize that all paths are encrypted, but this still exposes a full Zoneminder login to someone. You can lock down the login somewhat, but they could still use it to view any of your recorded events.

I mitigated this somewhat partially due to my unusual setup. I don't expose my Zoneminder interface to the wider Internet. I do have a VPS, however, that sports Let's Encrypt certificates. I use my VPS to proxy the picture request to a local proxy that finally makes the request to Zoneminder. The only information passed over the Internet is the event ID. It's a little Rube-Goldbergian, but it works. This still allows someone to view event snapshots, since the IDs are easily guessable.

Have you considered making the event ID information more opaque? Perhaps it could be a time-limited random cookie that gets mapped to the event ID. This would prevent event ID guessing.

[asker]

You're right. This is the easiest format, but most susceptible as well. Oddly, I've found most ZM users run their system behind a VPN and don't seem worried. That doesn't justify its use, of course.

There are however other options:

Option 1 (not really sure what will happen after 60m):

Code: Select all

picture_url = https://yourserver/zm/index.php?view=image&eid=EVENTID&fid=alarm&width=600&auth=token

Where you can get token from using the new login API (ZM 1.32.x) . The token expires every hour (ZM PHP session period) so I don't really know what will happen if you see the notification 2 hours later

Option 2:

Write a script to fetch the alarmed image and upload to S3/Dropbox and use that link

Have you considered making the event ID information more opaque? Perhaps it could be a time-limited random cookie that gets mapped to the event ID. This would prevent event ID guessing.

No. (As in I haven't considered - these are all good ideas and if you are a coder, would be happy to receive code contributions)