mobile install - security qualms

Discussion topics related to mobile applications and ZoneMinder Event Server (including machine learning)
joea
Posts: 20
Joined: Mon Feb 20, 2017 8:11 pm

mobile install - security qualms

Post by joea »

So, with a new ZM install, seemed like zmNinja was a deal at the price.

That is, no offense intended, until it started asking me questions I did not feel comfortable with. Such as the login to my ZM.

I did not go further and thought I would post here to get an explanation of what security measures are in place?
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: mobile install - security qualms

Post by asker »

zmNinja needs your login/password to be able to log into ZM - unless it does that, there is no way it can show you feeds/data (because you protected it with a login/auth)

zmNinja uses APIs that ZM exposes, but the authentication layer ties into ZM, hence it needs to 'log in' to be able to create a session with ZM (without which neither the APIs nor the live/recorded feeds would be rendered - ZM would reject zmNinja saying 'not logged in')

With respect to security, zmNinja uses the same interface you do for ZM. If you use HTTP, it will use HTTP. If you use HTTPS, it will use HTTPS. It makes a web query to login, just like how you'd launch a browser and log in yourself.

zmNinja's source code is published - feel free to audit it - https://github.com/pliablepixels/zmNinja
I no longer work on zmNinja, zmeventnotification, pyzm or mlapi. I may respond on occasion based on my available time/interest.

Please read before posting:
How to set up logging properly
How to troubleshoot and report - ES
How to troubleshoot and report - zmNinja
ES docs
zmNinja docs
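
One way to check where the login actually goes without reading the app's source, as an added example (not part of the original posts and not zmNinja code): run the phone through an intercepting proxy you control, export the requests, and flag any that carry the password to a host other than your ZM server or over plain HTTP. The hosts, paths, password and the `audit_capture` helper are constructed for this illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (method, URL, form body) rows as exported from an
# intercepting proxy while the app logs in. Hosts, paths and the password
# are made up for this example.
PORTAL = "https://zm.example.test/zm"
PASSWORD = "c0nstructed!pw"
CAPTURE = [
    ("POST", "https://zm.example.test/zm/api/host/login.json",
     "user=viewer&pass=c0nstructed%21pw"),
    ("GET", "http://zm.example.test/zm/cgi-bin/nph-zms?monitor=1"
            "&user=viewer&pass=c0nstructed%21pw", ""),
    ("POST", "https://telemetry.example.net/collect",
     "u=viewer&p=c0nstructed%21pw"),
    ("GET", "https://zm.example.test/zm/api/monitors.json", ""),
]

def audit_capture(entries, portal_url, secrets):
    """Flag requests that carry a secret to another host or without TLS."""
    portal_host = urlsplit(portal_url).hostname
    secrets = set(secrets)
    findings = []
    for _method, url, body in entries:
        parts = urlsplit(url)
        # parse_qsl percent-decodes, so encoded secrets still match.
        sent = {v for _, v in parse_qsl(parts.query)}
        sent |= {v for _, v in parse_qsl(body)}
        if not sent & secrets:
            continue  # request carries no credential
        if parts.hostname != portal_host:
            findings.append(("off-host", url))
        elif parts.scheme != "https":
            findings.append(("cleartext", url))
    return findings

if __name__ == "__main__":
    for kind, url in audit_capture(CAPTURE, PORTAL, [PASSWORD]):
        print(f"{kind:9} {url}")
```

The check only looks at query-string and form-encoded values; credentials sent in JSON bodies or headers would need their own extraction step.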
joea
Posts: 20
Joined: Mon Feb 20, 2017 8:11 pm

Re: mobile install - security qualms

Post by joea »

Again, no offense intended. I became concerned when, right out of the box, so to speak, it wanted log in credentials. I did think it might be necessary, but, in today's world . . . Maybe add a little text in that area to comfort the paranoid?

So, the only use of any "private" data such as login credentials (etc) are for "local" use only and are not communicated "off campus"?

Not that I have much to hide, but if I ever start supporting this for clients . . .

Auditing is probably beyond my comfort zone at the moment, but thanks for the invitation.
asker
Posts: 1553
Joined: Sun Mar 01, 2015 12:12 pm

Re: mobile install - security qualms

Post by asker »

joea wrote: So, the only use of any "private" data such as login credentials (etc) are for "local" use only and are not communicated "off campus"?
No offense taken at all.

The login and password are only used to communicate from zmNinja (the app) to ZM (your server). If by "off campus" you mean if I am uploading them to some sort of cloud/server/DB, then the answer is no, I am not.