iSmart App Security

[AlC]

Does anyone else feel a little uneasy with the lack of attention to detail around security for the iSmart app?

Functionality wise, it's good, and I use it. But every time I have to reset my password because the app has randomly signed me out (and I've forgotten my password because it doesn't integrate with my phone's password manager) - I come back to feeling uneasy about it.

I guess my main concerns are:

• Inability to use special characters in the password - you kind of get forced into selecting a less secure password
• No multi factor authentication option

Perhaps I worry too much, but the fact is with access to an iSmart account, you can GPS locate someone's car, unlock it and potentially drive it away using the digital key.

I know there's the additional PIN prompt for some functions but you don't really want to be in situation where you're relying on your PIN to prevent someone from taking your car.

Also - as someone who works in tech, the fact they limit special characters for the password makes me wonder about how they're being handled at the back end. If they're being hashed and salted, really the system shouldn't care about what characters are in them. The fact that they limit special characters makes me wonder if they're being stored in the clear and the character limitations are there to prevent SQL injection attacks... like, are they using the password as part of a select statement? Because that would be... bad

 

[noel72]

Does anyone else feel a little uneasy with the lack of attention to detail around security for the iSmart app?

Functionality wise, it's good, and I use it. But every time I have to reset my password because the app has randomly signed me out (and I've forgotten my password because it doesn't integrate with my phone's password manager) - I come back to feeling uneasy about it.

I guess my main concerns are:

• Inability to use special characters in the password - you kind of get forced into selecting a less secure password
• No multi factor authentication option

Perhaps I worry too much, but the fact is with access to an iSmart account, you can GPS locate someone's car, unlock it and potentially drive it away using the digital key.

I know there's the additional PIN prompt for some functions but you don't really want to be in situation where you're relying on your PIN to prevent someone from taking your car.

Also - as someone who works in tech, the fact they limit special characters for the password makes me wonder about how they're being handled at the back end. If they're being hashed and salted, really the system shouldn't care about what characters are in them. The fact that they limit special characters makes me wonder if they're being stored in the clear and the character limitations are there to prevent SQL injection attacks... like, are they using the password as part of a select statement? Because that would be... bad

I am having a similar problem, except when I say forgot password, and click send link, I am not receiving any email to reset password. I only have 1 attempt left, what happens if I still don't get email to reset password, any advice be greatly appreciated, thanks.

 

[siteguru]

FWIW my app does integrate with Google password manager ... I never need to remember it.

 

[Rolfe]

I am having a similar problem, except when I say forgot password, and click send link, I am not receiving any email to reset password. I only have 1 attempt left, what happens if I still don't get email to reset password, any advice be greatly appreciated, thanks.

Have you looked in your spam folder?

 

[noel72]

Have you looked in your spam folder?

Yes, it's strange as password is saved, but it didn't come up.

 

[Scaeva]

Somehow my iSmart app has forgotten the password. Of course I don't remember what password I used. I don't know if the app automatically forgets the password after about 20 days of registering or whether it happened to co-incide with my device updating to Android 14 recently.

I'm almost out of attempts to guess it correctly.

Every time I choose "Forgot password?", then press "Send" next to my email address, after about 4 seconds I receive "the service is not available,please try again later~" message. However I've tried every hour for the past 6 hours and I'm still getting the same message.

Is there another way, like a website instead of the app, where I can submit a forgot password request? Some googling showed that people are able to reset it with their phone number somehow, but I don't see that option anywhere.

I'm using the app from Perth, Australia, and it's worked fine for the last 2 weeks.

 

[Corindikev]

Did you check your emails. When I originally set mine up I got the same message. Then I went to my PC & found 3 or 4 emails from SAIC with the code, all expired by then. One more go & I was good to go.

 

[Converted]

Is there another way, like a website instead of the app, where I can submit a forgot password request? Some googling showed that people are able to reset it with their phone number somehow, but I don't see that option anywhere.

I'm using the app from Perth, Australia, and it's worked fine for the last 2 weeks.

Hi Scaeva,
I too am in Perth WA, downloaded the app on both mine and my wife's phone Friday afternoon, have made multiple attempts on both phones since then and to date (just tried again) and failed again.
I dont even have the option of phone numbers.
Hoping someone picks up on this as I don't know how to resolve but 4 days (for me) is painfull, especially considering we took delivery Friday and still unresolved.....

 

[Kithmo]

It will be the phone update that's done it.
Did you originally set up the app with your email or your phone number ?

 

[Converted]

Did you originally set up the app with your email or your phone number ?

For us we originally set up using the phone but only using our individual email adresses and not our phone numbers. From memory there was not the option to use phone numbers. Even removed/deleted the app and started again but that failed too.

 

[siteguru]

The app itself doesn't remember the password*; it's Google's password manager that does it. Have you looked in Chrome browser (either on a PC or on your phone), opened the password manager and searched for saic and/or mg and seen if there are any results? (On my laptop the results are found under saic; on my phone they're found under mg). If there are then there's a good chance that the contents include your app password.

* the app will usually keep you logged in, but sometimes you'll get logged out. An Android update would do that.

 

[Kithmo]

For us we originally set up using the phone but only using our individual email adresses and not our phone numbers. From memory there was not the option to use phone numbers. Even removed/deleted the app and started again but that failed too.

If you used more than one email address, I assume you checked both ?

 

[Converted]

If you used more than one email address, I assume you checked both ?

Yes mate, both, and checked junk mail on both too

 

[siteguru]

2 email addresses equals 2 accounts ... I don't think you can use 2 emails with one account? And a car can only be bound to one account.

 

[Converted]

Thanks siteguru but I didnt even get the chance to register either, nor was there an opportunity to bind either to the car.....because we are stopped at registering with the same response ""This service is not available. Please try again later."

Apologies Scaeva, I didnt mean to hijack your issue and I hope you get yours sorted out!

 

[Rolfe]

There was another thread last week about a very similar issue so I have merged the two in the hope of keeping all the info in the one place.

 

[barn]

Somehow my iSmart app has forgotten the password. Of course I don't remember what password I used. I don't know if the app automatically forgets the password after about 20 days of registering or whether it happened to co-incide with my device updating to Android 14 recently.

I'm almost out of attempts to guess it correctly.

Every time I choose "Forgot password?", then press "Send" next to my email address, after about 4 seconds I receive "the service is not available,please try again later~" message. However I've tried every hour for the past 6 hours and I'm still getting the same message.

Is there another way, like a website instead of the app, where I can submit a forgot password request? Some googling showed that people are able to reset it with their phone number somehow, but I don't see that option anywhere.

I'm using the app from Perth, Australia, and it's worked fine for the last 2 weeks.

Exact same problem for me in Sydney. "Service not available, try again later....." I had used a google strong password but can't find it anywhere. No reply from MG via email yet.

Somehow my iSmart app has forgotten the password. Of course I don't remember what password I used. I don't know if the app automatically forgets the password after about 20 days of registering or whether it happened to co-incide with my device updating to Android 14 recently.

I'm almost out of attempts to guess it correctly.

Every time I choose "Forgot password?", then press "Send" next to my email address, after about 4 seconds I receive "the service is not available,please try again later~" message. However I've tried every hour for the past 6 hours and I'm still getting the same message.

Is there another way, like a website instead of the app, where I can submit a forgot password request? Some googling showed that people are able to reset it with their phone number somehow, but I don't see that option anywhere.

I'm using the app from Perth, Australia, and it's worked fine for the last 2 weeks.

Password reset worked for me just now.

 

[mGizmo]

I tried password reset to no avail. I know the password is right because (a) I've used to it set the account in the car's infotainment, and (b) if I deliberately get it wrong it says "wrong password". There's got to be something wrong at MG's end.

 

[Martinonline]

ISmart requested my password yesterday after the car was charged to 100% and I could not remove the plug. I entered the correct password twice to no avail. I then sorted out the plug and left the car unlocked and powered up. The app then allowed my password. No problems since.

Could be coincidence but perhaps the server needs to confirm with the car the account details and fails if it cannot connect. Hence the lack of a 'wrong password' response.

 

[Scaeva]

Good news for me, password recovery worked today. The app did not let me use non alpha- numeric. I only noticed because LastPass let me see the password I thought I had typed.