AlC
Standard Member
Does anyone else feel a little uneasy with the lack of attention to detail around security for the iSmart app?
Functionality-wise, it's good, and I use it. But every time I have to reset my password because the app has randomly signed me out (and I've forgotten my password because it doesn't integrate with my phone's password manager) - I come back to feeling uneasy about it.
I guess my main concerns are:
- Inability to use special characters in the password - you kind of get forced into selecting a less secure password
- No multi-factor authentication option
Perhaps I worry too much, but the fact is with access to an iSmart account, you can GPS locate someone's car, unlock it and potentially drive it away using the digital key.
I know there's the additional PIN prompt for some functions but you don't really want to be in a situation where you're relying on your PIN to prevent someone from taking your car.
Also - as someone who works in tech, the fact they limit special characters for the password makes me wonder about how they're being handled at the back end. If they're being hashed and salted, really the system shouldn't care about what characters are in them. The fact that they limit special characters makes me wonder if they're being stored in the clear and the character limitations are there to prevent SQL injection attacks... like, are they using the password as part of a select statement? Because that would be... bad