Michel Kohanim Posted December 7, 2014 Posted December 7, 2014 Hello oberkc, Thanks so very much for the details. I am a little surprised that only high works (AES256/SHA2). I am hopeful that we can get some development Android platform to actually see the errors. I suspect it may have to do with certificates as well. Thanks again so very much. With kind regards, Michel
oberkc Posted December 7, 2014 Author Posted December 7, 2014 I can do screen shots of error messages if that would help. If you need much deeper than this view of "errors", you would have to advise.
MWareman Posted December 7, 2014 Posted December 7, 2014 Michel, it looks like this is out of date for the latest firmware: http://www.universal-devices.com/docs/ISY994%2520Series%2520Network%2520Security%2520Guide.pdf. Could you post what High/Medium and Low actually are in the current release? I have a feeling the Google disabled SHA1 in Android 5, but I'm not sure. I'll see if I can get some testing done tonight. Michael.
Michel Kohanim Posted December 9, 2014 Posted December 9, 2014 Hi Michael, We recently updated this document. What's out of date? Any help on Android 5 is appreciated. With kind regards, Michel
MWareman Posted December 10, 2014 Posted December 10, 2014 From page 2: http://imgur.com/Avpn5BP I'm confident the non-pro ISY no longer does SSL3 for instance. I don't know what else has changed with protocols for each security level, and 'All' isn't documented. Page 4 also lists the old default, not the new. Michael.
Michel Kohanim Posted December 10, 2014 Posted December 10, 2014 Hello MWareman, Thank you. I am not sure where you are getting that (what URL)? The URL is: http://www.universal-devices.com/docs/production/ISY994%20Series%20Network%20Security%20Guide.pdf With kind regards, Michel
MWareman Posted December 10, 2014 Posted December 10, 2014 Hello MWareman, Thank you. I am not sure where you are getting that (what URL)? The URL is: http://www.universal-devices.com/docs/production/ISY994%20Series%20Network%20Security%20Guide.pdf With kind regards, Michel That URL resolves to http://www.universal-devices.com/docs/production/ISY994%20Series%20Network%20Security%20Guide.pdf and gives a 404. If you google 'ISY Security Guide' - its the first hit (a PDF). Michael.
MWareman Posted December 10, 2014 Posted December 10, 2014 Ahh - got the new one after disecting your URL. Thanks! One thing to note - the only ciphersuite on non-pro ISY ( TLS_RSA_WITH_RC4_128_MD5) will not work on Win 8.1 with IE 11 and later - RC4 is gone. There is also a patch in Windows Update to disable RC4 on older versions of Windows as well. You need to consider a stronger cipher as your base as OS vendors start dropping the older insecure ciphers. I'll look at the crossection with Android when I can find a good Android 5 reference - but the Win 8.1/IE11 issue alone should push an additional change really.
Michel Kohanim Posted December 11, 2014 Posted December 11, 2014 Hi Michael, Thanks so very much and noted. We shall update it in our next cycle. With kind regards, Michel
hoopty Posted December 20, 2014 Posted December 20, 2014 So it seems to me that the only way to use Mobilinc app (or any app to connect to the ISY for that matter) and Android 5.0 is to upgrade to pro. At least at this time anyway. Michel, can you tell us if there are any plans to change the non-pro firmware to allow users to change those security settings? Or can the next firmware update make the default a configuration that works w/ the new Android OS? I would like to avoid upgrading to pro if I don't have to... Thanks, Jesse
G W Posted December 20, 2014 Posted December 20, 2014 Just downgrade your phone back to 4.4.4. Sent from my SM-N900P using Tapatalk
hoopty Posted December 20, 2014 Posted December 20, 2014 Yes, that is one option, but it's a band-aid at best. Besides, it's not even always possible. Nexus 6 owners can't.
TheGreek76 Posted December 20, 2014 Posted December 20, 2014 I don't seem to have these options on my 994i on 4.2.18. I was trying to change them to get mobilinc working again after my Android upgrade as well. I have verified that my model is a Pro (at least from the module management page). I also made sure to resize the window and they are still not there. I also have already cleared my java cache and verified that everything is showing as 4.2.18 in the dialogs. any ideas?
G W Posted December 20, 2014 Posted December 20, 2014 Yes, that is one option, but it's a band-aid at best. Besides, it's not even always possible. Nexus 6 owners can't. Every Android phone can downgrade. Use Odin to push 4.4.4 to the phone. Then just refuse any further upgrades to your phone. Sent from my SM-N900P using Tapatalk
hoopty Posted December 20, 2014 Posted December 20, 2014 Every Android phone can downgrade. Use Odin to push 4.4.4 to the phone. Then just refuse any further upgrades to your phone. Sent from my SM-N900P using Tapatalk What image would you even flash? There is no factory image below 5.0 for the Nexus 6 and 9. And I seriously doubt anyone is developing custom roms using an older version of android for those devices either.
G W Posted December 20, 2014 Posted December 20, 2014 I would flash stock KitKat. Sent from my SM-N900P using Tapatalk
MWareman Posted December 21, 2014 Posted December 21, 2014 I would flash stock KitKat. Sent from my SM-N900P using Tapatalk There is no stock KitKat for N6 and N9.
Michel Kohanim Posted December 21, 2014 Posted December 21, 2014 Hello hoopty, I am so very sorry to hear. Unfortunately we don't have any plans of including high security features in regular ISY994i . The reasons are: 1. You can use Chrome and https to get to ISY's default home page using Android 5.0. So I must conclude that the issue is not with security defaults but perhaps a library being used 2. High grade security is pretty much the main distinguishing factor between regular and PRO. It would be quite unjust for everyone getting auto upgrade to PRO while others actually paid extra for these features With kind regards, Michel
hoopty Posted December 21, 2014 Posted December 21, 2014 Hello hoopty, I am so very sorry to hear. Unfortunately we don't have any plans of including high security features in regular ISY994i . The reasons are: 1. You can use Chrome and https to get to ISY's default home page using Android 5.0. So I must conclude that the issue is not with security defaults but perhaps a library being used 2. High grade security is pretty much the main distinguishing factor between regular and PRO. It would be quite unjust for everyone getting auto upgrade to PRO while others actually paid extra for these features With kind regards, Michel I see. I've always thought the only difference was max devices/scenes & programs... Maybe something can be tweaked on the app side then.
Michel Kohanim Posted December 22, 2014 Posted December 22, 2014 Hi hoopty, Can you please verify that you can use Chrome on your device to get to ISY using https? With kind regards, Michel
hoopty Posted December 23, 2014 Posted December 23, 2014 Hi hoopty, Can you please verify that you can use Chrome on your device to get to ISY using https? With kind regards, Michel Hi Michel,Yes, I can verify that I am able access the ISY via https in Chrome from a device running Android 5.0 on an external network. It does warn that the connection is not private. "Attackers might be trying to steal information from domain.com (for example, passwords, messages, or credit cards)." Probably this is due to not having certificates installed. But there is a link to proceed to the site (unsafe) and it takes me to the ISY login. I am able to login and access my devices, programs, variables, etc... Regards, Jesse
Michel Kohanim Posted December 24, 2014 Posted December 24, 2014 Hi Jesse, Thank you. I think you may be correct: 1. In Chrome you get a chance to accept the warning 2. In the library there's no such a thing and it's quite possible that you may need to install ISY's certificate in your device. Alas, I just do not know how to accomplish this feat Does anyone? With kind regards, Michel
MWareman Posted December 25, 2014 Posted December 25, 2014 2. In the library there's no such a thing and it's quite possible that you may need to install ISY's certificate in your device. Alas, I just do not know how to accomplish this feat Does anyone? With kind regards, Michel Many, many threads are present on Googles forums on this subject. Bottom line, you can - but you'll be living with a warning on your phone 'Your network connections can be monitored due to the user supplied root CA. Copy the public key of the ISY certificate as a base64 encoded .crt to the android device, and import it via a file browser. More at http://wiki.cacert.org/FAQ/ImportRootCert. I wouldn't recommend it though. The alert is annoying and unnerving. Best to get a paid certificate on the ISY that is intrinsically trusted by the phone, until Google sees fit to allow custom root CAs without throwing a fit at you. Unless your phone is rooted, of course, in which case you can add the cert to the trusted system store.
Michel Kohanim Posted December 25, 2014 Posted December 25, 2014 Hi MWareman, I totally agree with your assessment. With kind regards, Michel
Recommended Posts
Archived
This topic is now archived and is closed to further replies.