New iOS app released

just noticed that there is gl.inet app available on the appstore since 3 days ago:

just reading the blog post about goodcloud and new app and i noticed these errord in the english (https://www.gl-inet.com/solutions/app/
):

“Security your data by Tor”
should be:

“Secure your data with Tor”

Also:

“One Hand Setup on Any Mobile Devices”
should be :

" One Handed Setup on Any Mobile Device"

“Manage your GL.iNet devices in difference ways, Anytime and Anywhere”
should be:

“Manage your GL.iNet devices in different ways, Anytime and Anywhere”

“Track the history of the device activities, including upgrade date, who and when connected to your device, and etc.”
Should be:

“Track the history of device activities, including upgrade date or who connected to your device and when”

Also “APP” and “App” should just be “app” or “application”.

There are lots of little issues here and there, but these are the most obvious.

Thank you for your feedback, fixed.

Be aware, that local device management (option ‘Control a local device’ on start screen) will only work via port 80 (HTTP) effectively bypassing any encryption. Device passwords are transmitted in clear over the network. You can check this with:

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i any

This is by design, as device discovery is using the device’s IP address for API requests and one will hardly get a commercial certificate for this private IP. Such requests cannot easily translate into valid https requests.

Thus, while the Web interface works fine with e.g. Let’s Encrypt certificates, the app does not. Redirecting http traffic to https in lighttpd breaks the app (‘Response error’) and not redirecting the traffic will reveal passwords in clear on the local network.

To fix this, the app would have to look up the hostname of the router and then use that for the http request. This could then be redirected to https by lighttpd provided the app supports an SSL stack. The router would have to show a valid certificate for the name returned by the lookup.

This is a non issue since you are connecting internally in the LAN. If there is a rouge agent or device on your local LAN sniffing passwords you have bigger issues on your hands.

The only time you need HTTPS is when accessing the UI from a remote location over the internet.