
[Enhancement][Security] Suspend NS Client on public WiFi

Open dlvoy opened this issue 5 years ago • 4 comments

Temporarily suspend the connection to Nightscout when it is detected that the current network connection is over unsecured (WEP or non-password) WiFi.

Background

Public, unsecured WiFi can be easily taken over by rogue actors. When connecting via that channel, an attacker can disrupt or impersonate the connection to NS (man-in-the-middle attack) and potentially inject invalid data (when AAPS is configured for downloading data from Nightscout). Potential exploitation outcomes are disruption of loop parameters, invalid CoB/IoB calculation, or further attacks (such as attempts to exploit JSON parser bugs for remote execution).

Solution draft (to discuss):

  • add security features detection in networking part of app
  • add flag that indicates that security issue was detected
  • if flag is raised, block NS Client (by suspending it)
    • check checkbox "suspended" in NSClient
    • make checkbox not uncheckable (grayed out)
    • add small (i) icon next to checkbox, clicking it leads to confirmation dialog
    • add global warning (red notification) where dismiss leads to confirmation dialog
    • clicking on info icon will pop up security confirmation dialog:

      AAPS detected that you are connecting to Nightscout via unsecured WiFi. It may expose your API secret, private medical data and potentially allow attacker to disrupt your current loop status, which may be harmful!

      Please switch to secure network to resume NS synchronization, or disable this lock if you are ABSOLUTELY sure that this network is secure.

      ☐ I understand that it may be harmful, I've checked NAME-OF-WIFI-HERE network and want to allow connection through it. (checking that checkbox makes the ALLOW button enabled)

      [ ALLOW that WiFi ] (disabled)                           [ UNDERSTOOD ]     DANGEROUS!

    • checking checkbox and allowing that network will exempt specific WiFi from check and resume NSClient sync
    • if network is switched to trusted one, flag is taken and sync can continue
  • there should be configuration option to allow/disable that check (enabled by default)

Variants / Extensions / Ideas

  • in first version: no option to allow (exempt) specific WiFi-s
  • list of exempted networks - to remove WiFi-s we no longer trust
  • list of allowed WiFi-s + "connect only trusted WiFi" + prompt "new network detected, do you trust that WiFi". It will allow limiting sync to only a limited number of networks
  • part of (new) Security plugin - showing list of allowed WiFi and trusted Nightscout server certificates

dlvoy, Feb 08 '20 21:02
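The suspend/allow decision from the solution draft above, written out as an added example; it is not part of the original issue and not AndroidAPS code. It assumes the network's security is read from a capabilities string in the form Android's `ScanResult.capabilities` reports, and every type and function name in it is hypothetical.

```kotlin
// Added example: pure decision logic, no Android dependencies.
// WifiSecurity, NsDecision, classify and decide are hypothetical names.
enum class WifiSecurity { OPEN, WEP, PROTECTED }

data class NsDecision(val suspended: Boolean, val reason: String)

// Assumes a capabilities string in the form Android's ScanResult.capabilities
// reports, e.g. "[WPA2-PSK-CCMP][ESS]". WEP is tested first; a string with no
// key-management token (PSK, EAP, SAE) is treated as a non-password network.
fun classify(capabilities: String): WifiSecurity {
    val caps = capabilities.uppercase()
    return when {
        "WEP" in caps -> WifiSecurity.WEP
        listOf("PSK", "EAP", "SAE").any { it in caps } -> WifiSecurity.PROTECTED
        else -> WifiSecurity.OPEN
    }
}

fun decide(
    checkEnabled: Boolean,     // configuration option from the draft, on by default
    onWifi: Boolean,           // false for mobile data, which this check ignores
    ssid: String,
    capabilities: String,
    exemptSsids: Set<String>   // networks the user allowed in the confirmation dialog
): NsDecision {
    if (!checkEnabled) return NsDecision(false, "check disabled in configuration")
    if (!onWifi) return NsDecision(false, "not on WiFi")
    val security = classify(capabilities)
    if (security == WifiSecurity.PROTECTED) return NsDecision(false, "password-protected WiFi")
    // An SSID is an unauthenticated name: the exemption covers any network using it.
    if (ssid in exemptSsids) return NsDecision(false, "$ssid exempted by user")
    return NsDecision(true, "$ssid is ${security.name} WiFi")
}

fun main() {
    // Constructed sample networks, not real scan results.
    val exempt = setOf("workshop-open")
    val networks = listOf(
        "home" to "[WPA2-PSK-CCMP][ESS]",
        "cafe-guest" to "[ESS]",
        "old-router" to "[WEP][ESS]",
        "workshop-open" to "[ESS]"
    )
    for ((ssid, caps) in networks) {
        val d = decide(checkEnabled = true, onWifi = true, ssid = ssid,
                       capabilities = caps, exemptSsids = exempt)
        println("$ssid: " + (if (d.suspended) "SUSPEND NSClient" else "allow sync") + " (${d.reason})")
    }
}
```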

The purpose of that feature is not to distinguish whether the WiFi is safe or not, only to exclude/block networks that are unsafe for sure, without claims about other networks' security. And, as always, it is only one simple countermeasure that should be used with others to raise security; it is not a silver bullet that protects against any attack scenario.

dlvoy, Feb 17 '20 05:02

All AAPS network traffic should be transported over https and as such I wouldn't expect this to matter.

I'm assuming you disagree, could you explain why?

twain47, Feb 18 '20 04:02

@twain47 I agree it should, but currently it is not required/enforced by app configuration; http URLs are accepted AFAIK (if not, point me to the line of code that does that, I have not found it yet).

Requiring https is even easier to do, and I agree it probably should be done first [maybe excluding engineering mode, for DEVs].

But I would still like to have an option to allow/block certain network types (like you mentioned in #2440) - I know they do cert rewrite, I complied, I still need to use them, so I blacklist those networks and disable NSSync on them and revert to syncing only on my home WiFi that I allowed.

dlvoy, Feb 18 '20 06:02

@dlvoy Enforcing https sounds like a quick mitigation to a lot of these issues. I'll create a PR for discussion.

twain47, Feb 18 '20 09:02