Security section does not address if there are any defaults for publishing #45
Comments
|
Can you clarify the problem? |
gdt
changed the title
|
It seems that some other apps do report to demo servers by default. So adding a line in the security section that says: "Both the Android and iOS apps will not report location to anywhere until the user explicitly configures a server to publish location to." would address what I am asking. I'm glad to hear that this sounds true. |
|
Which 'some other apps'? This is OwnTracks. There are no surprises. You get what you ask for when you configure it, and you get it where you tell the apps to send it to. |
|
See the text at https://apps.apple.com/us/app/traccar-client/id843156974 That's great that there are no surprises. I would just like to see affirmative documentation of security properties, and nothing configured by default seems on a par with TLS and access control. |
|
Why do you bring Traccar into this? This is OwnTracks. |
|
I avoided doing so until you asked. Once one is aware that an app might have a preconfigured server, it is a fair question to ask if owntracks does. Many people in the world seem to think that convenience and immediate demo are a good thing. Obviously you think that sending data without permission isn't ok, and owntracks behaves correctly. I am simply asking that the security documentation, which has the purpose of explaining the security properties of the system, note that this desirable security property holds. (Most of my motivation is to understand owntracks behavior, but I also would like the app world to have security specifications.) I don't understand why asking for a sentence to be added where it might help others is an objectionable request. |
It is not, we were just a bit puzzled about the issue. It read as if we were sending location data without the user consent ;) |
|
Thanks - see #47 |
|
Merged, thanks. |
|
Thanks for the discussion and for merging my change. Sorry if I sounded accusing -- I was just trying to point out something missing from the docs without presuming which way it actually was. |
https://owntracks.org/booklet/features/security/
I have the impression that at least one other location reporter might have a default configuration to use a demo server. It seems clear to me, but not clearly obvious to everyone, that a location reporting program's default configuration must be to NOT report location at all until one has affirmatively configured/enabled a destination.
The README.md for the android app points to the booklet, and while the security section says a lot of useful things, it doesn't address this default configuration issue. (The ios README.md ought to point to the booklet too.)
Overall, having actual documentation for apps is really nice to see, and I appreciate it being there.
The text was updated successfully, but these errors were encountered: