I'm working on a Chromecast custom receiver that shows private information on the TV. After building a prototype, we realized the client (web, phone, whatever) could connect to a rogue device acting as a Chromecast and intercept anything intended to be sent to our receiver. Is there a way to mitigate this kind of attack? Is there anything built into the platform we can use to get a secure connection between the client and the Chromecast?
First, the connection is secure (as long as it is done by Cast SDK) and secondly, cast SDK checks and validates that it is talking to a genuine Cast device.
Related
We are controlling the sonos via a small IOT device. This device will be placed at the homes of our customers.
In our home automation system we need to know the playbackstate + volume of the players/groups.
At which polling rate can we ask these parameters ?
We cannot use a cloud server to handle the subscription events.
I tried to put a https webservice in the IOT device with a self signed certificate but this doesn't work.
After I have posted the subscription I get a request in my webservice but the cloud sonos server disconnects immediately.
Probably because of the certificate is self signed - Or can there be another reason ?
Is there another way to recieve status events ?
During discovery In the players Json object there is a key 'websocketUrl'.
The documentation says "The secure WebSocket URL for the device. See Connect for details".
But I cannot find more info about this.
Can this be used ?
At which polling rate can we ask these parameters?
Consider using subscriptions instead of polling. See this answer for more: https://stackoverflow.com/a/60893119/4902948
We cannot use a cloud server to handle the subscription events...
Or can there be another reason?
Is there another way to [receive] status events?
You must host a service that satisfies a set of requirements to receive events. See this answer for more: https://stackoverflow.com/a/57189717/4902948
Also see Details on API credentials and events in New features in versions 11.1, 11.2 (S1), & 12.0 (S2).
Can [the 'websocketUrl'] be used?
This is not publicly available for use.
It would be a lot easier to use the (undocumented but more useful) UPnP APIs. You could simply Subscribe to the UPnP RenderingControl endpoint, then you will get an event every time the volume changes. To find when the track changes, subscribe to AVTransport endpoint.
You can do this with a local server (this is how every Sonos app works after all) and no special cert requirements either.
UPnP events are described in the UPnP spec.
Your question doesn't provide details about the language you're using, but if the device is powerfull enough to run node, you have a good change with my sonos library.
You can just pull the required information from the device as often as you like. Or use the build-in event subscriptions. If you use the events, it will automatically setup an http listener and automatically subscribe to all the events you're listening for.
Events are instant (as in 50ms-100ms after the event took place on the device).
If you request information it is send directly to the device and the device will respond with the answer. Pulling multiple data points per second has never been a problem to me.
Warning as stated above, this uses the undocumented local UPNP api, but since their own app also uses it, I'm guessing that won't change soon.
We're talking about BLE. Right now Im using the Plugin.BLE library and it's working quite fine. Now Im in the need of using the LE Secure Connection (with the "just works" method) in order to send/receive encrypted data.
I've read lots of documentation about how the protocol works, but have no idea of how actually implementing it in Xamarin and wasn't able to find anything on this.
With the Plugin.BLE one can take advantage of a very simple APIs to connect to a Device.
Is there any library that provides similar simplicity and enabling an LE Secure Connection?
If not, how can I connect in Android & iOS to a BLE device using a secure channel?
Thank you very much
The pairing is handled by the Bluetooth stack and not by the application, so you can't affect this in any way. However, from Marshmallow and onward, BLE pairing will use Secure Connections as long as the second device supports it. Not sure about iOS.
does anyone know if its possible to host the receiver app for chromecast in a remote host, such as heroku? Is it only possible to find my chromecast device if its in the same wi-fi network?
You've got two separate questions here.
1) Yes, the receiver app can be hosted anywhere, and the vast majority of them are on a remote host rather than served locally. When you register your app with the Chromecast SDK console, you will have to submit, with the appID, the URL where the receiver app is located. Keep in mind that if your app is 'published' (available to all rather than just to those Chromecasts you whitelist), then your host much be https:// enabled, whether it's local or remote.
2) I think you're asking whether or not a sender app can find a device that's not on the same wi-fi network? Generally, no ... but at Google I/O this summer they did discuss a feature that would allow people not on the network but close enough to the Chromecast (i.e. in the same room) to communicate.
If I'm misunderstanding question two, please clarify.
I've downloaded sender and receiver applications from GITHUB and try to run the same on my server. I've followed all the guidelines that are mentioned over there and on the developers site. But still i am not getting any result. I want to know that whether a receiver application is specific for the sender application or we can use any receiver application for my sender application provided that we use our application id that we got after publishing it on the Google Developers Console ?
If its not general.. can anyone provide a sender application and corresponding receiver application sample so that I can learn a bit. Thanks in advance.
The only "sandboxing" of receivers happens in the Chromecast SDK Console -- when you publish an app there and it's assigned an appID, it will be available to any sender that calls that appID (or, if it's an unpublished app, any sender that you've whitelisted to call that appID). You'll want to check all the settings in the SDK console; if the app is unpublished, make sure you've put the right serial number in for your devices to whitelist them and make sure that your device settings have the 'send serial number' option checked so they know they're whitelisted. But there is nothing right now, by default, in the receiver code that could stop other senders from connecting.
This doesn't mean, of course, that you couldn't write an authorization layer into your receiver app to prevent non-authorized senders from connecting.
Need to be able to continuously receive calls when a Chrome webpage is open. How do I do that even for users who are inside a strict enterprise network?
WebSockets? (but there's the proxy problems that doesn't know what wss:// is)
HTTP? (but will I have to poll?)
Other?
Since you included the "vLine" tag, I'll reply with some information on how our WebRTC platform will behave in an enterprise network. vline.js will use a secure WebSocket by default if the browser supports it and fall back to HTTPS long polling. As described here, the secure WebSocket may work depending on the exact proxy configuration. Feel free to test it out by using GitTogether or creating your own vLine service for testing.