
Hik-Connect Hikconnect vulnerability?

fullboogie

Expert
Trusted Member
Messages
621
Points
43
I've mentioned this for several years but now I'm making a dedicated thread.

On my Android phone, when I get a smart event notification I click on it. It takes me directly to that notification, which allows me to view the video, etc. However, I can now back out of that notification and I'm in the main Hikconnect app. Notice that nowhere have I been asked for credentials. To summarize, I can get into my Hikconnect app/account by clicking on an event popup and then backing out to the main screen - all without logging into the app.

There's about a 1 in 10 chance that clicking the event popup will ask me for my fingerprint, but the rest of the time it just goes straight into the app. This seems serious to me.
 
I'm not sure about this one, but I'm probably not understanding the issue. I'm an iPhone rather than Android user, however it'll probably depend on whether the screen is locked. The phones Face ID will stop me getting into any app while the screen is locked (and how the notifications interact with the Lock Screen is configurable in iOS). Once you're logged into the Hik-Connect app it remains logged in regardless of whether the app is closed and reopened, phone is rebooted, app is updated. If you're not logged in then there is no notification in the first instance. I'll have to see next time I get a notification on the Lock Screen if I can get anywhere without first unlocking the phone with biometrics.
 
That's not what the problem is. Normally you cannot get into the Hik app unless you either sign in or, in my case, use a fingerprint. It's always been like that. You can't just click the icon and go straight into the app - just like banking apps, investment apps, etc. What cropped up with the Hik app several revisions ago is what I describe above, there is a way to bypass that login by clicking on an event popup.
 
Ok. I've never needed to sign in or use a fingerprint on iOS (you can turn Face ID on but it only applies to the initial log in to the app and it stays logged in permanently)

When I set Hik-Connect up for a customer on Android, we leave it (biometrics) off within the app as well (as if the phone is locked there's no access to any app without unlocking with Face ID/Fingerprint). So they only ever log into the Hik-Connect account once within the app. What's secure on the locked screen is dependent on my iOS settings. I imagine there's a similar setting in Android that prevents interaction with the notification without first unlocking the phone with your fingerprint. That would prevent what you're seeing. As said, I'm not an Android user so I've no idea what may have changed in the app ...
 
I will give this one more try since you still do not understand. There are apps that always require authentication when using that app, whether it is a password or biometrics (fingerprint in my case). I am quite sure you cannot simply tap on your banking app and go straight to your accounts, right? Hikconnect is one of those apps. One cannot tap the icon and get into the app. It requires either: (1) a password be typed in; or (2) fingerprint. There are no options to set it any other way. You either enter a password or you enter a fingerprint, Period.

I am not talking about logging into my Hikvision account through the app. I am, once again, talking about logging into the actual app.


That has now been broken by Hik for 2 years.
 
> I will give this one more try since you still do not understand.

Thanks so much, I'm so grateful for that.

> There are apps that always require authentication when using that app, whether it is a password or biometrics (fingerprint in my case). I am quite sure you cannot simply tap on your banking app and go straight to your accounts, right?

Correct, no argument there.

> Hikconnect is one of those apps.

No it isn't - unless you set it up that way.

> One cannot tap the icon and get into the app.

Yes one can. It's how it works on every instance I ever installed, whether on iOS, Android or Fire OS.

> It requires either: (1) a password be typed in; or (2) fingerprint. There are no options to set it any other way. You either enter a password or you enter a fingerprint, Period.

Nope... The option to use Face ID with iOS or biometrics with Android is initially given as a prompt when installing the app. If it's rejected at that point the app can be accessed with a single click on the icon. Period.

If it's been disabled and I wanted to re-enable it, in the app I click:

Me > Tap the account icon at the top (Account Management) > Face ID Authentication. It can be enabled or disabled. If it's enabled and the app is fully closed Face ID is required to open it, otherwise the app can be opened with a single click. That's in iOS. There may be something similar in Android but as I reject it during app installation on Android I can't confirm. The option is missing on my Fire HDs but they're in Tablet mode and have no security enabled.

As for it being broken by Hik for 2 years, they chop and change things and tell you it's by design, that's their way. In your scenario the issue seems to be that you have biometrics enabled and you're prompted to use that when you open the app. However when you get a notification, biometrics is not required to open the event notification and you can get from that point into the main app and its settings without biometrics - I understood that from your original message. I was merely pointing out that it may be possible to stop the event notification being acted upon in the first instance using security settings in the Android OS.
 

This is where we have the disconnect. This is what is broken as of two years ago. Before that, when enabled (which I thought I'd explained but apparently did not), tapping an event notification required the same level of access as tapping on the app icon. At some point about two years ago that feature was broken, so that if you elect to have that feature enabled for app access it no longer worked for notification access. I consider it a flaw that if a user wants the extra protection of having secondary authentication to enter the app, no such protection is required when accessing an event - it defeats the purpose when viewing an event bypasses that security and allows access to the main app features. This was not the case until an update a while back. I've raised it probably 4 times since then and it's never gotten a response. If you're comfortable with it that's fine - I am not. No more so than if I received a daily notification from my banking app about an account balance and it led me directly into my banking app without any authentication required. It's a security risk.
 
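The bypass described in the post above comes down to an in-app lock that is only checked on the launcher entry point, so an Activity opened from a notification's PendingIntent never passes through it and Back then lands in the app's normal task. As an added example that is not Hik-Connect's code or anyone's on this thread, here is that vulnerable pattern beside a hardened one in Kotlin for Android. AppLock, UnlockActivity, LockedApplication, MainActivity and the package name are all hypothetical; it assumes the androidx.biometric and androidx.lifecycle-process libraries and that LockedApplication is declared as the android:name of the application in the manifest.

```kotlin
// Added example, not Hik-Connect code. Hypothetical package and class names.
package com.example.applock

import android.app.Activity
import android.app.Application
import android.content.Intent
import android.os.Bundle
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import androidx.lifecycle.DefaultLifecycleObserver
import androidx.lifecycle.LifecycleOwner
import androidx.lifecycle.ProcessLifecycleOwner

// Process-wide lock state. lockEnabled mirrors the user's in-app "biometric authentication" preference.
object AppLock {
    @Volatile var unlocked = false
    @Volatile var lockEnabled = true
}

class MainActivity : FragmentActivity()   // hypothetical main screen

// VULNERABLE pattern: the gate lives only in the launcher Activity. A notification whose
// PendingIntent targets an event Activity never runs this check, and Back from that
// Activity drops the user into the rest of the app unauthenticated.
class MainActivityVulnerable : FragmentActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (AppLock.lockEnabled && !AppLock.unlocked) {
            startActivity(Intent(this, UnlockActivity::class.java))
            finish()
        }
    }
}

// HARDENED pattern: one gate for every entry point (launcher icon, notification, deep link).
// Any Activity that starts while locked is replaced by UnlockActivity, which re-delivers the
// original Intent after a successful prompt. The app also re-locks whenever it leaves the foreground.
class LockedApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        ProcessLifecycleOwner.get().lifecycle.addObserver(object : DefaultLifecycleObserver {
            override fun onStop(owner: LifecycleOwner) { AppLock.unlocked = false }
        })
        registerActivityLifecycleCallbacks(object : ActivityLifecycleCallbacks {
            override fun onActivityStarted(activity: Activity) {
                if (activity is UnlockActivity || !AppLock.lockEnabled || AppLock.unlocked) return
                val unlock = Intent(activity, UnlockActivity::class.java)
                    .putExtra(UnlockActivity.EXTRA_NEXT, activity.intent)
                activity.startActivity(unlock)
                activity.finish()   // the gated Activity must not stay on the back stack
            }
            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {}
            override fun onActivityResumed(activity: Activity) {}
            override fun onActivityPaused(activity: Activity) {}
            override fun onActivityStopped(activity: Activity) {}
            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
            override fun onActivityDestroyed(activity: Activity) {}
        })
    }
}

class UnlockActivity : FragmentActivity() {
    companion object { const val EXTRA_NEXT = "com.example.applock.NEXT" }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val next: Intent? = intent.getParcelableExtra(EXTRA_NEXT)
        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    AppLock.unlocked = true
                    // Continue to whatever was originally requested, e.g. the event view from the notification.
                    startActivity(next ?: Intent(this@UnlockActivity, MainActivity::class.java))
                    finish()
                }
                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    finishAffinity()   // cancel or lockout: leave the app, never fall through into it
                }
            })
        prompt.authenticate(BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock")
            .setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
            .build())
    }
}
```

The check in the hardened version is deliberately placed in a process-wide lifecycle callback rather than in any one Activity, so adding a new notification target or deep link later cannot silently open a second unguarded entry point. Event content should still only be loaded after the unlock succeeds, so that nothing sensitive is drawn before the gated Activity is finished.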
Fair enough. Perhaps having the security setting on for the app is fudging up Android's own security settings and I agree - that would be a Hik bug. Try installing the Hik-Connect app without security (if there's no way to disable it in the app - reinstall the app and don't elect to use biometrics when prompted). When the phone is locked, for any notification that pops up on the screen (in any app) Android security settings alone should protect all notifications from being expanded/opening their respective app. After all, if you can't open any notification on a locked phone without biometrics/pin/pattern being used (standard setup), then there should be no need for biometrics to be turned on also individually for the app. The only risk I can see would be that if I get a notification and tap on it, use a fingerprint to unlock the phone, then the phone is snatched from my grasp... I'll leave it there as without a phone to test with I'm only surmising...
 
I'm at a loss here. I have NEVER needed to enter a password (or any other authentication) to access the HikConnect app?
I am using an iPhone and as JB has said, if the phone is locked I am prompted to unlock it when trying to access the app via an event push notification but if the phone is already unlocked then tapping the event push notification takes me directly into the app.
I've been using HikConnect for four years now and it has always been like this (for me)??
 