cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: "Angel, Judy" <admyet4 AT herts.ac.uk>
- Cc: "cat-users AT geant.net" <cat-users AT geant.net>
- Subject: Re: [cat-users] Android App
- Date: Wed, 10 Jul 2013 14:25:41 +0200
- List-archive: <https://mail.geant.net/mailman/private/cat-users/>
- List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>
Hello,
> I am aware that the cat tool does not support android devices, and have
> been told of the app
>
> https://play.google.com/store/apps/details?id=com.cerdax.eduroam.mylogin
eduroam MyLogin is NOT endorsed by eduroam Operations. It is an effort
by a third-party with presumably good intentions, but has several
imperfections.
We have not yet taken steps to formally ban it from the app store
because there is no other, superior app on the market right now. eduroam
is working on its own app which can do a superior job at managing Android
devices; but until this has happened we are reluctant to take the
limited good that this app delivers away.
This does not mean we authorise the app to use the name and logo; we are
regularly in touch with the authors and have successfully requested the
removal of the eduroam logo a while back (they now have a "MyLogin"
custom logo).
There are two risks associated with the app:
1) it only configures the Certification Authority (CA) of the
authentication server, not the *server name*. If the server certificate
is from a commercial / multi-purpose CA, anyone with any other
certificate from that CA could trick users into believing they are
connected to their proper RADIUS server.
This deficiency is common to all Android apps dealing with Enterprise
WiFi - Android APIs do not allow setting this security parameter. This API
deficiency is also the reason why we have not created an official app for
eduroam.
2) the app uses uncontrolled sources for its EAP configuration. I did not
try it myself, but it seems like the app developers expect Identity
Providers to submit their EAP details via a simple, unauthenticated web
form; with no authentication and authorisation checks taking place. That
leaves much room for fraud; some third party which is unrelated to an IdP
could mimic that IdP and upload and spread false EAP configurations
to end-user devices.
Greetings,
Stefan Winter
> Have you seen or used it?
>
> Thanks
>
> Judy Angel
>
> University of Hertfordshire
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
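As an added illustration of risk 1 above (this is not code from the list post, the MyLogin app or the CAT project): using only the openssl command line, two leaf certificates issued by one constructed example CA both pass a check that trusts the CA alone, and only the additional server-name check distinguishes the IdP's RADIUS server from any other customer of that CA. The CA name, the host names and the file names are all constructed for this demonstration.

```shell
#!/bin/sh
# Added demonstration (not from the mailing list or the CAT project): why
# trusting the CA without pinning the server name is insufficient for EAP
# server validation. Requires the openssl CLI (1.1.0 or newer).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed, hypothetical multi-purpose CA standing in for a commercial CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Commercial CA" -keyout ca.key -out ca.pem >/dev/null 2>&1

# issue_cert <file-prefix> <dns-name>: a leaf certificate signed by that CA,
# with the name in subjectAltName as a real server certificate would have.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}
issue_cert legit radius.idp.example            # the IdP's own RADIUS server
issue_cert rogue radius.other-customer.example # any other cert from the same CA

# ca_only <cert>: what a supplicant that pins only the CA effectively checks.
ca_only() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }

# ca_and_name <cert> <expected-name>: CA plus server name, the check that
# closes the gap described in the post.
ca_and_name() {
  openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Report both checks for both certificates.
for c in legit rogue; do
  ca_only "$c.pem" && a=accepted || a=rejected
  ca_and_name "$c.pem" radius.idp.example && b=accepted || b=rejected
  echo "$c.pem: CA-only check $a, CA+server-name check $b"
done
```

The CA-only check accepts both certificates; only the server-name check rejects the one that was not issued to radius.idp.example.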