Copyright ©

Mongoose OS Forum

ATTENTION! This forum has moved to:

Do not post any new messages.

Secure RPC

Hi everyone,

I am trying to find out a solution to establish a secure way to access RPC , that is , End user of my product can not use RPCs anyhow other than mobile/web interface provided by me , over local network.

also they should not be able to see the data transfer between mobile App and esp8266 running Mongoose ( I am thinking it may involve doing it over secure websocket / https ) but I have no idea where to start with.

it will be great if someone can point me to right direction and if there is an available example.


  • WSS/HTTPS - Perfect during development, not really suitable for production.
    Secure RPC - If you find a way to share the users credentials to the customer in a reliable and secure way, I am very interested.

    Thanked by 1Sergey
  • Valentin, My device setup is as follows -

    1. I need to use one built in RPC to set user wifi config - an android App will ask user to fill in wifi SSID and passkey - and set it on ESP device.
    2. one custom RPC that take JSON string from Android APP and accordingly set output on GPIO and UART

    my problems are :

    1. I want this to happen over secure connection - which I believe can be overcome by using HTTPS - encryption will stop any listener to know what raw data is being transmitted
    2. I do not want users to access any of the RPC without use of the android APP that we provide to our customers. i.e. they should not be able to use RPCs via Curl / html pages and hack in to ESP device

    why would you say that HTTPS is not suitable for production ??
    if My android APP has user authentication built in to it, I guess I can solve my problem number 2 - as my device will authenticate RPC use of Android App that has predefined user credentials.

    please let me know what do you think

    any other Mongoose-Os champion can feel free to help a newbie here..

  • Problem 1: For production you probably want mutual TL. One of the consequence is that you need to share the cert and key of your device with the Mobile app. Of course you do not want them to me the same for every of your devices so you need to find a way to give them to you mobile app without previous access to your device... In addition, this is self-signed certificates as a CA will not create a certificate without a registered domain name.
    Partial solution: set a unique password for your device AP and limit the number of connections to 1 ("wifi.ap.max_connections"). After connection, use a Cloud provider (mDash, AWS, MQTT broker...) to get encryption.
    If you find a better solution, let me know.

    Problem 2: Yes. Alternative is to use a Cloud provider and "kill" all RPC transports except the one you use and manage authentication on the Cloud side.

    Thanked by 1ankit_malpani
  • SergeySergey Dublin, Ireland

    @ankit_malpani does your mobile app join the device's wifi access point?
    what's your device hardware by the way?

  • @Sergey , the end user connects to the MOS-wifi-AP from available list of wifi on his phone's settings.

    Device hardware is ESP8266

  • @valentin , I do not want to kill RPCs as I want the mobile-app to control the esp8266 using RPC when there is not internet connectivity.

  • NeedlerpNeedlerp United Kingdom
    edited October 2018

    It would be really great if there was an ability, through the Vendor layer configs, to restrict the RPC functions that are exposed to the http protocol. That way, even if the user managed to access the esp8266 by connecting to it via either AP or STA mode, the only thing they'd be able to control are the elements that the Android app is updating anyway. I'm having a similar challenge on an ESP32 - I want to provision wifi STA via an iOS app with REST API calls but basically lock out all other RPC calls from the http protocol.

    And I've now realised that this is already possible! Create an rpc user with restricted access and put the username/password on the app. Lock out everything else for a different user which you keep the details to. Turn off rpc.http when not in 'provisioning mode' to add another layer of security. If necessary, also use https between device and app to avoid sniffing of username/password (but even if they do, they can only change the settings that they'd be able to change from the app anyway).

    Have I missed anything?

    Thanked by 1ankit_malpani
Sign In or Register to comment.