PiFi Security regards iOS App, VPN, untrusted network

Apologies for delay on this - I missed this post!

  • Is the PiFi app for iOS also open source? Is it possible to view the source code somewhere? That would be good for data privacy.

You can view info on plans to open source the apps here. It’s coming but it needs to be documented extensively - our firmware is based on OpenWrt so is pretty well documented already but that needs to be done from scratch for the apps.

  • If I have now set up a VPN profile, are all PiFi updates also routed via the VPN, or is the network outside the VPN used for updates? (Or rather, are there any connections at all that go out without VPN?)

If you are connected via VPN, then all web traffic, including updates, is routed via VPN, so until you disconnect it should be that all traffic is routed via VPN.

  • Let’s assume that you connect the PiFi on an untrusted WLAN. Then it would theoretically be possible for an attacker to manipulate the Raspberry in a malicious way via SSH. Is it possible to change the SSH password? Can an attacker access the PiFi at all?

No, when you first use the app, you set the admin (SSH) password, which is encrypted and can’t be manipulated over an untrusted network. Even before that, PiFi broadcasts wirelessly with a preset password, which is overwritten during initial setup. At no point is there an exposed root account or unsecured SSH access.