Complete
over 5 years ago

Garmin Connect Mobile 4.22 for Android includes the changes to allow HTTP on 127.0.0.1.

Connect version 4.20 broke local http access?

Getting several reports of functionality no longer working; it looks like Android Garmin Connect app version 4.20 may have broken web requests to localhost via URLs like http://127.0.0.1:17580/sgv.json?count=3

  • One more vote for reconsidering the fix. Unencrypted http connections should be allowed to IP addresses. I'm all for https on the big wild internet, but in some cases it just does not make any sense.

    In my specific case, an option to allow https connection without certificate validation would probably also work, but again, it should not be necessary. Https connections to numeric IP addresses just don't make much sense.

    I've been working on a Hue app for a few days using the simulator without any problems. Then, when testing it on the watch, I'm hit with a big fat hammer. It's not working, and it's not going to work because of some policy that's not even being explained. Not in the documentation (which is a bit incomplete, on a more general note), and not here in the discussion. No reasoning behind the decision to only allow http access to 127.0.0.1, despite lots of comments asking for a reconsideration, or at least an explanation.

    This really took away a lot of the joy of my brand new top tier Garmin watch.

  • So, the issue is that newer versions of Android have enabled https (encrypted) access by default but allow apps to override this to use http ("cleartext") access.

    App developers have lots of control over what they allow the override for.

    While it's reasonable to require https for public servers, it doesn't make sense for local (private) networks. No one really uses certificates for these and doing so creates other security problems.

    Every IoT app has to override https access. Garmin Connect Mobile is an IoT app that really has to do the same thing.

    Garmin should allow http (cleartext) access to local (private) networks for IQ apps. Given that it appears that Garmin allows cleartext access to their public sites (which makes no sense), they could allow it for private sites too.

    IQ developers writing apps that do home automation or IoT things either have broken apps or have the burden of writing extra Android apps.

    Cleartext access is allowed on iOS (for numeric IP addresses) but not on Android. That creates another problem where there's an inexplicable (to end users) difference in behavior.


    By blocking cleartext access to private networks, Garmin is doing a large disservice to the developers it wants to build IQ apps.
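
The per-host cleartext override described in the comment above can be checked offline. This is an added example, not code from the thread or from Garmin: a simplified Python model of how an Android Network Security Configuration resolves `cleartextTrafficPermitted` for a host. The sample XML is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not Garmin's actual file): cleartext is denied
# everywhere except the loopback address the thread's apps talk to.
SAMPLE_CONFIG = """\
<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">127.0.0.1</domain>
  </domain-config>
</network-security-config>
"""

def _rules(node, inherited):
    """Yield (domain, include_subdomains, permitted) for every <domain> rule."""
    for cfg in node.findall("domain-config"):
        attr = cfg.get("cleartextTrafficPermitted")
        permitted = inherited if attr is None else attr == "true"
        for dom in cfg.findall("domain"):
            yield dom.text.strip().lower(), dom.get("includeSubdomains") == "true", permitted
        yield from _rules(cfg, permitted)  # nested configs inherit unset values

def cleartext_permitted(config_xml, host, default=False):
    """Effective cleartext policy for host; default=False models targetSdk >= 28."""
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        default = base.get("cleartextTrafficPermitted") == "true"
    host = host.lower()
    best = None  # (matched domain length, permitted); longest match wins
    for domain, subs, permitted in _rules(root, default):
        if host == domain or (subs and host.endswith("." + domain)):
            if best is None or len(domain) > best[0]:
                best = (len(domain), permitted)
    return default if best is None else best[1]

if __name__ == "__main__":
    for h in ("127.0.0.1", "192.168.1.20", "example.com"):
        print(h, cleartext_permitted(SAMPLE_CONFIG, h))
```

In this sample, a private address such as 192.168.1.20 stays blocked because only the literal 127.0.0.1 entry is listed.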

  • I am having the same problem, using makeWebRequest with an http server on the internet returning JSON, for some weeks now.
    How can I switch this Windows 10 IIS http server to https?

  • Totally agree. That's exactly what's happening here.

  • I don't have any skin in the non localhost issue, but if I understand you right, I find it very concerning that Garmin thinks it's ok to allow http traffic to their own domains but doesn't think anyone else should be using it.