I’m concerned about an app developed in China is receiving my WiFi password in unencrypted form! Couldn’t there have been a way to enable entry directly on the Meta Module? It appears you are asking us to trust an offshore 3rd party that is acting as man in middle. Ally my fears please 4ms, because I’m loving this Ecosystem.
2 Likes
I did monitor network traffic during provisioning and did not see anything leave my network, this doesn’t mean it can’t occur at some point in the future.
You can safely delete the app from your phone as soon as you’re done with it. You only need it to select your Wi-Fi network, and the network you choose does not have to be connected to the internet. At no point do you have to be connected to the internet to setup or use the Wi-Fi expander. For example, you could unplug your Wi-Fi router from the internet while using the app, then delete the app and connect your Wi-Fi router back to the internet.
I promise neither the MetaModule nor the Wi-Fi Expander are not sending any information over the internet. The source code is open, GitHub - 4ms/metamodule: MetaModule virtual patch module firmware, if you want to inspect it or ask a trusted third party to inspect it. If you are still unsure, you can even compile it yourself and use your own version. And if you still have doubts, you can use a cheap travel Wi-Fi device to make a Wi-Fi network that’s not connected to the internet, and use the Wi-Fi expander over that.
At one point we had the webpage for the Wi-Fi expander downloading a css style sheet (which is a common practice for websites to do), but I nixed that so that the page can work completely without the internet connected.
As for the app, I suppose one thing we could do is to make our own app, and publish the source on a GPL license for anyone to inspect (or compile themselves if they really are skeptical). The library source is available: GitHub - espressif/esp-idf-provisioning-ios
We thought about using the MetaModule to enter your WiFi ssid and password, but in my experience using a rotary encoder (or a TV remote or anything except a keyboard) to enter a (hopefully) long secure password is a terrible and frustrating user experience.
Thanks Dan, for this comprehensive answer. I ended up setting up a small WiFi network in my studio that is not connected to the Internet. One of your suggestions.