Is a temporary local hotspot on an Android device secure enough for my purposes?

Question

I intend to deploy some embedded software on Raspberry Pi devices. All will have WiFi capability, but not all will have internet access.

I want to occasionally be able to update the firmware in all, replacing a single executable (and, possibly, a single configuration file).

At the same time, I want those devices to report some information, probably daily.

For those with WiFi access, that seems straightforward enough, taking the obvious precautions of HTTPS, POST rather than GET, possibly even encrypting the data again, despite using HTTPS (any more?).

Now, for the devices which have no internet access, I could visit them with an Android device. My first thought was to code some Android app to mirror my server’s app, then I realized how silly that would be.

My next thought was simply to use the Android device as a hotspot, and just pass the traffic through from the embedded app to my server & back again – only for as long as the data transfer takes.

I don’t know enough about the security aspect of that. Does it sound like an acceptable solution? The data could be described as “commercial, in confidence”, so not life & death, but I would prefer to avoid man in the middle and reverse engineering of the data.

Answer 1

It is unclear why you would think a phone hotspot is any more or less secure then any other form of WIFI hotspot - thr risks are pretty similar.

I guess there is an additional risk of the phone falling into the wrong hands and the password extracted, but this is probably a relativrly small risk, and not that different from the passphrase being extracted/brute forced from decrypting over-the-air handshake data etc.

In both cases you still have protection of using HTTPS, which is likely a more effective security measure then trying to control the WIFI environment. Likewise, in both cades the security used to protect the WII setup is more important then the device providing it/upstream provider.

There are at least 2 fairly easy things you can consider to boost the security of your network -

1. Run a VPN between the devices and your server /server gateway and ensure data from the devices traverse that VPN.

2. Run your own CA and remove other root certificates, and, if you are worried about fakr/unauthorisrd data, use client side certificates to authenticate the client back to the server.