Security of Roon app on Android phone

I bought a new Android phone today. I just installed the Roon app (from the Google Play Store). I ran the app. It found my Roon server (running on Win10 Pro x64) and gave me some details about my library. No request for authentication, however.

Does all that mean that the Roon server trusts whatever comes over the local network? Or does it trust what comes in from anywhere?

I am willing to trust that ROCK as an OS and Roon server under ROCK are secure. I am concerned that Roon running on Windows will accept just anything, presumably anything coming in on a certain port. When Roon server is running on an OS other than ROCK, I don’t think Roon is taking security seriously. And please don’t reply with the “nasty things running on one’s computer” kind of argument. That’s not helpful. Windows doesn’t necessarily trust things running on itself, much less things coming in from the outside, and so Windows works hard to protect itself and its environment.

Pretty sure it trusts whoever tries to connect over the LAN. When I visit a friend who has Roon, once I’m on his WiFi network I can connect to his Roon core with no username/password (somewhat to his annoyance).

You are not ‘pairing’ your phone in the way you would normally so any authentication is done with the Wifi security settings. Below that you have the fact that the RAAT protocol Roon uses is unique to them so no one else will be connecting over that protocol. In essence you control who accesses your LAN physically (cables) or via Wifi and Roon takes care of the rest by using RAAT.


The ignorance/secrecy approach doesn’t work in security. If there’s enough value in breaking security, someone will break it.

Actually it works very well. Hence the reason we would use a product like ROCK (minimalist Linux applications) on mission critical applications where I work in broadcast and telecoms but would never use Windows. The money is in Windows so that is where 99% of malicious activity is. Also the program is gatekeeper to music files, not financial details or sensitive passwords so the value angle is severely limited.

What is your actual concern? Roon will not “accept anything”, it only accepts connections to control itself.

Yes, someone who has LAN access can come play your music and can manipulate your library.

Roon, like all software that accepts network connections, increases the attack surface of your machine for unintended uses.

This is true of all software, and if nefarious elements are on your LAN, there is a good chance you are owned anyway.
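The thread's trust model is "whoever is on the LAN can control the core", and the original poster's worry is that the Windows server accepts "anything coming in on a certain port". The practical check a defender wants is to see which ports the server processes actually listen on, which interfaces they bind to, and what source addresses the Windows Firewall rules for those executables allow, then to scope those rules to the local subnet so the exposure matches the LAN-only model. The script below is an added example, not code from the thread or from Roon; the process names `RoonServer` and `RAATServer` are an assumption (confirm them with `Get-Process` on your own machine), and it must be run from an elevated PowerShell prompt on the Windows 10 host.

```powershell
# Added example (not from the thread or from Roon): inventory what the Roon server
# processes expose on a Windows 10 host and scope their inbound firewall rules
# to the local subnet. Run from an elevated PowerShell prompt.
# The process names are an ASSUMPTION; adjust them to what Get-Process shows.
$ProcessNames = @('RoonServer', 'RAATServer')

# 1. Which TCP ports are these processes listening on, and on which address?
#    0.0.0.0 or :: means "every interface", i.e. reachable from any network the host is on.
$procs = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning 'No matching process is running; nothing to inspect.'; return }

Get-NetTCPConnection -State Listen |
    Where-Object { $_.OwningProcess -in $procs.Id } |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object Process, LocalPort |
    Format-Table -AutoSize

# 2. Which enabled inbound allow rules apply to those executables, and from which
#    remote addresses? A RemoteAddress of 'Any' means the rule does not restrict the source.
$exePaths = $procs.Path | Sort-Object -Unique
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        $prog -and ($exePaths -contains $prog)
    }

foreach ($rule in $rules) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($addr -join ', ')
    }
}

# 3. Mitigation: keep the rules but only accept connections from the local subnet,
#    so a rule that currently reads 'Any' no longer answers the wider network.
foreach ($rule in $rules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress LocalSubnet
}
```

Steps 1 and 2 are read-only; review their output before running step 3, which modifies the matched rules in place. Two things to read in the output: a listener bound to `0.0.0.0` is reachable on every network the machine joins, and a rule whose RemoteAddress is `Any` will honour that on all of them, so the LAN-only trust model described above only holds once the rule is scoped (or the Windows network profile is set to Public, where unsolicited inbound connections are blocked by default).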

Can we discuss the issue offline?