Why is There No https in MIT App Inventor

Mar 25, 2022 jeff's Blog


People are asking “Why is MIT App Inventor insecure?” What they are typically referring to is the fact that the server at ai2.appinventor.mit.edu does not support the https (secure http) protocol. Attempting to browse to https://ai2.appinventor.mit.edu brings up the message “this site can’t be reached”. So people need to instead connect using http. But with Internet security becoming a larger and larger concern, browser vendors are increasingly encouraging switching away from http to https. An example, seen with http connections to ai2.appinventor.mit.edu, is to display the warning “your connection to this site is not secure.”

It should be safe to ignore this warning: MIT has implemented other security that mitigates the risks of using http as opposed to https, and we suggest using http for now. We are working on a solution to support https, but it is not yet in production.

If you simply must use https (perhaps a school policy requires it) you can use the server at https://ai2-test.appinventor.mit.edu. But this is a test implementation, not suggested for production use.

The technical reason for “Why no https” is a bit complicated. It is explained below.

TL;DR

If we serve MIT App Inventor over https, then our “Legacy Connection” on the MIT AI2 Companion cannot work due to security policies enforced by modern browsers. We have a solution, which you can try out on https://ai2-test.appinventor.mit.edu , but it is not without its own issues. If you want to test on ai2-test, but do not want to read this whole document, feel free to Skip to the Testing on ai2-test heading.

Introduction

If you use MIT App Inventor, then you know that one of its key features is the ability to incrementally develop an application and watch it unfold on a device in real-time. This is facilitated by the MIT AI2 Companion application which runs on the device. In order to work, there needs to be a way for your browser, which MIT App Inventor is running, to communicate your changes to your device.

Originally, the way we did this was to run a Web Server on your device. (Yes, you heard that right, a Web Server, on your device.) Your browser then communicates with this server like would communicate with any other Web Server.

However, this special Web Server does not use https. That is because to run a “secure” Web Server over https requires the server to obtain a “certificate” from a “Certificate Authority” (CA). However, only Web Servers with a permanent Domain Name System (DNS) name can obtain certificates, not to mention that obtaining a certificate is a bit of a process and has to be done periodically, no less frequently than once per year. DNS names are things like “appinventor.mit.edu” or “company.com.”

However, devices such as phones and tablets do not have permanent network addresses nor do they have a DNS name. Therefore, you cannot obtain a certificate for them, even if you were willing to do the paperwork necessary.

The March to Security

As the Internet has moved to using secure web services, aka “https”, some sneaky sites would serve their main page over https, but when you enter your username and password, they send that over a non-secure connection to avoid the processing overhead of the encryption. So people were fooled into believing their password was protected, but it wasn’t.

To counteract this approach, all browser vendors have implemented a rule inside the browser that if you served a page securely, aka over “https”, then it could not make insecure connections behind the scenes.

Unfortunately, that means that if we serve MIT App Inventor over https, then it would not be able to contact the Web Server running on your device because we cannot run a secure Web Server on your device. This has forced us to continue to serve MIT App Inventor over http, aka non-securely.

It is worth noting that we provide our own security layer (not https) in the connection between your browser and your device. The browser doesn’t recognize this and so displays the security warning.

Our first Attempt to improve things

Like many organizations, we would really like to serve MIT App Inventor over https. So, we need a different supported way to connect from the browser to a device.

In the years since MIT App Inventor first came into being, a new technology, WebRTC, has been added to browsers. Although it is intended for audio and video connections between two browsers, it can be adapted for our use.

We rolled out this new approach in November 2018. We kept the original Web Server based connection mode and labelled it “Legacy Mode.”

When you open the MIT AI2 Companion (as of this writing in 2022) you see a checkbox labelled “Use Legacy Connection.” If you check this box, we use the Web Server based approach. Otherwise, we use WebRTC.

However, WebRTC is not without its problems. In particular, it communicates over a wide range of “network ports” which we have no control over (they are chosen inside the browser, beyond our reach). This causes issues in environments with strict network firewalls, as is often found in schools. With legacy mode, we could tell school Information Technology (IT) administrators which ports they needed to permit for MIT App Inventor to function. With WebRTC, this is a scary large number of ports to unblock, and some schools may refuse to do that.

If we serve MIT App Inventor over https, then legacy mode no longer works and only WebRTC will work. So, in environments where WebRTC doesn’t work will be out of luck.

The bottom line for now is that if you cannot use WebRTC, then you must use MIT App Inventor via http. MIT is working on releasing a new version of legacy mode that will support both http and https.

Hope for the future

We have been working on a newer version of legacy mode that uses a pop-up helper window to communicate with the Web Server in the MIT AI2 Companion. This approach will work even when MIT App Inventor is served over https. The catch is that it involves a pop-up window, which can simply be ignored (pushed into the background). We are working on seeing if we can make this as non-annoying as possible. If you want to see this in action, you can test it out on our testing environment.

Testing on ai2-test

You can test our new legacy approach by going to https://ai2-test.appinventor.mit.edu. (Note the https). You will need to download a special testing version of MIT AI2 Companion directly from the testing site (use the Help⇾Companion Information menu item to see a QR Code to download it with, as well as a link to directly download it. You will have to “side-load” it, which will require you to have your device permit installations from “unknown” sources. The current version is 2.62t3u. If your copy of the Companion does not say “2.62t3u” (or a later version, such as 2.62t4u) then you do not have the correct Companion.

With his Companion, you can use “Use Legacy Connection Mode” and it should work over https (note: There is still a warning message telling you it won’t work, you can ignore that).

Keep in mind that ai2-test is a TESTING site. Projects that you upload or create there may not be compatible with our production sites, at least not until the various things being tested are put into production.

You are welcome to use ai2-test, but keep this TESTING notion in mind. We try not to put very broken things on it, but we offer no guarantee that we won’t (at least not intentionally!).