
Home Assistant's Android companion app shipped a new beta build Thursday morning — version 2026.6.2 — that closes a security gap allowing external URIs to reach app components that were never intended to be publicly accessible, and adds a native barcode and QR code scanner directly inside the app's main interface. For a platform that controls physical home devices including smart locks, alarm sensors, and door contacts, the distinction between a software bug and a physical security risk is narrow: an attacker who could reach an unexported automation-triggering component via a crafted deep-link URI would not be limited to reading data — they could invoke automations connected to real hardware.
The build is available now through the Google Play Store beta channel and as a direct APK download from APKMirror.
URI Security Patch: Android's Export Model and What Bypassing It Enables
Android apps are collections of components — activities, services, broadcast receivers, and content providers — each of which can be marked as accessible to the outside world or restricted to the app's own process. This is controlled by the android:exported attribute in the app's manifest file. A component set to exported="false" is internal-only: the Android system's intent-routing logic is supposed to refuse any outside app's attempt to target it directly.
The vulnerability class addressed in PR #6994 — contributed by Timothy Nibeaudeau, also known as @TimoPtr, the Open Home Foundation's dedicated Android developer — stems from a gap in how apps handle externally originating URIs. If an app processes a deep-link URI from outside its process without first verifying whether the target component is exported, an attacker can craft a URI that routes to an internal component the app owner never meant to expose. The technique, called intent redirection, has been ranked among the most impactful findings on Android bug-bounty platforms and has affected major apps including TikTok, where a 2022 chain of intent redirections reached unexported authentication-token handlers.
For a generic app, reaching an unexported component might mean triggering a hidden settings screen or leaking cached state. For the Home Assistant companion app, the stakes are different. The app's unexported components include automation triggers connected to the Home Assistant automation engine — the same engine that controls smart locks, motion sensors, IR blasters, and Z-Wave devices. PR #6994 adds an explicit export check: any URI arriving from outside the app's process is now validated against the component's manifest-declared export status before the intent is dispatched. If the target component is not exported, the URI is blocked.
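The check described above, written out as an added illustration rather than the companion app's or PR #6994's actual code: Android's own exported check treats the app that calls startActivity as the sender, so an intent the app forwards on behalf of an outside caller can reach the app's own unexported components unless the app consults the manifest itself. The function names, the log tag and the activities-only scope (services and receivers would need the matching getServiceInfo/getReceiverInfo lookups) are assumptions of this example.

```kotlin
import android.app.Activity
import android.content.ComponentName
import android.content.Intent
import android.content.pm.PackageManager
import android.util.Log
import java.net.URISyntaxException

private const val TAG = "ExternalUriGuard" // illustrative tag, not from the app

/**
 * Returns true only if [intent], which was built from an external URI, may be
 * dispatched. The system's exported check would see this app as the sender, so
 * the manifest-declared export status of any in-app target is re-checked here.
 */
fun isSafeToDispatch(activity: Activity, intent: Intent): Boolean {
    val pm = activity.packageManager
    // Explicit intents name their target; implicit ones resolve as startActivity would.
    val target: ComponentName = intent.component ?: intent.resolveActivity(pm) ?: run {
        Log.w(TAG, "external URI resolves to no activity; dropping")
        return false
    }
    // A target in another package is subject to that package's own exported rules.
    if (target.packageName != activity.packageName) return true
    val info = try {
        pm.getActivityInfo(target, 0)
    } catch (e: PackageManager.NameNotFoundException) {
        Log.w(TAG, "external URI names unknown component ${target.flattenToShortString()}")
        return false
    }
    if (!info.exported) {
        // This is the intent-redirection case: block internal-only components.
        Log.w(TAG, "blocked external URI to unexported ${target.flattenToShortString()}")
        return false
    }
    return true
}

/** Parses an intent-scheme URI received from outside the process and dispatches it only if safe. */
fun dispatchExternalUri(activity: Activity, uriString: String): Boolean {
    val intent = try {
        Intent.parseUri(uriString, Intent.URI_INTENT_SCHEME)
    } catch (e: URISyntaxException) {
        return false // malformed input is rejected rather than repaired
    }
    if (!isSafeToDispatch(activity, intent)) return false
    activity.startActivity(intent)
    return true
}
```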
This fix arrives against a backdrop of recent security activity for the same app family. Approximately two weeks ago, a separate high-severity vulnerability — CVE-2026-44698, rated CVSS 8.3 — was disclosed and patched in versions 2026.4.4 for Android and 2026.4.1 for iOS. That vulnerability allowed an iframe embedded in the Home Assistant frontend to execute arbitrary JavaScript and extract the user's long-lived access token via the app's WebView JavaScript bridge — a distinct attack class from the intent-hijacking risk addressed in 2026.6.2.
Native Barcode Scanner: From Third-Party Workaround to Automation-Ready Input
The 2026.6.2 build also introduces a native barcode and QR code scanner integrated directly into FrontendScreen — the primary WebView activity where users interact with their Home Assistant dashboards. PR #6964, also from Nibeaudeau, replaces the previous workaround approach, in which automations needing barcode input had to launch an external scanner app via an implicit Android intent and wait for the result to be passed back.
The new implementation uses Android's native camera stack to perform scanning in-process, without crossing app boundaries. This removes the inter-app trust boundary that the previous approach required and exposes barcode and QR scan results directly to Home Assistant's local automation engine as a native sensor input. Practical uses include inventory management automations, package delivery logging that triggers on a scan rather than a manual entry, access control systems using printed QR badges, and asset tracking for equipment in a home workshop or small office.
The distinction between an in-process scanner and a third-party app round-trip also matters for reliability: Android's inter-app result-passing mechanism can fail silently if the calling activity is destroyed while the external scanner is open. Running the scanner inside FrontendScreen eliminates that failure mode.
WebView Session Path Fix
A third change preserves the WebView activity path when the app transitions between URLs. Previously, certain URL changes — such as those triggered by redirect chains in external integrations or OAuth callbacks — caused the app's navigation state to reset, effectively reloading the session. The fix ensures the path parameter is correctly carried forward during URL switches, reducing friction when navigating between dashboards and external integrations.
Context: Home Assistant 2026.6 Core Platform
The Android beta follows the June 3, 2026 general-availability release of Home Assistant core 2026.6, which introduced a redesigned dashboard card picker, Z-Wave smart lock credential management, and bidirectional infrared support — meaning the platform can now both send IR commands and receive them from physical remote controls as automation triggers. The 2026.6.2 companion build extends that platform to the Android app while addressing security and stability gaps identified since the core release.
The Home Assistant companion app for Android has accumulated more than 6 million installs and roughly one million monthly active users, according to figures published by the Open Home Foundation. Stable promotion timing for 2026.6.2 has not been announced.
How to Get Home Assistant Android 2026.6.2 Beta
Beta access is available through the Google Play Store beta enrollment for the Home Assistant companion app. The build is also available as a direct APK download from APKMirror for users who prefer sideloading. It covers the standard companion app, the minimal variant, and both the Wear OS and Android Automotive editions.
Frequently Asked Questions
What does the URI security patch in Home Assistant 2026.6.2 actually fix?
It prevents external URIs — such as those arriving via deep links from other apps, notification actions, or automation webhooks — from being routed to app components that the Home Assistant app marks as internal-only in its manifest. Without the fix, a crafted URI could exploit Android's intent-routing system to reach those hidden components, potentially triggering automation actions connected to physical devices like locks and sensors.
What can I use the new barcode scanner for in Home Assistant?
The native barcode and QR scanner integrated into the companion app feeds scan results directly into Home Assistant's local automation engine. Common uses include scanning a product barcode to trigger an inventory automation, using a printed QR code as an access-control trigger, or logging package deliveries by scanning a shipping label — all processed locally on the device without sending data to a cloud service.
Is Home Assistant safe to use after these recent vulnerabilities?
Home Assistant patched the CVSS 8.3 token-exfiltration vulnerability CVE-2026-44698 in version 2026.4.4 for Android, and this 2026.6.2 beta addresses the URI intent-hijacking risk. Users running 2026.4.4 or later are protected from the access-token vulnerability; the URI fix is currently in beta only. Users who want that protection now should enroll in the Play Store beta or sideload the APK from APKMirror.
What is Android intent hijacking and why does it matter for smart homes?
Intent hijacking is a class of Android vulnerability in which a crafted URI or malicious app tricks a target app into delivering a message to a component that was never meant to be accessible from outside the app. In most apps, exploiting an unexported component means accessing internal settings or cached data. In a smart home app that bridges to physical devices, it can mean triggering automations connected to locks, alarm sensors, or other hardware — consequences that extend beyond the phone itself.
© 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.