core: Life360 fails authentification again

Just want to say thank you @pnbruckner for all your hard work on this. Very much appreciate it, and it’s a shame they don’t want to offer an API we can use, even for a small payment.

I can confirm something did indeed change today that broke the integration again. Some investigation seems to imply it is more subtle than previous changes. It is getting too difficult to keep up. I’m personally giving up. It is very likely the integration will be removed.

We are aware that Life360 is broken. As reported above, using Cloudflare is not something that is worth fighting over with them. We’ve tried reaching out to them and have not heard back yet. We have one final lead we’re trying but I wouldn’t hold my breath.

Its’ time to look for alternatives (like the Home Assistant app itself) but our issue tracker is not the right place for that. Please use the community forums, Discord or Reddit. Thanks.

@danielbrunt57 you wrote “HERE are the top five alternatives to Life360 on iPhone and Android”

Where?

I humbly request we not keep discussing alternatives/opinions? This Github issue and discussion thread is specifically for trying to find solutions to the current integration problem in Home Assistant. If you want to discuss your opinions of Life360 in general, you can open a discussion on the Home Assistant community forums, or literally anywhere else. Every time someone posts here (including “Same for me”) then it pings that message to everyone that’s subscribed looking for a solution to the problem. Thanks. (rant over)

Hello everyone, some time ago I contacted the CEO of Life360 to show him some project of mine and ask him about a public API. Back then he reacted very positively. I have now written him again to inform him about the latest developments. Maybe he responds maybe not.

Until such time as Life360 officially supports our use of their system, if ever, the HA Life360 integration is effectively defunct.

All they need to do is provide an API key for paid users to allow (unsupported by them) API access. Block access for anyone else. I’m already a paid user (although considering cancelling now there’s no Home Assistant access) but this would at least be a consumer-minded approach. Shane.

I am a paying customer, although I have suspended payments while I evaluate alternatives. I contacted them via email. I got the same results as others, that they don’t support API access, and have no intention to. They did say that they will pass the message on to their team. I’m not optimistic.

life360+ app for Hubitat.

https://github.com/jpage4500/hubitat-drivers

The http requests used here are based on the previous fix, and also some newer changes to the user agent that I’ve already made (https://github.com/jpage4500/hubitat-drivers/pull/29 / https://github.com/jpage4500/hubitat-drivers/commit/9d082567b2b6ad7e282d70c11d80884bb9925b0a / https://github.com/pnbruckner/life360/pull/12 / https://github.com/pnbruckner/life360/pull/10)

I’ve got a suspicion that Life360 have enabled Cloudflare’s “enhanced bot protection” (I think thats what its called in the rules, but more info on their “bot” protection here https://www.cloudflare.com/en-gb/application-services/products/bot-management/).

To keep it as simple as possible, these fingerprints that Cloudflare goes on about are actually the fingerprints of the underlying https connection itself as far as I’m aware, which if that’s the case, these fingerprints can vary from client to client and can’t easily be spoofed as this happens after the TCP connection is established, but before the HTTP request is sent (https://developer.okta.com/books/api-security/tls/how/#tls-how).

That might even be why the hubitat integration is still working, because the fingerprint of that TLS session could be different to the one used in aiohttp

as @balloob has said, this is simply not worth fighting over at this point, we’d probably have to build a whole new http requests library from scratch, based from okhttp3 to spoof the fingerprint of those TLS sessions.

EDIT: uploading the full list of API endpoints that are within the latest version of the mobile app for other devs to explore (2.50.0)

MembersEngineNetworkApi.txt

I received this email, maybe it is the reason? I think “suspicious activity” is HA?

Dear Valued Member,

At Life360, the security of our products and services has always been among our top priorities. We are continuously monitoring and implementing features designed to enhance the security of our products and security for our members.

Recently, we identified suspicious activity in which an unauthorized person used credentials (email address and password) obtained from outside sources to attempt to access your account. Based on our investigation to date, we have no evidence of unauthorized access to Life360 user location information, payment card information, or physical addresses. To safeguard against further suspicious activity, we took the precaution of resetting your password.

Life360 has introduced a new way to further safeguard your account by using one-time-passcodes delivered to your verified phone number when logging into your account, instead of passwords. Enrolling in passwordless login is the best way to prevent password misuse and protect your personal information, so please take a few minutes to enroll now.

Take action to further safeguard your account now:

In the Life360 App, visit Settings → Account → Phone Number and verify the phone number associated with your account. Afterwards, you’ll log in by receiving a code delivered directly to your phone instead of using a password.

In addition to enabling passwordless login on Life360, we encourage you to change the password on any online service for which you have used the same or similar credentials at Life360 or elsewhere.

Security is an important part of our commitment to keep families safe online and in the real world. Thank you for taking the time to read this message and taking steps to protect your account.

Best regards, Chris Hulls, CEO

Thanks, Phil, for all of your work on this integration. I’ll miss it, but reverse engineering a protocol that’s actively trying to discourage people from using it is probably not a good idea from a usability POV! It was great while it lasted, and I appreciate all the time you put into this.

I just test OwnTracks with Home Assistant and it works perfectly !

Maybe you can figure out how you did this

@robertvanlienden He told you how he did it…

I did nothing

Here not! it still not passes authentication

We are aware that Life360 is broken. As reported above, using Cloudflare is not something that is worth fighting over with them. We’ve tried reaching out to them and have not heard back yet. We have one final lead we’re trying but I wouldn’t hold my breath.

Its’ time to look for alternatives (like the Home Assistant app itself) but our issue tracker is not the right place for that. Please use the community forums, Discord or Reddit. Thanks.

I have started replying to this post in the Home Assistant forum

Same here

Same for me. HA Core 2023.12.4

I’m not sure there is a fix for this… for the more technical minded - Life360 proxies its backend API for the mobile app via cloudflare. The source of all the 403 errors comes from cloudflare blocking the request (which will most likely be configured by Life360 themselves as some form of firewall / page rule - https://developers.cloudflare.com/rules/).

Watching the web requests the mobile app makes and then replicating them like for like (headers, urls, body, cookies etc.) outside of the app results in the above 403 error produced by cloudflare.

Pretty much all of the old v3 endpoints and newer v4/v5/v6 endpoints return the same problem. Further testing using 2FA also has produced the exact same result, although interestingly I can use other clients to send and issue an access token with SMS based OTP, just not directly with a username/password.

EDIT: v5 and v6 related endpoints are working, although to retrieve a list of circles (and consequently their IDs), you need to use the v4 endpoint as “circles” doesn’t exist as an endpoint outside of that)

For those ending up here, Life360 have offered me a refund on my three subscriptions.

Maybe this is because I’m in Australia with strong consumer protection, maybe not.

If you are in Australia or the EU, I would reach out and request a refund if you are a paying customer. You will need to demand (politely) but at least it means you aren’t paying for something you can’t use any more.

There are several. Here are a couple (one of which was mentioned above):

https://community.home-assistant.io/t/device-tracker-best-echange-for-life360/665944 https://community.home-assistant.io/t/looking-for-life360-alternative-for-presence-detection-for-home-alarm/664108

Response from Life360:

Thank you for contacting Life360 about your feedback and request to reconsider the Home Assistant functionality of the app. I will coordinate this with the appropriate team.

We understand the importance of using the Home Assistant program with Life360. However, please be aware that we no longer support home automation programs such as Home Assistant, Google Home, Alexa, IFTTT, and others, and Life360 is no longer compatible with these programs. Currently, we do not have any plans to reintroduce compatibility with these programs yet, we are constantly working to build products our members will love.

We appreciate your feedback and thank you so much for bringing this to our attention. I’ve recorded your feedback so that it can be reviewed and included in the planning of our development team for features to build next.

FYI, there is an active discussion on alternatives at: https://community.home-assistant.io/t/looking-for-life360-alternative-for-presence-detection-for-home-alarm/664108

I did nothing but IT WORKS now!!

I know not exactly the same thing, but I changed all my automations to use “Person” and have BOTH L360 and Home Assistant devices (with the Home Assistant App) to provide location information. It has helped weather the storms for the L360 integration blocks.

If there is a discussion on alternatives (other than the HA app) could you sob post it here?

Any developpement ? Do we need to consider alternative ?

No. Yes. The founder of Home Assistant already told everyone to look for alternatives.

So in this case I would like to ask to life360 team what’s the utility of their app! Ok you can connect iOS and Android devices… but it’s a limit since the app works fine and could be very usefull in automation. I remember when they left IFTTT… I disagreed then as I do now… but that’s their choice. It’s over

I would imagine that Life360 use for home automation is a very small percentage of thier user base, and they jkust don’t care

+1

I just test OwnTracks with Home Assistant and it works perfectly !

Give it time. I’ve tested OwnTracks 3 or 4 times over the past few years, hoping to replace Life360 and keep data in house. Every time after a week or so, it just stops updating location. Regardless of battery optimization settings and disabling them all, this has happened every single time on multiple versions of Android. Re-opening the app will get it updating again.

@pnbruckner , Take a look at the life360+ app for Hubitat. This guy has been able to keep up with the changes so it doesn’t go down, even when the regular hubitat life360 and HA life360 goes down. It may help…

https://community.hubitat.com/t/release-life360/118544

https://github.com/jpage4500/hubitat-drivers

Hey, I can confirm the same issue for the Life360 integration in ioBroker: Same problem since today: https://github.com/MiGoller/ioBroker.life360/issues/88

Problem is also persistent in HA 2024.1.0. I even created a special account with it’s own phone/email/password, but unfortunately that doesn’t work either.