Security and API (if any)

Sorry in advance if this has already been covered somewhere, but I’ve not been able to find anything meaningful on the things that interest me. I’ve just bought an 8TB My Cloud Home Duo and it looks like it’s not what I’ve expected but I’m willing to give this a go. I’m trying to get a complete understanding of how it works and I’d really appreciate any info on the following:

  1. I’ve created an account on and can browse files on device via browser. Is it possible for someone outside my network to access my device? And if so what mechanisms are available to prevent unauthorised access?

  2. Who manages my credentials? What I mean is: are they stored by WD, or on my device? If they are stored by WD, is there any publicly available information on the security auditing procedures (as in, do they know to hash and salt passwords)?

  3. What would prevent WD from scanning my device in the background and snooping on content like Amazon drive does? The entire system seems to be geared towards this.

  4. From what I was able to find it is not possible to simply map it as a network drive (other than perhaps public space for Time Machine) and the only way to have a GUI is to use a browser or some iffy app. Does WD provide any API reference I could use to access files programmatically? Intention here is to encrypt sensitive files before putting them on a network device.

Thanks in advance. Any info greatly appreciated.

Upon further digging I’ve found answers to some of my questions, in case anyone else has similar questions or concerns.

  1. The can indeed be accessed from anywhere (and so can your files) but there appears to be protection from password guessing in the form of a (temporary?) IP ban upon X number of failed attempts. That being said, there is no two-factor authentication. So don’t store your credit card data on it in plain text.

Plus, keep in mind this is essentially a computer on your internal network capable of accepting inbound connections 24/7. Even though it runs Linux it’s by no means unbreakable.

  2. I’m still unclear as to where my access credentials are stored. Could use some clarification on this.

  3. So far I maintain that a third party could hypothetically have access to this machine, so encrypt sensitive files.

  4. There appears to be a REST API