It’s a familiar problem: one forgets to ventilate, and poor concentration and tiredness follow. Air quality sensors can help here. We took a look at the weather station and the Home Coach from Netatmo and put both on the security test bench.

At first glance, Netatmo Weather and Home Coach look very similar, apart from the case color. The features are similar as well, but the purpose differs slightly. The Netatmo Weather has been on the market for several years and provides the user with a range of sensor data thanks to its thermometer and barometer, humidity and CO2 sensors, and noise measurement. Among other things, the CO2 concentration (in ppm) is used to indicate the air quality in the room. This is where the Netatmo Home Coach steps in: it actively notifies the user about the current air quality.


Applications

Even though Netatmo Weather and Home Coach are very similar, two different apps are needed to access them. The Netatmo Weather app (Android, iOS) displays all data of the weather station, while Netatmo Healthy Home Coach (Android, iOS) gives access to the indoor-climate monitor.

Netatmo Weather and Home Coach (Different rooms)

Both apps were subjected to static and dynamic analysis. Neither revealed any critical weaknesses, although there were some minor points in both that the manufacturer should look at. These include compiler hardening flags, which mitigate buffer overflow attacks, that were not set. Overall, however, the security concept of the apps can be considered solid.

Online communication

The Netatmo devices are entirely cloud-based and can therefore only be accessed via the Internet. We did not detect any local communication after setup.

The Internet communication of both Netatmo devices and apps was encrypted at all times. While the apps use a standard protocol (TLS 1.2), the communication between the Netatmo devices and the manufacturer’s cloud appears to use proprietary encryption. Even though the data transmitted in this case is not highly confidential, we would recommend encryption using standard protocols.

Privacy

Netatmo’s privacy policy (as of 27.07.2020) fills about 21 A4 pages with its approx. 7000 words. It provides very detailed information on the most important topics, but according to the Flesch-Kincaid readability index its comprehensibility is at university level (Grade Level 13.4).

Due to its length and complexity, we advise the manufacturer to simplify the privacy policy and additionally provide a shortened version or overview, so that users can inform themselves about the most important privacy-related topics in a short time.

When setting up the app, the requested location permission attracted our attention. It is required for the setup of the Netatmo Weather/Home Coach devices, since under the Android permission structure this is the only way to communicate via Bluetooth. According to the privacy policy, however, the location of the device is also transferred to Netatmo, for example if the app crashes. The position of the weather station is determined even if the data is not shared with Netatmo Weathermap; the manufacturer should take further action here.

The static analysis identified trackers from Google Firebase and Crashlytics in the Netatmo Weather app and, additionally, Google Analytics in the Home Coach app. However, Google Analytics is not mentioned in the privacy policy. The Home Coach app is not listed there under its own name, but in the “Air Care” section.

What surprised us very much was that, according to the terms of use, access to Netatmo services is at the user’s “own risk” (“The Services are hosted in the following countries: France, Ireland, Germany, The Netherlands, The United States, Japan and for Russian users, cloud hosting servers in Russia. If you access the Content or Services from inside or outside of France, you do so at your own risk.”). In the German version, only usage outside of France is at the user’s own risk. The translation should be checked at this point.

Conclusion

Both Netatmo solutions (Weather and Home Coach) scored well in our test, even if a few minor issues came up here and there. The most noticeable one is the very long privacy policy, which covers all important aspects but needs to be revised because of its complicated wording.