Disabling extra device capabilities for security

security
smartapp

(npg216@lehigh.edu) #1

Is there any way to disable the extra capabilities that are granted to a SmartApp when a user registers a specific SmartThings device with that app? For example, lets suppose that I want to create an app that only monitors the battery level of a music player and nothing else. Once the user syncs this app with the music player, my SmartApp will also receive all the other capabilities that the music player possess even though I only ask for capability.battery without the user knowing. Is there any way to disable all other capabilities except for capability.battery from potentially being executed in my program to keep it safe from a possible command injection attack. Let me know your thoughts and thank you in advanced!


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

Currently, no.

This is a limitation of the security granularity in the current SmartThings implementation and I’m sure there are folks at ST thinking of how to tighten this up – but it would break a lot of existing SmartApps.

If a SmartApp is submitted for publication, the QA process is supposed to identify if the SmartApp is using Capabilities other than those request for each device input.