I agree with you on all three points. When Ben labeled SmartTiles “non-publishable” (with a qualifying “may be”), we had an extensive discussion and his rationale was that it’s not because the app is bad, but because the platform need a few changes for the apps like SmartTiles to become officially approved. So, it’s a simple choice really: fix the platform or keep using the security backdoor.
It means they get to appear on this “SmartApp MarketPlace” screen of the SmartThings native mobile App, without remuneration of any sort (plans for a payment system like Apple App Store or Android Play, have effectively been abandoned).
Publication requires a submission through a review process with nebulous criteria: The documentation and process are improving, but the processing queue is up to several months long; repeadtedly if a SmartApp needs to be resubmitted due to a rejection or even a hot bug-fix.
NB: Acceptance and publication of web services SmartApps does very little to increase their security. The submission process does not require an audit of the service provider’s external services linked to SmartThings. For more details, please read and contribute here:
1 Like
As they say, “the road to hell is paved with good intentions”. Everyone has its own agenda, and there’s no guarantee that a seemingly useful SmartApp that’s not been officially reviewed and approved by SmartThings won’t abuse access to security system or other critical components inside my home. Most customers don’t have sufficient knowledge or ability to assess the risks, particularly if the source code is closed. That’s why the official review process is absolutely critical in this case.
The “official” SmartThings review / publication process does not address the security of external services.
Please see details and direct the relevant discussion over to this existing Topic, thanks!
I actually have 2 IFTTTTs in my SmartApps now. I’m sure it will work twice as fine!
4 Likes
It has nothing to do with “external services”. A SmartApp can disarm the Smart Home Monitor with a single line of code or push its armed/disarmed status to a rogue server. I can think of dozens of both explicit and covert abuse scenarios a malicious SmartApp could do. SmartThings approval process includes a code review that ensures that things like that don’t happen.
Quite incorrect, Geko: The review process absolutely does not prevent that from happening even via fully approved and published web services SmartApps.
For example, nothing prevents IFTTT, Amazon Echo, InitialState, or The Ubi (all are “approved web services SmartApps”) from doing anything at all with the devices you authorize. They could purposefully or accidentally unlock all your doors, for example, or flood your lights in a denial-of-service attack type scenario; collect the event data on all authorized devices and sell it to marketers…
Please, please, please move, follow, and continue this discussion on the thread Topic I directed you to: SmartTiles (& "other" External Services) Security
So, @slagle - is there any estimate of a resolution here? Or are we to consider this “loophole” closed?
Hey guys,
We are reverting the change we made today. The developers of these apps have been notified and I will be working with them to get them back up and running.
We truly do apologize for this, and any inconvenience we cause anyone.
5 Likes
Thanks, Tim…
Apologies for nitpicking here, but any particular reason the SmartThings Status Page doesn’t indicate a problem? We have users and/or customers who are affected, but can’t direct them to the official status…
3 Likes
Put it this way - If you hadn’t have done this I think a lot of people would have been thinking “Well it cant be a priority as we’ve not even seen any forward motion” so the fact it didn’t work doesn’t matter… You’ve shown the public some progress with the problem… Which to me, means a hell of a lot more than "“We’re working on it” every 7 days…
So from me… Thank you for trying!
1 Like
It’s not that it “didn’t work”; it had serious negative repercussions on functionality that did work, with no warning.
New features should never be at the expense of existing stability.
The “new feature” here is the launch of SmartThings in the UK in early September prior to it being thoroughly tested. Without that flawed launch, there wouldn’t be “lots of people” complaining about OAuth services not working in the UK, and this impactful failed fix would not have… existed.
SmartThings is not a “beta testing platform”… Or is it?
1 Like
I’m afraid you’ve answered your own question. 
1 Like
Oh no - I didnt mean it in any way to say it had the right platform effect. However it did have a mental affect on us UK members in a good way (yes at the expense of the US members).
However, launched right or wrong in the UK, it was launched. I’m a UK member having spent (with conversion of currency) more on a device than a US member would have. As a normal consumer, I expected it to work. So when we found out it didn’t perform the advertised functions I was a bit disappointed.
I’m a realist however and understand these things “can” happen. I’ve been waiting now 4 weeks for even the slightest show of progress on the issue beyond “Its coming soon” or “It’s weeks away rather than months or days”. This hickup was the first sign of “progress” if you can call it that, no matter the detrimental effects on others.
I agree it should be rolled back, and I’m glad they have the ability to do that otherwise from a company operating point of view, you might as well call it a day now.
I’m sorry it had this effect of the US members, however from a UK point of view, we needed this to show it was actually being worked on.
2 Likes
Is this stuff tested? I don’t mean that in any sarcastic or offensive way. I’m genuinely curious is there is any group of beta testers who are first to be exposed to platform updates via an opt-in.
1 Like
Update:
We found a problem. Hot fix was pushed to tomorrow morning. I will keep you all updated here with every new piece of information I get.
Thank you for any patience you can offer us, and again I apologize the the inconvenience.
9 Likes
Well…it looks like I stumbled on a big one…
I’m chomping at the bit here 
Any news on if the hot-fix was deployed this morning? Also if it worked as intended?
Hi @slagle whose morning are you referring to here? It’s afternoon in the UK already 
I’m going to assume you meant your time but a declared time zone would be helpful on global communities (especially with how many of us Brits are watching this issue / fix in regards to the underlying OAuth issue).Thx Ant
Morning in context will almost always be US time. Deployments are usually (but not always) done by people in Minneapolis (central time), but there isn’t a set time. I don’t know anything more specific for this specific case.