Is SharpTools on Android "safe"?

When searching if there were integrations between SmartThings and Tasker, I found the SharpTools app from Boshdirect in the Google Play store. So I installed it just to test it out. It migrated the database, but then to do anything it of course needs permissions. Any ideas if this is safe to log in through their app? Am I just at the mercy of if they store my login info and get hacked someday?

It’s a very popular app and the developer, @joshua_lyon, is very active on these forums. I can’t speak to any specific security concerns, but certainly his reputation around here for the last two years has been good. :sunglasses:

My understanding was that like most of the other third-party integrations, SmartThings will only allow authorization through OAuth, in which case your password is never revealed to the third-party app. Same way the IFTTT and Harmony integrations work. You get a screen where you enter your credentials, but they aren’t actually given to the requesting app.

But @slagle or @jody.albritton, who are both SmartThings staff members, could say more.

3 Likes

If the “OAuth login page” presented by SharpTools is being served from the SmartThings cloud (i.e., *.smartthings.com – and you can verify this by checking the certificate … the little https:// lock icon), then you can be very sure that SharpTools is not capturing your password.

The OAuth process (also used by the new version of SmartTiles, and @obycode’s SmartRules) never shares your SmartThings email and password, but rather only shares a link to the installed “connector” SmartApp and an “authorization / access_token”.

You can revoke any of these App’s access by just uninstalling the corresponding SmartApp, since the access_token is valid for that SmartApp instance and only that instance.

Details about the process are in the Developer Docs: http://docs.smartthings.com/en/latest/smartapp-web-services-developers-guide/overview.html

2 Likes
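The self-check described in the post above (is the login page really served from *.smartthings.com over HTTPS?), written out as an added example; it is not code from SharpTools, SmartThings or anyone in this thread. The function name and every sample URL are constructed for illustration; only the `smartthings.com` suffix comes from the thread.

```javascript
// Added example: decide whether an OAuth login page URL belongs to SmartThings.
// TRUSTED_SUFFIX is taken from the thread; all sample URLs are constructed.
const TRUSTED_SUFFIX = "smartthings.com";

function isSmartThingsLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch (err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // Text before "@" is userinfo, not the host, even if it looks like a domain.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "URL carries userinfo" };
  }
  // hostname is already lower-cased and punycode-encoded by the parser,
  // so look-alike Unicode letters cannot match the ASCII suffix.
  const host = url.hostname;
  const trusted = host === TRUSTED_SUFFIX || host.endsWith("." + TRUSTED_SUFFIX);
  return trusted
    ? { ok: true, reason: "host is under " + TRUSTED_SUFFIX }
    : { ok: false, reason: "host " + host + " is outside " + TRUSTED_SUFFIX };
}

// Constructed sample URLs: one genuine-looking, the rest common look-alikes.
const SAMPLE_URLS = [
  "https://graph.api.smartthings.com/oauth/authorize",
  "http://graph.api.smartthings.com/oauth/authorize",
  "https://graph.api.smartthings.com@login.example.net/oauth",
  "https://smartthings.com.login.example.net/",
  "https://notsmartthings.com/oauth",
  "https://smartth\u0131ngs.com/",
];

for (const sample of SAMPLE_URLS) {
  const verdict = isSmartThingsLoginUrl(sample);
  console.log((verdict.ok ? "TRUST  " : "REJECT ") + sample + "  (" + verdict.reason + ")");
}
```

The comparison is on the parsed hostname with a leading dot on the suffix, which is why `notsmartthings.com` and `smartthings.com.login.example.net` are both rejected.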

Ok, unfortunately the login page they present is embedded in the app and I can’t see the HTTPS URL or any lock symbol. I could see if there is anything in the Android logging…

Can I visit the SmartThings IDE to validate what apps have been served an OAuth token like I can with my Google account?

Yup – that’s too bad…

Of course, I can assure you that SmartTiles, Sharp Tools and SmartRules are safe, but all OAuth login screens really ought to show you the SmartThings https/SSL (lock symbol) so you can self-verify.

You can go to this page in the IDE to see your installed SmartApps, and then click on any one of them for “details”.

Unfortunately, those “details” do not inform you whether or not the SmartApp is a “Web Services SmartApp” that has issued an access_token.

Hopefully the SmartApp is named sensibly enough, so you can just uninstall it if you are nervous.

1 Like

Fact is that if, after you input your login information only once, the App is able to access the Things you authorized, then that is nearly impossible to spoof… i.e., cross-page scripting constraints make it very hard for an App to grab your password in this scenario.

You could change your Account password temporarily before authorizing such Apps and then change it back.

1 Like

Thanks for all the prompt help and info! I just logged in and unfortunately found that the major reason I wanted it doesn’t seem to be supported. I have a SmartThings shield controlling my garage doors and those work great with my own device driver. But I can’t see them to authorize controlling them from sharptools. I wanted a simple button (widget) on my Android home screen.

It looks like @JDRoberts and @tgauchat have you covered here, but I’m copying my reply to your email here as well:

SharpTools uses the industry standard OAuth workflow for authorizing users. The beauty of this approach is SharpTools never sees your username or password - you complete the authorization flow through a secure SmartThings webpage and an authorization code is then returned to SharpTools to use in place of your credentials. This means you can uninstall the SharpTools SmartApp from SmartThings at any time and it will revoke all access SharpTools had at any point.

You are the only person who has access to your SmartThings. The only time that SmartThings data is with a third party is if you opt to use push events (subscriptions) which uses Google’s cloud messaging platform to deliver the push events to your phone.

Regarding the unsupported custom device, the easiest way to get it added to SharpTools is to add Capability "switch" to your device type header. This will make it show up as a switch device card in SharpTools (with on/off buttons) and all of the available methods for the device will be available in Tasker and Widgets. I would recommend adding on/off commands to your DTH and mapping those to your preferred commands as well (e.g. on/off).

Furthermore, if you also add the Garage Door capability to your device type, SharpTools will recognize it as such and will provide a garage door card with open/close buttons.

5 Likes

Just want to echo everything that was said by @JDRoberts, @tgauchat, and @joshua_lyon. They are 100% correct.

4 Likes

Awesome! Thanks so much @joshua_lyon and @tgauchat!! I’ll play around and see if I can get this going maybe this weekend. Note my drivers for the garage door can be seen here:

2 Likes

@joshua_lyon, so I finally got around to trying out your suggestions about adding the “switch” capability to my DTH and I realized that the way I’m doing the garage door may be a bit too custom. I have three doors, and so I made an Arduino app that can “press” one of three GPIO relays to simulate a press of a real garage door opener I opened up and soldered lines to. So what I do then with the SmartThings shield is have it take commands from the DTH for one of the three doors. So when I did your suggestion, I did get SharpTools to show my single SmartThings shield as a garage door instance, but it was the wrong current state, and of course it wouldn’t understand the way I was actually controlling them.

Here is my code for reference in the DTH. Any quick ideas if there is a way I could emulate these same type of smart things button presses in SharpTools?

/**
 *  Copyright 2016 Justin Eltoft
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 *  in compliance with the License. You may obtain a copy of the License at:
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed
 *  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
 *  for the specific language governing permissions and limitations under the License.
 *
 */
metadata {
	definition (name: "Garage Door Shield", namespace: "jdeltoft", author: "Justin Eltoft") {
		capability "Actuator"
		capability "Switch"
		capability "Sensor"
		capability "Garage Door Control"
		capability "Door Control"
        
		//attribute "door_one", "enum", ["door_one_open", "door_one_close"]
		//attribute "door_two", "enum", ["door_two_open", "door_two_close"]
		//attribute "door_three", "enum", ["door_three_open", "door_three_close"]
		attribute "door_one", "string"
		attribute "door_two", "string"
		attribute "door_three", "string"

		command "door_one_open"
		command "door_one_close"
		command "door_two_open"
		command "door_two_close"
		command "door_three_open"
		command "door_three_close"
	}

	// Simulator metadata
	simulator {
		status "on":  "catchall: 0104 0000 01 01 0040 00 0A21 00 00 0000 0A 00 0A6F6E"
		status "off": "catchall: 0104 0000 01 01 0040 00 0A21 00 00 0000 0A 00 0A6F6666"

		// reply messages
		reply "raw 0x0 { 00 00 0a 0a 6f 6e }": "catchall: 0104 0000 01 01 0040 00 0A21 00 00 0000 0A 00 0A6F6E"
		reply "raw 0x0 { 00 00 0a 0a 6f 66 66 }": "catchall: 0104 0000 01 01 0040 00 0A21 00 00 0000 0A 00 0A6F6666"
	}

	// UI tile definitions
    // Is there a way to prevent any tile press if one of the three tiles here is in the transition "next" state?  I know the given tile in that transition state is locked but the others aren't
	tiles(scale: 2) {
		standardTile("door_two", "device.door_two", width: 6, height: 3, canChangeIcon: true, canChangeBackground: true, decoration: "flat") {
			state "door_two_open", label: 'Main', action: "door_two_close", icon: "st.doors.garage.garage-open", backgroundColor: "#79b821", nextState:"closing"
			state "door_two_close", label: 'Main', action: "door_two_open", icon: "st.doors.garage.garage-closed", backgroundColor: "#ffffff", nextState:"opening"
			state("opening", label:'Opening', icon:"st.doors.garage.garage-opening", backgroundColor:"#ffe71e")
			state("closing", label:'Closing', icon:"st.doors.garage.garage-closing", backgroundColor:"#ffe71e")
		}
		standardTile("door_one", "device.door_one", width: 3, height: 2, canChangeIcon: true, canChangeBackground: true, decoration: "flat") {
			state "door_one_open", label: 'East', action: "door_one_close", icon: "st.doors.garage.garage-open", backgroundColor: "#79b821", nextState:"closing"
			state "door_one_close", label: 'East', action: "door_one_open", icon: "st.doors.garage.garage-closed", backgroundColor: "#ffffff", nextState:"opening"
			state("opening", label:'Opening', icon:"st.doors.garage.garage-opening", backgroundColor:"#ffe71e")
			state("closing", label:'Closing', icon:"st.doors.garage.garage-closing", backgroundColor:"#ffe71e")
		}
		standardTile("door_three", "device.door_three", width: 3, height: 2, canChangeIcon: true, canChangeBackground: true, decoration: "flat") {
			state "door_three_open", label: 'West', action: "door_three_close", icon: "st.doors.garage.garage-open", backgroundColor: "#79b821", nextState:"closing"
			state "door_three_close", label: 'West', action: "door_three_open", icon: "st.doors.garage.garage-closed", backgroundColor: "#ffffff", nextState:"opening"
			state("opening", label:'Opening', icon:"st.doors.garage.garage-opening", backgroundColor:"#ffe71e")
			state("closing", label:'Closing', icon:"st.doors.garage.garage-closing", backgroundColor:"#ffe71e")
		}
            
		//standardTile("refresh", "device.refresh", width: 6, height: 2, decoration: "flat") {
			//state "default", label: "", action: "refresh", icon:"st.secondary.refresh"
		//}
        
		main ('door_two')
		details (['door_two', 'door_one', 'door_three'])
		//details (['door_two', 'door_one', 'door_three', 'refresh'])
	}
}

def installed() {
	log.trace "installed function was called"
	//initialize()
}

def updated() {
	log.trace "updated function was called"
	//initialize()
}

def initialize() {
	log.trace "initialize function was called"
}

def refresh() {
	log.trace "refresh function was called"
}

// Parse incoming device messages to generate events
def parse(String description) {
	//log.debug "Parsing '${description}'"

	def value = zigbee.parse(description)?.text
	def name
	//log.trace "testing $value"
	if (value in ["door_one_open","door_one_close"]) {
		name = "door_one"
	} else if (value in ["door_two_open","door_two_close"]) {
		name = "door_two"
	} else if (value in ["door_three_open","door_three_close"]) {
		name = "door_three"
	} else {
		name = null
	}
	def result = createEvent(name: name, value: value)
	log.debug "Parse returned ${result?.descriptionText}"
	return result
}

def door_one_open() {
	zigbee.smartShield(text: "door_one_open").format()
}
def door_one_close() {
	zigbee.smartShield(text: "door_one_close").format()
}

def door_two_open() {
	zigbee.smartShield(text: "door_two_open").format()
}
def door_two_close() {
	zigbee.smartShield(text: "door_two_close").format()
}

def door_three_open() {
	zigbee.smartShield(text: "door_three_open").format()
}
def door_three_close() {
	zigbee.smartShield(text: "door_three_close").format()
}