Malicious Third-party SmartApp Possible on New Platform?

Hello everyone,

I am wondering, with the new SmartThings API (JavaScript instead of Groovy), does the problem of malicious third-party SmartApps still exist? If an end user installs such an app, will an attacker be able to manipulate the user’s devices and data?

Under the new API paradigm, authorizing a SmartApp means authorizing some arbitrary code to access the devices and data that it requests from the Customer.

SmartThings has not stated how or if they will analyze the actual logic/actions of the code - and will technically have less control over this logic than in the legacy Groovy system because SmartThings had full ability to read and certify the actual Groovy source code, and the publisher could not change it without going through re-approval.

The new system puts more power into the hands of the Customer. Power comes with responsibility. If a Customer wishes to grant a SmartApp developer/vendor access to their specific devices, then the Customer is responsible for determining if that vendor is trustworthy.

This is no different than if you install an Android App that requests smartphone Camera & Microphone access. You have the choice whether or not to install such an App. Once you do, you have no control over how or when such Apps actually use your Camera and/or microphone.


As long as we don’t get to “great power”… I think it’s a little too early in the year for any of us to end up in red and blue tights… :grin:


But it’s very different than the Apple ecosystem, where Apple does review the code for every app before it allows it into the App Store. And where it significantly limits the operating system functions that each third party app can access. And provides notification at time of install of any app which is going to use the camera or microphone. So it’s not that there’s an industry standard way of doing this.

From outside the Las Vegas exhibit hall for CES 2019:



Google Play also reviews App code before publication, though Apple is reputed to do a more thorough review.

Play and Android also make it clear to the customer what exact permissions the App requests or may request.

The difference with SmartThings:

  1. Certified Device Handlers will have their code reviewed to a particular degree prior to publication with the Works With SmartThings designation.

  2. Non-WWST Certified Device Handlers will be reviewed to a lesser degree: basic compatibility and stability only.

  3. The review process for SmartApps has not been defined, but the situation is more comparable to a website rather than an App. Modern web browsers can now grant websites permission to use the camera and/or microphone - and the browser ensures that the user must explicitly give such permissions to each different website or domain. But nobody reviews what the website is actually doing once granted permission to use the resources.


If my info is right, SmartApps are no longer executed on ST Cloud but on the servers of their developers.
Is this the main problem that ST is not able to take control over the logic of third-party SmartApps?

Yeah, it seems like this is moving towards something similar to what happened between the App Store and Cydia back in the day. Apple-blessed apps have to go through a painstaking process to get into the walled garden, and everything else is relegated to what seems like a back-alley stabby Craigslist risk-prone marketplace.

I suppose it’s no different than trusting some github-hosted version of some app that could be compromised without notice.


SmartThings can’t take control over the logic in the new model, correct.

But why is this a problem?

Google/Chrome can’t control what web pages do (within the scope of the web page and any hardware permissions explicitly granted by the user) - and that’s a good thing. I don’t want SmartThings to limit what I allow 3rd parties to do with the devices that I authorize.

Well in a way it’s more like the Chrome extensions via the store, where you can go and install whatever you want, and (generally) Google will try to weed out bad actors, even though some rarely make it through, but it provides a centralized place where you can find cool stuff to extend the browser and add functionality.

If you tell Average Joe that he has to go to 17 different places to install apps, that’s not going to appeal to anybody except for us the crazy folks that don’t mind jumping through hoops, and people will generally stay within the ST ecosystem.

Then again, unless you review the code that you’re installing yourself, you don’t know if @RBoy is spying on you through your webcam while you cook. The issue of trusting code is always going to be there, but I think walling it off actually makes it easier for bad folks to do bad things, because the community as a whole would have to review every piece of code that makes it out there, and that’s not going to be easy – nor is it going to be fair for people that have revenue-based apps.


Are you attending this year?

Just virtually. :sunglasses:

I imagine there are some forum members going, though, there are most years.