Root endpoint access change 6/02/2016

If I understand correctly, this only affects the “generic” root endpoint which was technically a security scope leak (along the lines of stuff researchers raised concern about in the U of Michigan study).

OAuth’d Web Services SmartApps should only be accessed by their explicit “mappings:” list, and only accept Commands and State requests for devices Authorized at the time of installation or user updating preferences.

i.e., this won’t give any result and should give an authorization error. This is calling the “root” of a SmartApp’s endpoints…
https://graph.api.smartthings.com/api/smartapps/installations/5750ee0d-cee5-66b5-af70-33c2cc34b6e4/<blank>

Result:

    {
      error: "access_denied",
      error_description: "Access is denied"
    }

But this, or many similar explicit endpoints as defined in a SmartApp’s mappings:, is still fine:
https://graph.api.smartthings.com/api/smartapps/installations/5750ee0d-cee5-66b5-af70-33c2cc34b6e4/TurnOn?switch=<switchID>

For example, SmartTiles has endpoints:

  • /css
  • /tools
  • /history
  • /order

(and many more), such as:

  • https://graph.api.smartthings.com/api/smartapps/installations/6660ff0d-cee5-43b5-af70-33c2ee34b6e4/command?type=light&device=da282cd3-6bef-4620-8d4c-8f5f9d60a929&command=on
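As an added example (not the poster's code and not the SmartThings platform's own implementation), a small Python model of the access rule described above: only routes declared in the SmartApp's mappings are reachable, and a command is honoured only for devices the user authorized when installing the app. The installation and device ids are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed identifiers for this example (not real installations or devices).
INSTALLATION_ID = "11111111-2222-3333-4444-555555555555"
LIVING_ROOM_LAMP = "aaaaaaaa-0000-0000-0000-000000000001"  # authorized at install time
GARAGE_DOOR = "bbbbbbbb-0000-0000-0000-000000000002"       # never authorized for this app
BASE_URL = f"https://graph.api.smartthings.com/api/smartapps/installations/{INSTALLATION_ID}"

# The body returned for the root endpoint in the post above.
ACCESS_DENIED = {"error": "access_denied", "error_description": "Access is denied"}


class InstalledSmartApp:
    """One installed Web Services SmartApp with its explicit mappings list."""

    def __init__(self, installation_id, mappings, authorized_devices):
        self.installation_id = installation_id
        self.mappings = mappings                    # route -> handler, as in a mappings: block
        self.authorized = frozenset(authorized_devices)  # devices approved by the user

    def handle(self, url):
        parts = urlsplit(url)
        prefix = f"/api/smartapps/installations/{self.installation_id}"
        if not parts.path.startswith(prefix):
            return ACCESS_DENIED
        route = parts.path[len(prefix):].rstrip("/")
        if route not in self.mappings:              # root ("") or any undeclared path
            return ACCESS_DENIED
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        return self.mappings[route](self, params)


def turn_on(app, params):
    """Handler for /TurnOn?switch=<id>: acts only on devices authorized at install time."""
    device = params.get("switch")
    if device not in app.authorized:
        return ACCESS_DENIED
    return {"device": device, "switch": "on"}


def probe(url):
    """Send one request URL to a freshly built app and return the response body."""
    app = InstalledSmartApp(INSTALLATION_ID, {"/TurnOn": turn_on}, [LIVING_ROOM_LAMP])
    return app.handle(url)


if __name__ == "__main__":
    print(probe(BASE_URL + "/"))                                  # root: access_denied
    print(probe(BASE_URL + "/TurnOn?switch=" + LIVING_ROOM_LAMP)) # declared route, authorized device
    print(probe(BASE_URL + "/TurnOn?switch=" + GARAGE_DOOR))      # declared route, unauthorized device
```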