SmartApp has access to unauthorized devices

I was just giving “Home Remote” a shot and decided not to allow it to control any devices (such as lights). After installing I noticed it somehow had access to my automation… including the automations that turn all lights on and off. I decided to see what would happen if I ran the automation and sure enough, the SmartApp was able to control my lights, even though I didn’t authorize the app to have access to those devices.

I’m guessing this is a loophole but nevertheless, the 3rd party app has access to devices when I explicitly denied its access.

I presume by “automation” you mean your Routine(s), right?

This is a known loophole / vulnerability for over 4 years. An installed SmartApp, even with no access to any Things still has full control of:

  • Routines
  • Location Mode
  • other Location attributes (including your Latitude and Longitude)
  • SHM (arm / disarm)

All of the above could have been rearchiteched to be encapsulated into “Thing Objects” and thus fit the same access control model as Things; but SmartThings has focused on stability and patched several non-public security issues of varying degrees of seriousness (I presume).

At this time, you can be fairly confident that if you do not authorize a SmartApp (i.e,. you can go to Automations / SmartApps and UNINSTALL), then that SmartApp will no longer have access to your Routine(s) or anything else. Web Services SmartApps have their permissions firmly revoked upon uninstall.


Wow, can’t get any worse than having access to SHM. That defeats the purpose of denying access to certain devices in my opinion.
Funny you responded to this as I was looking for an alternative to Actiontiles :grin:. I might just bite the bullet and go with your product.


I’m hoping that the few folks who have used this expression just prior to purchasing an ActionTiles License are just not aware of its meaning…

While many of our Customers find that ActionTiles is an indispensable part of their SmartThings homes, and perhaps thus “unavoidable”; I sure hope that the purchase or configuration experience is not “painful or otherwise unpleasant”. :grimacing: :gun:


Merry :christmas_tree: and Good Tilings to all!

Shhhh… :sushing_face:

If folks complain about this, SmartThings is likely to throw baby out with bathwater and disable all uncertified SmartApp access to SHM control, including WebCoRE and dozens of other useful Community SmartApps (instead of just offering a security enhanced API).

The current SHM control method used by all SmartApps is unpublished and unofficial. I’m thinking I probably ought not to have mentioned this at all :face_with_symbols_over_mouth:; but I don’t think security risks should be censored. As long as you trust the source of the SmartApps you install, you have nothing to worry about!