SmartTiles v5.8: Deployed to Blue & Green Editions. Release notes, etc. (follow this Topic for updates...)

Continuing the discussion from SmartTiles Dashboard v5.7: Release March 2, 2016:

##We have posted an important Announcement regarding the release of SmartTiles v5.8…

We have be released SmartTiles v5.8 to Blue edition users this week. Here’s an outline of the changes to expect. Questions are welcome, but stay tuned to this Topic for more details and updates.

SmartTiles v5.8 was updated to the Green (“published”) edition on Tuesday June 21st, 2016.

(Below is a copy of most of the post from our website.)

SmartTiles now “Published”: What is the “Blue edition”?

• SmartTiles was officially “reviewed and published” by SmartThings in mid-April to prepare for the disablement of the shared OAuth install method.

• SmartTiles does not appear in the App “Marketplace” yet, but can be installed using SmartTiles.click/install

• Users who installed prior to publication are actually still running against the shared OAuth edition/stream. We changed the icon and added a “-Blue” suffix to the version number. Blue edition users will receive new versions (like this v5.8) up to 3 weeks ahead of other users. More details in this Post.

Command calls all verified against device Tiles’ Capabilities.

• In response to one of the concerns reported by security researchers, we made sure that only REST Endpoint calls (commands) which match the authorized Tile Capability type (e.g. lock/unlock, but not lock PIN code update…) are accepted by the SmartTiles SmartApp. In fact, only the Music Player Tile did not already have explicit command validation.

###WeatherStation Tile scheduled refresh re-enabled.

• Since the SmartThings Scheduler has been stabilized, we have re-enabled periodic refreshes of the SmartWeatherStation Tile. Users had reported that the Tile often showed stale information.

Addition of a Tools Tile for links to special functions.

• It is no longer necessary to manually modify your dashboard URL with “css” or “list” to get web browser access to the Customize CSS and** Arrange Tiles (Tile Order)** functions. We have added a new Tools “…” Tile that will pop-up a menu of these functions and more. It looks like this:

Password login sessions: Phasing out use of Access Tokens.

• Use of the access_token= parameter in the URL for SmartTiles dashboards has always been a great convenience that comes with a bit of security compromise.

• We emphasize that users should not use or bookmark a tokenized URL on insecure devices. While folks avoid sending passwords in email, it is nearly as important to avoid sending tokenized URLs. We also remind users that they can invoke the “Revoke Access Token” function from the dashboard configuration Preferences / Security page in the SmartThings App at anytime, and users can also choose to leave off the access_token from their URLs to force require an SmartThings login.

• Out of an abundance of caution, particularly due to the recent extra attention and response to SmartThings security researchers, we decided it is best to completely phase out the ability to use OAuth access tokens with SmartTiles. Existing tokens will be automatically invalidated (revoked) within as little as a few days after the release of v5.8. We have worked closely with SmartThings (thanks, @slagle @jody.albritton!) to come up with the most practical alternative way to authenticate dashboard access. Our options were limited by the SmartThings platform and the design of SmartTiles V5.

• Instead of the access_token based URL, dashboards will be given a new format of URL that will automatically redirect through a SmartThings IDE Login webpage. Any userid (email) + password linked to the same Account as your Dashboard will be valid – i.e., any login that is valid for the SmartThings native mobile App.

• The unfortunate consequence of the elimination of access_token support is that you will no longer be able to share a dashboard without also creating or sharing a “Managed Account User”; i.e., an email and password. You may consider using a password manager (such as those built into your browser or an add-on like LastPass) to help make this a little less inconvenient.

• The login session will remain active: (a) until you Logout (using the Tools Tile shown above), (b) until the browser exits, or © until the session times-out due to inactivity. We have no control over the longevity of login sessions and apologize for the burden this may impose. (SmartTiles V6 will have an independent external login mechanism with configurable extended login durations and secure login cookies, etc… We’re excited to provide these convenient features - and much, much more - in a few months!)

• Please note that the login session for a SmartTiles Dashboard will have full IDE/API access (i.e., full “logged-in” permission to access everything under http://graph.api.smartthings.com or your equivalent shard. This is an ironic increase in permissions that we have made SmartThings (@slagle @dlieberman) aware of. Granular security by individual users on an Account is a long outstanding feature that we hope comes to SmartThings soon; in the meantime, we have built this function into SmartTiles V6.

• Users will have to update their URLs, bookmarks, home screen and/or desktop shortcuts accordingly. The URL for the SmartTiles Launcher with parameters for your Dashboard will be provided in the usual way from within the View Dashboard and URL page in the SmartTiles SmartApp configuration and on the new Tools Tile as shown above.

• The SmartTiles Launcher URL will look similar to this. This will be the new page that you bookmark, pin, or share…

http://smarttiles.me/?app=5750ff0d-cff6-42a5-af70-33b2cc34b6f5&shard=na01&label=Kitchen

@625alex and I thank-you for your continued support and love of SmartTiles!!!

To get the latest SmartTiles News alerts (like this one), add the news feed to your favorite RSS tracker/reader!

If you don’t have a favorite RSS reader; click this direct link to the use the free feedly service.

Ouch on the login impact. But thanks for the security and time spent.

Our dash powers up via outlet turned on by motion when we walk into the kitchen. Then Tasker loads Android Web View with dashboard url and no borders after screen wakes, then tears down when no motion turns off the outlet and screen goes dark. I’m thinking should be easy to add a login step in Tasker before calling the url.

I appreciate the attention to security (as a security professional myself). Chances are Glimpse which I use as an iOS widget to display my Smarttiles won’t work any longer as it doesn’t allow you to enter in data, only a url, but I will test when 5.8 is released. Anyway, I can certainly understand why this change was made.

What if I don’t want the extra security that comes with the login inconvenience?

Since this is going to be a published app sanctioned by ST, I highly doubt ST would allow it any other way. However, I am not the expert.

Well…, for better or worse, as @Mbhforum guessed, SmartThings won’t allow certain possibly risky practices to continue, even if users are fully informed of the exact risks and compromises involved.

We are in goal alignment to be constantly vigilant and steadily reduce vulnerabilities, and we are grateful that SmartThings (@slagle @jody.albritton @dlieberman) are providing continuous transitional options and assistance.

@625alex and I are definitely aware this particular implementation is not an optimal solution, but it is temporary; SmartTiles V6 will restore (and add) a lot of convenience in a way that we are confident will pass the SmartThings vetting process, as well as “white-hat” vulnerability testing.

I play the balancing act 9-5 and it’s not a fun job sometimes as I often have to make or influence decisions either way.

I can’t see how you have a choice here. Every time I’m on hotel wifi I struggle to remember which geek stuff I shouldn’t use. People forget warnings and companies or developers take the wrap.

Those who are willing to sacrifice security for convenience deserve neither security, nor convenience.

Nice quote, appropriate for that time, but not these days. I don’t walk out of my house in medieval armor or with musket in hand. Our world is full of over-reaction, and I hate to see products ruined by lawsuits and even worse, fear of lawsuits. If someone wants to play with my lights, power to them, won’t bother me much. But hearing the moaning from my family about having to sign in will be unbearable. Lawyers and scare mongers are why we can’t have nice things.

I can totally appreciate what you have to do, even if I don’t like it. Keep it up, love the product even if you have to remove some of the shine.

Thank you for the update and for addressing these security concerns.

Quick questions…how many instances of the SA are allowed to be created?

You might find it acceptable to turn on “Save Passwords” for the affected but otherwise secure browsers.

Actually, that’s not a quote. I’ve totally made it up.

Only 2 instances of “SmartTiles (Connect)” are possible at this time (actually, only 1 unless you already have the Blue shared OAuth edition installed).

You can create 5 Dashboards under (Connect). This is a limitation we implemented to help avoid rumored server load impact. SmartTiles V6 will not have this limitation, we hope, provided scaling testing goes well.

Thought you were updating a famous Ben Franklin quote, goes something like: Those who give up liberty to purchase safety deserve neither liberty nor safety…

And by golly, Ben is on my side! The quote is reversed. I think this is where I drop the mic…

Yup… Which is, ironically, the exact opposite sentiment that @geko’s quote expressed.

You got it. I just flipped the coin. Like @bridaus said, the original quote was appropriate for that time, but not these days.

Awesome! Thanks…I can’t wait for no limits.

I think that these upcoming security measures are the modern-day equivalent of medieval armor and musket.

After all, as you so deftly pointed out - in real life, there be things lurking outside that are much scarier than Grues and White Walkers.