SmartTiles v5.8: Deployed to Blue & Green Editions. Release notes, etc. (follow this Topic for updates...)

I’ve got it working with several clicks in between. I copied the URL with the wait on the end and after several attempts was able to create a shortcut that loads the launch page for two seconds then takes me to the IDE login page. After I login there it takes me to my dashboard.

I’m still not happy with this and my wife won’t even use any of the means of access. She has regressed to using switches! {gasp}

I really liked the way it worked before. I guess I will go and donate again to help speed up the next level to help @625alex fix more of Smartthings issues.

@slagle I appreciate the offer of assistance. I don’t think there is any further help you can offer unless you have a way to get the dashboard open with a single click.

2 Likes

Please don’t hesitate to reach out to me with any other concerns.

1 Like

I am on 5.8 blue na1 but my old dashboards still work. Not complaining, but curious why?

All existing v5.8.0 Dashboards will continue to function normally (unless a bug slipped in the changes made related to authorization or the new features like the Tools Tile…), until you use the Revoke Access Token function, after which the new SmartTiles Launcher (& SmartThings login process) must be used. We are not permitted to issue new Access Tokens.

Important to note: Version 5.8.1 will force revoke all remaining Access Tokens.

1 Like

We really appreciate your support… Thank you!

Be sure to take note of the red “STOP” button that appears on the Launcher if the &wait parameter is in the URL. Hopefully even with 1 second (maybe even 0?) users can hit STOP and then you have unlimited time to bookmark or add to Home / Desktop.

2 Likes

Let me see if I understand this. I’m mainly using the green version so this hasn’t hit me yet. But if we have a wall mounted iPad for smarttiles, even after the initial login, the sessions will expire. Does that mean having to login again daily? Weekly?

The session should renew itself indefinitely, as long as your device stays awake the whole time.

Thank you for your support, Michael. We really appreciate it!

@mcbay … Yup: This is the situation we need to better understand as users now are experiencing this new authorization process in the real world.

i.e., What type of “sleep mode” is typical of the “home control tablet” use case? How long do login sessions last after the tablet is no longer awake? The answer is likely “far too short”. :arrow_right: This is quite _different_ from the behavior of SmartThings’ own mobile App (which “never” times out), and thus _SmartTiles’s users face a significant inconvenience_ compared to SmartThings App users.

We realize that a tablet at home is considered “secure” for 80%+ of use cases and a login shouldn’t be mandatory. Of course, we have had feature requests for PIN lock, especially for Smart Home Monitor “disarm” function, and we also emphasized that tablet/phone PIN or Pattern (or Touch ID fingerprint) locking of the device was a good option. We also continue to say that everyone should use a lockscreen on their mobile devices; particularly since even the login session on SmartThings App never times out and the session cannot be revoked remotely without the assistance of SmartThings Support.


## The real reason for Tokenized-URL concerns: awareness(?)
We’ve been informed by SmartThings that security researchers found a number of valid, fully-tokenized, SmartTiles URLs voluntarily publicly disclosed (e.g., perhaps on forums, blogs, Facebook, Twitter, etc.). Some of these may have started out or been intended as a private share (e.g., “Hey sis, can you watch my webcams while I’m on vacation? Here’s my SmartTiles link.”).

(Since some users are well aware that SmartTiles tokenized URLs are limited in scope to a single dashboard and are easily revocable, some portion of this sharing was certainly on purpose, with the user fully aware of what they were sharing and the scope of the share.)

In most cases, unfortunately, the SmartTiles users were not consciously aware that they were giving out full access to their entire dashboard by sharing the full URL with “access_token” parameter, and would not have done so if they understood and gave it a second thought. In other words, such users would not have shared their SmartThings login email and password, but sharing a URL is not inherently or obviously analogous. If you share a link, Facebook turns the URL into its “Title”, and so it is easy to quickly forget that there is an access_token attached to that link.

So we are definitely not “shifting blame”, but it is not inaccurate to say: A relatively small number of publicly shared SmartTiles URLs are the primary reason we had to expedite disallowing the further use of access_tokens. :pensive:

2 Likes
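The post above describes how a tokenized dashboard URL leaks: the credential travels in the query string, so anything that stores or forwards the link (a bookmark, a chat message, a social-media post whose title hides the URL) forwards the token with it. The helper below is an added example, not SmartTiles or SmartThings code; it strips secret-bearing query parameters from a URL before it is shared and scans a draft post for such links. The parameter name `access_token` and the `wait` parameter come from this thread; the sample host and token value are constructed placeholders.

```javascript
// Added example (not SmartTiles or SmartThings code): redact credential-bearing
// query parameters from a URL before it leaves the device.

// Parameter names treated as secrets. "access_token" is the name discussed in
// the thread; extend the list for other services.
const SECRET_PARAMS = ["access_token"];

// Return a copy of rawUrl with the secret parameters removed, plus the list of
// what was stripped so a caller can warn the user before sharing.
function redactTokenizedUrl(rawUrl, secretParams = SECRET_PARAMS) {
  const url = new URL(rawUrl); // throws on a malformed or relative URL
  const removed = [];
  for (const name of secretParams) {
    if (url.searchParams.has(name)) {
      removed.push(name);
      url.searchParams.delete(name);
    }
  }
  return { url: url.toString(), removed };
}

// True when the URL carries no secret parameter and can be shared as-is.
function isSafeToShare(rawUrl, secretParams = SECRET_PARAMS) {
  return redactTokenizedUrl(rawUrl, secretParams).removed.length === 0;
}

// Scan free text (for example a draft forum post) and redact every absolute
// http(s) URL found in it. Text that does not parse as a URL is left as-is.
const URL_PATTERN = /https?:\/\/[^\s<>"')\]]+/g;

function redactUrlsInText(text, secretParams = SECRET_PARAMS) {
  let redactedUrls = 0;
  const cleaned = text.replace(URL_PATTERN, (match) => {
    try {
      const { url, removed } = redactTokenizedUrl(match, secretParams);
      if (removed.length === 0) return match;
      redactedUrls += 1;
      return url;
    } catch {
      return match; // not a parseable URL; leave it untouched
    }
  });
  return { text: cleaned, redactedUrls };
}

// Constructed sample: a dashboard link carrying a fake token and the &wait
// parameter mentioned in the thread. The host and token are placeholders.
const SAMPLE_URL =
  "https://dashboard.example.invalid/smartapp/ui?access_token=EXAMPLE-TOKEN-NOT-REAL&wait=2";

console.log(redactTokenizedUrl(SAMPLE_URL));
console.log("safe to share:", isSafeToShare(SAMPLE_URL));
console.log(redactUrlsInText("Here's my dashboard: " + SAMPLE_URL + " enjoy!"));
```

The `wait` parameter survives redaction because it only controls the launcher delay; removing the token is what turns the link from a credential into a plain address, and the `removed` list lets a sharing dialog tell the user what was stripped.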

Just to share a bit of my situation. I use smarttiles on my phone, my wife’s phone and a couple tablets at home. Having to log in will basically end its use for my wife. She may log in once, but after timing out it’s not something she will continually do.
I also have smartthings installed at my elderly parents’ house. It’s used as a basic security system, to automate lights and help check on them. I got smartthings for them as a security system because presence detection meant they never needed to bother with a keypad, and it’s been reliable for them. They have zero tech ability despite the fact they have iPhones and an iPad. All they do is make calls, use email and smarttiles. I set up everything for them. They don’t use the smartthings app, just smarttiles occasionally. They use smarttiles because it’s dead simple easy to use. Just push a bookmarked icon on iPhone or iPad and they then easily use smarttiles to turn off a light or silence an alarm the few times that something goes wrong. It’s easy enough that they can use it, which is what I love about it. Adding a log in basically makes it an extra step that they won’t be able to deal with. And for me I keep smarttiles on my phone for my house and theirs, easily jumping between the two. So for me and my very specific use case these changes are a major issue.
Regardless, you guys have done a great job with smarttiles and I wish you continued success. I’ll look towards version 6, and it hopefully having some easier solutions to my issues.

7 Likes

Have you tried the option of allowing your browser to save the login/password?

I don’t know how practical this is in every situation, which is why I’m asking and exploring.

It seems that if the user is redirected to the SmartThings Login Page, the browser will completely fill in the saved email & password and the user has to only click the “Log in” button… i.e., no typing is required. If the “&wait=2” parameter is used, then the dashboard may only be one extra click away from the Home screen icon?


What is making this more confusing for us and users is that I’m not 100% sure that the web browser automatically returns to this login screen if the login session expires. We direct users here if they hit “Logout” in the Tools Tile, but don’t have control of what happens at session expiration.

1 Like

It’s my security! I can leave my car unlocked in the parking lot if I want to! Grr.

2 Likes

I agree.

The difference, according to SmartThings and we can’t strongly disagree, is that the average user knows what a car key is and the implications of not locking their car, front door, or giving away copies of their keys.

They also, for the most part, understand the implications of giving away their user id / email / password combination (though may still use very poor passwords…).

But, apparently – and I think you have to agree? – they do not understand the implications of sharing a tokenized URL.

With V6, we are solving this using industry standard secure mechanisms (web session cookies and so on). V6 does not use tokenized URLs; but you will be able to use long-lived authenticated sessions (like gmail and many other services do; but banks do not).

In the meantime, I don’t know if there is any way to convince SmartThings to allow us to issue URL usable access_tokens for users ever again – even if we make them go through some explicit complicated process to acknowledge the risks…? Well – if it was made that complicated, then it wouldn’t serve the purpose of making it convenient anyway. :pensive:.

2 Likes

Unfortunately I don’t agree. First, I don’t think the average user is using SmartTiles. It’s not hard for most reading this, but it still takes some skill. We trust 16 year olds with car keys, I think adults programming their home should be expected to know this.

Mostly I believe that there are easier ways to solve this. Couldn’t we have put a one time pop-up warning “sticker” telling users this? Or force revoke tokens monthly by default in the app UNLESS in expert mode?

I make these points in the hope that @slagle @Ben @jody.albritton can convince ST to please balance security with common sense, otherwise the terrorists win.

If I post my vacation plans and dates on Facebook, I hope I am robbed because that is the ONLY way I’ll learn not to do those things. Companies not allowing people to make mistakes just keeps people ignorant. The more people expect security to be handled by others, the less responsible they are for their own security. I’ll stop now, just hoping ST finds reasonable compromises, and does not overreact like most companies do.

4 Likes

We are still hoping SmartThings considers more options for SmartTiles and its large number of users. But it is essential that SmartThings Customers directly express their opinions and requests because SmartTiles has no choice but to follow SmartThings’s SmartApp approval process, subject to limited room for negotiations.

And frankly, since SmartTiles has no revenue, we don’t have any resources to divert from V6 development to fight a battle on this now. V5.8 was a non-trivial amount of work with “arguable” benefits.

1 Like

I knew something like this was coming when I started seeing those stupid “SmartThings security issues” posts on here. Big ole fat thumbs down to the perpetuation. Let’s just spread panic and fear until we paint ourselves in a corner and end up with Wink’s bastard cousin Blink.

I have to admit ST’s hand was forced. They had to react to the vulnerability issue. Way to go hacker Bob out there…you ruined it for those uber smart lazy nerd thieves that are going to hack my SmartThings in the middle of the night to come in and search for Star Trek memorabilia and watch reruns of Big Bang Theory on my Fire TV.

…I’m sure the multitudes of windows they could break instead will deter them! I won’t know…I’ll be too busy trying to log in to whatever gets ruined next.

While we’re at it…go convert your car over to an old fashioned carburetor…or ride the trusty John Deere mower for nachos a la Beavis & Butthead…because hacker Bob is gonna get into your Toyota.

Yes…I know it’s cynical and over the top…but I’ll race ya on my mower if there’s any takers!

5 Likes

smoke/carbon monoxide detectors… please, thank you

2 Likes

Absolutely! Already built in SmartTiles V6. We are holding back on implementations of features for V5 as much as possible so that we can be “laser focused” (copyright - Alex Hawkinson, CEO SmartThings) on V6. Thanks for your patience and support. More news … soon.

4 Likes

Terry.

Love the ability to reconfigure tile order, etc. from the web app itself. I am old school. I loathe using the phone/tablet interface when I can use a real computer.

now… about security… :wink:

2 Likes