@mcbay … Yup: This is the situation we need to better understand as users now are experiencing this new authorization process in the real-world.
i.e., What type of “sleep mode” is typical of the “home control tablet” use case? How long do login sessions last after the tablet is no longer awake? The answer is likely “far too short”. This is quite _different_ than the behavior of SmartThings own mobile App (which “never” times out), and thus _SmartTiles’s users face a significant inconvenience_ compared to SmartThings App users.
We realize that a tablet at home is considered “secure” for 80%+ of use cases and a login shouldn’t be mandatory. Of course, we have had feature requests for PIN lock, especially for Smart Home Monitor “disarm” function, and we also emphasized that tablet/phone PIN or Pattern (or Touch ID fingerprint) locking of the device was a good option. We also continue to say that everyone should use a lockscreen on their mobile devices; particularly since even the login session on SmartThings App never times out and the session cannot be revoked remotely without the assistance of SmartThings Support.
## The real reason for Tokenized-URL concerns: awareness(?)
We’ve been informed by SmartThings that security researchers found a number of valid, fully-tokenized, SmartTiles URLs voluntarily publicly disclosed (e.g., perhaps on forums, blogs, Facebook, Twitter, etc.). Some of these may have started out or been intended as a private share (e.g., “Hey sis, can you watch my webcams while I’m on vacation? Here’s my SmartTiles link.”).
(Since some users are well-aware that SmartTiles tokenized URLs are limited in scope to a single dashboard and are easily revocable, some portion of this sharing was certainly on purpose, with the user fully aware of what they were sharing and the scope of the share.)
In most cases, unfortunately, the SmartTiles users were not consciously aware that they were giving out full access to their entire dashboard by sharing the full URL with the “access_token” parameter, and would not have done so if they understood and gave it a second thought. In other words, such users would not have shared their SmartThings login email and password, but sharing a URL is not inherently or obviously analogous. If you share a link, Facebook turns the URL into its “Title”, and so it is easy to quickly forget that there is an access_token attached to that link.
So we are definitely not “shifting blame”, but it is not inaccurate to say: A relatively small number of publicly shared SmartTiles URLs are the primary reason we had to expedite disallowing the further use of access_tokens.
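As an added illustration of the risk described above (example code, not SmartTiles or SmartThings code): a pre-share scrubber that finds URLs in a block of text and blanks any access_token they carry in the query string or fragment, so a dashboard link can be pasted into a post or message without also handing out the token. The hostnames and token values are constructed.

```javascript
// Added example, not SmartTiles/SmartThings code. Hostnames and token
// values used with it are constructed for illustration.

const SENSITIVE_PARAMS = ["access_token"];
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Redact sensitive parameters in one URL (query string and fragment).
// Returns the original string untouched when nothing needed redacting.
function redactTokenizedUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { url: rawUrl, redacted: false };
  }
  let redacted = false;
  for (const name of SENSITIVE_PARAMS) {
    if (url.searchParams.has(name)) {
      url.searchParams.set(name, "REDACTED");
      redacted = true;
    }
  }
  // Tokens are sometimes carried after '#' (fragment) instead of '?'.
  if (url.hash.length > 1) {
    const frag = new URLSearchParams(url.hash.slice(1));
    for (const name of SENSITIVE_PARAMS) {
      if (frag.has(name)) {
        frag.set(name, "REDACTED");
        url.hash = frag.toString();
        redacted = true;
      }
    }
  }
  return { url: redacted ? url.toString() : rawUrl, redacted };
}

// Scrub every URL in a block of text; returns the cleaned text and how many
// links actually carried a token (a count of 0 means the text is safe as-is).
function scrubText(text) {
  let count = 0;
  const cleaned = text.replace(URL_RE, (match) => {
    // Keep sentence punctuation that trails the link out of the URL itself.
    const parts = match.match(/^(.*?)([.,;:!?)]*)$/);
    const { url, redacted } = redactTokenizedUrl(parts[1]);
    if (redacted) count += 1;
    return url + parts[2];
  });
  return { text: cleaned, count };
}
```

Running the post text through `scrubText` before submitting it, and refusing to share when `count` is non-zero, is the kind of check a client could apply so that a “Hey sis, here’s my link” share never includes the live token.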