SmartThings Community

User-defined Access Control of SmartApps?


(amraoui) #1

OAuth-based authorization is an all-or-nothing approach that gives third-party Apps a constant access to user’s devices.

I want to implement an extra layer between ST API and third-party apps. After the App is granted permissions by the user (i.e., receiving OAuth token), this layer is responsible of enforcing extra constraints on what and when an App can access user devices, and allowing user to specify such restrictions that can be applied to all apps installed to his/her account.

However, ST is closed-source and I cannot implement such layer on ST platform itself. To overcome this, I want just to implement a poof-of-concept.

I want to develop the layer as a SmartApp that the user can install like any other app. This App needs to be trusted by the user and need be granted permissions to do its job (e.g., read details of all installed apps).
The other Apps installed for a given user account must route their API calls to the Access Control App. Upon receiving an API call, the AC App apply some AC rules and either reject the call or forward it to ST API. However, events dispatched from ST API to apps are not intercepted by the AC app.

The AC rules enforced by the AC app are specified by the user itself. For example, for all installed Apps, no App can access any device if Home Mode is Away.

So, how can I exactly implement the AC layer as a SmartApp (maybe in Node.js) and route API calls through it?

I know this will add some overhead to API calls, but I just want to give it a try and see how much it really costs.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

Aren’t you rehashing what we’ve already discussed in this thread below?

In other words, I believe I already argued pretty strongly that your idea is not feasible in any practical sense. I don’t understand your obsession with an idea that the industry isn’t interested in and won’t be for several more years.


(amraoui) #3

Thank you @tgauchat for your continuing help.

No, I’am just trying, here, to recapitulate answers and insights (especially yours) that I have got in my previous questions, to come up with a final idea.

No, I’m not looking for any industrial adoption of what I’am trying to do. I’am working on a project at university and I just want to show how current smart home platforms need to adopt more security mechanisms to give more confidence to their costumers, although my threat model is based on hypothetical scenarios.

So, I would like to implement a proof-of-concept prototype that works with ST platform to concrete the idea (described above) and evaluate it in terms of consistency and the additional overhead.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #4

The extra challenge with choosing SmartThings for this study is that the new SmartApp API is still immature and unproven.

You might save some overhead effort by sticking with the old API or using a different platform like OpenHAB, Home Assistant, Homey, or Hubitat (also new, but might choose to be enthusiastic about the concept).


(amraoui) #5

Actually, I was trying to make a security study on the old version of ST and I had some interesting ideas, and unfortunately, I was surprised, after a while, that a completely new platform has been developed using a different computing paradigm (executing apps on third-party servers instead of ST servers).

I was worried that the old version will soon be deprecated and, then, I will not be able to implement my idea. That’s why I switch my focus to the new API and, as you said, I really find it very challenging compared to the old one.

Have you an idea for how long the old ST will still be working, is there any information when it will be deprecated? I want to work on it but I still have this fear!

What are those things that encourage Samsung’s team not to deprecate their old platform, and what are those things that enforce them to look for a new paradigm? Are security problems among them (e.g., over-privilege problem stated before in a research study)?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #6

No.

No clue and likely there isn’t anything logical or they would just tell the developer community and we could respond accordingly.

Put simply - there are pretty obviously zero human resources attached to the current App and legacy API. Meanwhile, there is definitely progress being made on the new ones, but no announced timeline.


(amraoui) #7

Hi @tgauchat,

Could you tell me, please, what are other smart home platforms that use the same computing paradigm as Legacy ST platform (i.e., executing SmartApp on their proprietary servers)? is Hubitat among them?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #8

Hubitat runs the Groovy style SmartApps on the customer’s own hub. They use minimal cloud computing. They are the closest match to SmartThings at this time.


(amraoui) #9

I see… but what happens on the hub is under Hubitat control, i.e., SmartApps logic can be monitored?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #10

I don’t know. Visit their Community Forum.