I’d like to hear more of your thoughts on this (though this thread is now sufficiently hijacked - maybe @april can fix) - the 3rd party app you are referring to I think is SmartTiles and I would agree with you. SmartTiles - however great and cool it may be - is not written in such a way that it could pass our submission process and be published in the (nascent) SmartApps marketplace.
@Ben, could you elaborate at all on this? Could you explain what it is about SmartTiles that is a problem / weakness, if it’s obvious to you?
(And further to @bravenel…).
Definitely worth discussing the details, perhaps in a private area to help @625alex address the concerns.
And possibly the similar third-party broad access apps like @obycode’s Rules, etc.!
Spinoff Topic would be super appreciated! Please. Thanks!!!
My guess is that it’s because SmartTiles isn’t secure. It’s a strength from ease-of-use, but a weakness from a liability/security perspective. I thought about using it at my house, but then decided against because of its security weaknesses. If anyone gets the url, they are in. Period.
Don’t get me wrong - I think the app is AMAZING!!! It’s incredible. Again, period. It just depends on your needs.
But I wouldn’t think ST could put their official blessing on it with the security as it is.
For SmartTiles, if you leave off the "?access_token=4544-234fsadf-sd4f6sd54f" off the URL you would need to log into smartthings before the dashboard would show up.
I agree, and as @DarcRanger points out, all you have to do is leave off the access token for it to become relatively secure. So it would seem as though @625alex could address this, perhaps as an option with the default being “secure”. @Ben, would that be enough?
The short answer is we don’t give @625alex or any 3rd party developer access to certain parts of the platform that are required to do these sorts of apps efficiently and elegantly. Therefore this app makes unnecessary calls and taxes the system in ways that could be corrected with the right kinds of APIs and services available.
There are likely some security best practices that we would also recommend but I am mostly referring to the fact that, right now, in order to do some of these more “extreme” solutions people have to overload SmartApps to the point where they are being used in ways we never anticipated (which is sorta awesome - but also brings up things we should address)
That’s awesome information! Thank you!!
I guess that puts the monkey on your back then…
Thanks for the summary / quick answer, Ben…
Is there any way we the development Community can get more detail and thus be better prepared to:
- Avoid the inefficient / inelegant methodologies except where absolutely necessary?
- Develop a “Best Practices” guide for the stuff that you’ve seen in these “extreme” solutions, so as to mitigate the problem as much as possible? e.g., Security best practices that you mention in 2nd paragraph.
- Understand the potential consequences and remediation steps that SmartThings may have to take and how soon this may occur (i.e., are current @625alex’s SmartTiles fans in “danger” of losing the application)?
- Just wishful thinking, but: Are there any Platform enhancements on the road-map to address the concerns and still maximize functionality? Time frame?
This seems like a good point for @Jim and/or @unixbeast to jump in with some ideas. But not to put too much on those guys right now I will provide quick responses that will leave no one satisfied (in other words, my specialty).
- We are working towards documentation on this front
- Also underway
- I envision a world where developers can subscribe to any number of APIs as services so they don’t have to build so much of it themselves. I have not thought thru this enough to be articulate about it and so I want more time on this one.
- We’ve increased the capacity for our team (Developer Platform) a ton in the last couple months to address, in large part, the platform enhancements that we want to rollout. One of our team’s Q3 objectives is to share such a roadmap. Seems simple and shouldn’t take weeks but we’ve all seen what you guys do with promises and dates
That would be great!
Thanks for answering each of my points… except maybe you’ve misunderstood my Question #3.
I was specifically wondering if these “apps like SmartTiles” are in any danger of being banned due to the issues you presented and perhaps others. In other words, would you issue a warning, suggest minimum required improvements, and/or eventually outright block the offensive application(s)?
We want to collaborate with the developer community so any steps we would take to reduce the strain or security issues of 3rd party apps would be well communicated and preceded with interactions and potentially working sessions with the developer.
Thanks! I know @625alex and SmartTiles’ fans will appreciate that!
The Topic title is benign, but the nature and popularity of the app (and the few others with similar concerns), means that they are sometimes named as “bad examples” inevitably in conversations. “May not be publishable” is ambiguous, but, obviously, clarifying that is the exact purpose and value of this thread.
So appreciate pointing out the security issues, @ben! Is there any other alternative for us that you all suggest? ST mobile app on iOS at least is not an option for us as of now, with due respect, due to the reasons which has been reported to support several times. So, what do you all suggest we do meanwhile?
PS: I am serious about the alternative part. I have total respect for SmartTiles. I have it installed though don’t use it much. Probably the best thing that has happened in ST world at least to get things working bypassing the ST iOS app.
If you delete what you have now, and reinstall it with the truncated URL (without the ?access_token), then when you go to use the dashboard, it will prompt you for your ST credentials.
EDITED TO ADD:
So if someone rips off the URL, they would still need your credentials.
Sorry! My bad English! My post was meant to be total sarcasm on the ST iOS app dashboard. @625alex’s work is excellent and I would think that ST would work with him to get rid of any security concern as it is far more useful than the regular app dashboard.
My 2 cents I love the convenience but it does concern me. There needs to be a way these developers can issue a specific browser a token or cookie to stay logged on on that specific device.
Not a bad idea, though the risk of URL leakage over SSL isn’t that high, and the URL based tokens are easy enough to invalidate.
But, yes, I’ve been chatting with @625alex regarding Browser cookies.
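To make the two options discussed in this thread concrete (the URL carrying an access_token, which anyone holding the URL can use, versus a per-device cookie token that can be revoked), here is an added example. It is constructed for illustration and is not SmartTiles or SmartThings code; the store, function names, cookie name, token values and log lines are all assumptions.

```python
"""Constructed example (not SmartTiles or SmartThings code): the two ways a
dashboard can authenticate a browser, plus a check for tokens leaking via logs.
All names, token values and log lines below are assumptions."""
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store: device token -> device label (enables revocation)
_device_tokens: Dict[str, str] = {}


def find_url_token(url: str) -> Optional[str]:
    """Return an access_token carried in the URL's query string, if any.
    Such a token is the credential itself: whoever sees the URL (history,
    proxy logs, a shared screenshot) is in, exactly as the thread describes."""
    return parse_qs(urlsplit(url).query).get("access_token", [None])[0]


def issue_device_token(device_label: str) -> str:
    """Mint a random token for one device, intended for an HttpOnly cookie."""
    token = secrets.token_urlsafe(32)
    _device_tokens[token] = device_label
    return token


def revoke_device(device_label: str) -> int:
    """Invalidate every token issued to a device; returns how many were dropped."""
    doomed = [t for t, label in _device_tokens.items() if label == device_label]
    for t in doomed:
        del _device_tokens[t]
    return len(doomed)


def authorize(url: str, cookies: Dict[str, str]) -> str:
    """Classify how a dashboard request is authenticated:
    "url-token"      - bearer token in the URL (the weak, shareable form),
    "cookie"         - token bound to the device it was issued to,
    "login-required" - nothing usable, so send the user to the normal login."""
    if find_url_token(url) is not None:
        return "url-token"
    presented = cookies.get("dashboard_session", "").encode()
    if any(hmac.compare_digest(presented, t.encode()) for t in _device_tokens):
        return "cookie"
    return "login-required"


def urls_leaking_tokens(log_lines: List[str]) -> List[str]:
    """Detection side: access-log entries whose request path carries a token."""
    return [line for line in log_lines
            if any(f.startswith(("/", "http://", "https://")) and find_url_token(f)
                   for f in line.split())]
```

Running `urls_leaking_tokens` over a web server's access log is a quick way to see whether dashboard URLs with embedded tokens are being recorded, which is the leakage path the thread is weighing.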