Why some SmartApps may not be publishable

Wouldn’t it make more sense to open these “certain parts of the platform” to all developers instead of making us jump through all sorts of hoops in order to build really awesome apps like SmartTiles and not just boring if-this-then-that “apps” that really should be handled by a built-in rules engine, which by the way is a standard feature of both Wink and Staples Connect, both of which are supposedly “so much inferior” to the SmartThings?

1 Like

Quite a long and loaded sentence, Geko! It makes it unfortunately difficult to give a simple yes, no, or Like.

A lot of “missing” SmartThings features are confounding (simple rules engine being a particularly good example, though we’ve been told it’s on the way, so let’s just say SmartThings prioritized the SmartApp engine instead?).

The “certain parts of the platform” (i.e., API) limitations are less of a black & white example. From the outside, it does seem that only a few tweaks to the architecture could improve the flexibility of the Platform. But besides acknowledging that ST has undeniable Customer-facing priorities, we also know that what seem like small tweaks can and do have huge risks.

I wish it weren’t the case. I personally have presumed that evaluating, defining, and adding new official Device Type “Capabilities” would not be difficult and should be isolated impact, and therefore high benefit:cost ratio. But that’s a completely speculative presumption. There are several variables in my equation, any or all of which could be very wrong.

Wow, that conversation really sidetracked… And what a condemning title!?

@brianjlambert expressed concerns about SmartThings security and somehow it degraded into discussing why SmartTiles may not be publishable…

@brianjlambert
Let me begin by saying something unexpected: you don’t have to use SmartTiles, third party apps or SmartThings. For complete security, don’t use credit cards. Internet. Eat sushi.

I cannot speak for other third party apps, but SmartTiles addresses some of your valid concerns. Check out the documentation here: Loading...

  • If you want secure access with a password, you may choose to omit access token from the dashboard URL. Simply delete access_token=abc-123-xyz portion of the URL. You will be prompted to login with your SmartThings account.
  • If you need to revoke access to a dashboard, you can reset access_token via the SmartApp preferences. Go to SmartThings Mobile App > SmartThings Labs > tap the instance you want to change > Preferences > Access and Authentication.
  • You may choose to temporarily disable a dashboard, or put it into read only mode by choosing appropriate setting at SmartThings Mobile App > SmartThings Labs > tap the instance you want to change > Preferences > Access and Authentication.

SmartTiles should be treated with the same care as any other sensitive confidential information, just like a wallet full of credit cards and IDs. What happens if you lose your phone with an active SmartThings session? At least with SmartTiles you don’t have access to credentials, configuration and your location coordinates.

I’m not claiming that SmartTiles is invulnerable, if someone wants to pitch in and make it better, please be my guest. This is an open source project. (For the record, only 3 people have contributed code.)

Why did this even come up?

@johnwest80 see comment above.
The #1 priority of SmartTiles was accessibility. My goal was for anyone with no technical skills to be able to install the app in 30 seconds. If SmartThings API actually fully supported Android, the installation time could be cut in half.

SmartTiles is not for everyone. But it is, for example, for somebody who wants to create a temporary, virtual key in case of emergency.

You don’t need to share the URL if you don’t want to. Add a shortcut to the desktop of your daughter’s phone and she will never have the URL to share with her boyfriend. If you don’t want to see your ex anymore, just revoke the access token and avoid an awkward conversation. If your housekeeper quits, she does not have to return the key.

SmartThings gave me a sledgehammer and duct tape to build SmartTiles. Give me more to work with and I will use it to create something more… refined.

Considering the lack of access to certain APIs and services, I think these calls are quite necessary. If there is another, less system taxing, way of doing what I’m doing please let me know.

“Extreme Solutions”, I like that!

I would welcome that! I’m always open for discussion.

8 Likes

Whoa. I am so late to this and I apologize. I got caught up in work.

I think I may have caused a meltdown here! I’m sorry, @625alex

First, let’s be clear here. I am a SmartTiles lover. Here’s where I had some hesitation: I used a URL shortener to make my SmartTiles easier to use. I then realized that anyone who got my shortened URL essentially could manipulate anything in my house I had connected to SmartTiles. I understood the risk and continued to use it. Furthermore, I disconnected my thermostat from SmartTiles, because that was too mission critical to leave open like that.

I am glad this discussion is going on. We need to have ways to secure our homes. This is important, and I think it’s something Apple has put a lot of thought into when creating HomeKit. However, this can completely cripple a platform and I absolutely do not want that!

Anyway, thank you guys for taking this matter seriously and having an open discussion about it.

1 Like
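The two points raised above, deleting access_token from the dashboard URL and the risk of handing a token-bearing URL to a shortener, can be checked mechanically before a link is shared. This is an added example, not part of any post or of SmartTiles itself; the host dashboard.example, the helper names and the token values are assumptions made for illustration.

```javascript
// Added example: the access_token parameter name is from the thread; the
// host, paths and token values are constructed for illustration.
const TOKEN_PARAM = 'access_token';

// Remove every access_token entry (any letter case) from a parameter list,
// collecting the values that were present.
function stripFrom(params, found) {
  for (const [key, value] of [...params]) {
    if (key.toLowerCase() === TOKEN_PARAM) {
      found.push(value);
      params.delete(key);
    }
  }
}

// Split a dashboard link into its token-free form (which falls back to the
// account login prompt) and the token(s) it carried in query or #fragment.
function splitToken(rawUrl) {
  const url = new URL(rawUrl);
  const found = [];
  stripFrom(url.searchParams, found);
  const queryHits = found.length;
  const frag = new URLSearchParams(url.hash.slice(1));
  stripFrom(frag, found);
  if (found.length > queryHits) url.hash = frag.toString();
  return { safeUrl: url.href, tokens: found };
}

// A link is safe to shorten, post or bookmark only if it carries no token.
function safeToShare(rawUrl) {
  return splitToken(rawUrl).tokens.length === 0;
}

// Rewrite token-bearing links inside free text (chat message, log line).
function redactLinks(text) {
  return text.replace(/https?:\/\/[^\s<>"']+/g, (link) => {
    try {
      const { safeUrl, tokens } = splitToken(link);
      return tokens.length ? safeUrl : link;
    } catch {
      return link; // not parseable as a URL, leave it untouched
    }
  });
}

// Constructed sample input.
const sample = 'Dashboard: https://dashboard.example/ui?access_token=abc-123-xyz&theme=dark';
console.log(redactLinks(sample));
```

Any token that `splitToken` reports for a link that has already been shortened or posted should be treated as disclosed and reset through the SmartApp preferences described earlier in the thread.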

I guess one of the most troublesome aspects of the apps like SmartTiles as far as SmartThings is concerned is that they have to rely on polling to emulate real-time status updates. Surely, it’s inefficient and unnecessarily increases server load. That’s why WebSockets, CoAP and MQTT were invented. These protocols have been used successfully by less glamorous IoT platforms. Any chance SmartThings will deploy one of those and become a true IoT platform some day?

2 Likes
1 Like

I understand the issue, but wonder if this suggested method is a viable and practical solution or … not?

In my very limited understanding, the referenced “event push method” is viable, but must have some serious practicality issues? Does it require an intermediary server, or can AJAX (?) in the browser handle it, etc…, etc…?

The existing framework requires either background polling (e.g. using AJAX) or an external server to push status updates to. SmartTiles uses polling, AFAIK, while @florianz’s HAD (and a few other projects) use an external server. Both methods are cumbersome and inefficient, but this is all SmartThings can offer today.

1 Like

In the current incarnation SmartThings can push events to a singular location. With some hacking you could make it push events to multiple locations, but it would not be a true push to the browser. What needs to happen is what others have mentioned. SmartThings needs some sort of pub/sub api for developers.

Want to build a real time SmartApp that shows a graph which updates every time a new event happens? You need to use a third party service like GroveStreams, ThingSpeak, or ThingLayer. None of these solutions are optimal or take 30 seconds to get going. Especially if you are less than technically inclined.

We really need real-time pub/sub like mqtt, websockets, etc. This would open up a whole new world of SmartApps that would not only ease the flow of data to the end user, but in fact bring more data into SmartThings.

Another thing that would make SmartApp development more accessible would be to allow the use of sane javascript and html5 web components. This would allow a SmartApp to become a true real-time client to its own endpoint api.

TLDR;

Polling is less than optimal. We need more real time access to the SmartThings APIs.

5 Likes

Astute observation (among many underrated intrinsic SmartTiles features you touch upon!)…

The SmartThings mobile App doesn’t even have a session timeout / expiration option to the user, nor a way to revoke login credentials remotely… Correct me if I’m wrong!?

Frankly, I don’t think it would be wrong to bet that additional enhanced security features (such as credential expiration or even two-factor authentication!) could be fully added to SmartTiles long before such feature requests would even receive “serious consideration” for implementation in the native ST mobile app. Such is the advantage of an agile open source alternative with a significantly smaller user base to impact.

I was wrong. I hadn’t delved into the security aspects of SmartTiles. I am going to use it now that I know I can just remove the access token! Thanks for clarification, and apologies for my being an idiot and not knowing what I was talking about :)!

The only further suggestion I might have, then, is to have an option to not create an access token.

1 Like

@florianz and his Home Automation Dashboard address the polling through an, albeit convoluted, install/config process, especially for those not so technically inclined.

Recently though, @zpriddy has ported it to python instead of rails and now it can be run locally, within your own network, with a local IP. I guess to be fair, this could have been done in the original version as well, but possibly more involved.

1 Like

Running the server locally kind of defeats the purpose of the cloud-based system. Also, it would require punching a hole in the firewall to receive updates from ST cloud, unless a hub command is used for that purpose, which would also be a kludge, imho.

Everyone just has to be so negative in this thread, heh. You don’t have to run it locally, but that addresses security concerns people are having with external URLs, token or not. The original version had a completely “cloud” based install, which still works 100% fine. It also eliminates polling and has near instant updates. A couple people in the thread have it running on a Raspberry PI, which at least to me, doesn’t make it much different than any other smart device on your ST network. Meaning, small, lower power device, given a task. Anyway, aren’t we the same people that complained about everything being cloud anyway and demanded a V2 hub with local processing?

It does not require any open ports to function either.

The only downside is its complexity as it can be a little too difficult for the average Joe, but there is a lot of documentation in the thread and I’m not aware of anyone that actually failed the installation and gave up.

2 Likes

Of course all of these issues would be 100% solvable IF the hub was able to be queried locally for device status and local device changes.

I was really hoping for this to be a feature in Hub v2, but based on what I am hearing in the Hub v2 architecture, the hub may not have any real way to query the local hub without a cloud roundtrip and even send device commands locally all of these security issues go away.

Especially if SmartApps could be accessible locally since they can run locally. You could only allow local connections.

Anyway, I can dream… I only brought up this idea over a year ago. Would be nice to see if any progress or even answers exist as to if we will be able to query the hub locally or do we have to roundtrip a query to the cloud for a local device?

It’s not negativism, it’s realism. :slight_smile: There’s a lot of cool things you can do running a local server. Heck, you don’t even need SmartThings hub and can connect your Zigbee and ZWave devices to Raspberry Pi directly, but that’s not a task for an “average Joe”. SmartThings is supposed to be a plug-and-play, easy-to-use system that your grandma could set up, isn’t it?

One would think that SmartThings should embrace an app like SmartTiles that addresses a lot of shortcomings of their native mobile app, rather than brand it “unpublishable”.

1 Like

Yeah, I do agree with this. Hard to disagree really. The use of the word “unpublishable” was probably an unfortunate choice of wordsmithing and I’m sure it wasn’t meant to be taken so negatively.

He actually said, as the title of this thread, may not be publishable, which is quite different than saying it’s unpublishable!

I agree, I have never thought ST was intended for ease of use, for everyday consumer to install easily, and certainly not for grandma! Heck, the reason I bought it was because it offers an open development platform. Maybe if all you wanted were a few outlets to control a few lamps, it could be at that level of novice entry use. But that’s not the intent.

Said all pessimists ever.

As others have pointed out, you can load the title with whatever feelings you want. I never said it was unpublishable and I wasn’t directing this whole conversation to @625alex or SmartTiles. I am actually quite surprised how defensive the thread has become. I thought I was pretty clear that SmartThings recognizes the shortcomings of our current developer offerings and wants them to get better — to provide better tools and services to developers so they can make elegant and efficient solutions.

Also, @geko I thought you switched to Wink or Staples or something. Don’t they have a community somewhere? :smiling_imp:

6 Likes

I’m sorry your words were misunderstood, but I’m not the only one who interpreted them this way. Good to know you’re listening to our concerns.

Also, @geko I thought you switched to Wink or Staples or something.

Do you read all my posts, seriously? Anyway, glad to have you as my fan. :smiling_imp:

I’ve ended up with both Wink and Staples set up as secondary controllers. None of the platforms is perfect and it never hurts to have a backup considering occasional ST flakiness.