TheEndless
10 years ago
Roku Guru
"roquoonewbie" wrote: "TheEndless" wrote:
I'll take a stab/guess at that... since private channels aren't reviewed by Roku, it's possible someone could develop a malicious channel (e.g., a fake Netflix or Amazon channel with the sole purpose of capturing usernames and passwords... or worse). Allowing a user to install those channels easily via a screen that makes it look like it's officially available in the channel store could lead to very bad things, for both unsuspecting users and Roku.
If such a malicious channel existed, and an attacker had gained access to the victim's PC (or other device), couldn't they just as easily launch the user's browser to the add channel screen there (e.g., https://owner.roku.com/Add/ACETV)? I.e., whether the malicious code launched the Add Channel screen on the Roku/TV, or launched the Add Channel screen on the PC/browser, the risk is the same as far as I can tell. I don't see how launching the channel store screen poses any more of a risk. In both cases, the attacker has to first gain access to run code on a device on the user's network, present an Add Channel option to the victim, and get the victim to agree to do so.
Your example is more malicious than the one I suggested, which was more of a phishing attempt. But to answer your question, your use-case above where a mobile app is used to install private channels directly on the device could very easily be used to do the same, so the app is already running on the user's network. How can you be sure that every private channel installable via that app can be trusted? You and I are likely much more diligent in reviewing apps before we install them, but there's a large user population out there that isn't. Presenting the channel to the user via a channel store screen gives that user the impression that it's an official public channel, as there's nothing on the screen or during the install process that indicates otherwise. Presumably, your desire to have the feature available to you is for completely legitimate reasons, but that doesn't mean Joe Hacker won't use it more nefariously, and it only takes one bad apple...