Forum Discussion

roquoonewbie (10 years ago)

Firmware 7.0 Introduces ECP launch command bug

Prior to updating to firmware 7.0, it was possible to use the ECP launch command to open the channel store to the channel page of a specific *private* channel. For example, this command would launch the device to a channel store screen showing the channel's description and star rating, with an option to "Add Channel":

$ curl -d '' 'http://192.168.1.134:8060/launch/11?contentID=54321'

However, it now does nothing after the firmware update. I have observed that this command still works for public channels in 7.0. But no longer for private channels. I see nothing in the documentation that indicates this was an intentional change, so I presume it to be a bug. Can Roku confirm it was unintended and will be fixed?

The current ECP guide still mentions this specific example also:

http://sdkdocs.roku.com/display/sdkdoc/ ... trol+Guide

6. The following command will launch the channel store app (11) on the box with a contentID equal to 14 (the MLB app).
$ curl -d '' 'http://192.168.1.134:8060/launch/11?contentID=14'
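The following is an added example, not code from the post or from Roku: a small Python helper that builds the same `/launch/11?contentID=...` request the curl lines above send (a POST with an empty body, which is what `curl -d ''` produces), URL-encodes the `contentID` value so it cannot carry extra query parameters, and resolves the Channel Store app id from a `/query/apps` response instead of hard-coding `11`. It assumes ECP listens on TCP 8060 and that `/query/apps` returns `<apps><app id="...">name</app></apps>`; the XML sample in the block is constructed for the example, not captured from a device. Note that ECP takes no authentication, so anything that can reach the device on the LAN can send these requests, which is the point the replies below argue about.

```python
"""Build, inspect and (optionally) send Roku ECP 'launch' requests.

Added example for the thread above; not code from the post or from Roku.
Assumptions (labelled): ECP on TCP 8060, /launch/<appId> accepts an empty-body
POST, /query/apps returns <apps><app id="...">name</app></apps>.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

ECP_PORT = 8060               # assumed ECP port, as used in the post's curl lines
CHANNEL_STORE_APP_ID = "11"   # app id the post uses for the Channel Store


def build_launch_url(host: str, app_id: str, content_id: Optional[str] = None) -> str:
    """Return http://<host>:8060/launch/<app_id>[?contentID=<encoded>]."""
    path = f"/launch/{urllib.parse.quote(str(app_id), safe='')}"
    if content_id is None:
        return f"http://{host}:{ECP_PORT}{path}"
    # urlencode() percent-encodes '&' and '=' so a contentID value cannot
    # smuggle a second parameter into the query string.
    query = urllib.parse.urlencode({"contentID": str(content_id)})
    return f"http://{host}:{ECP_PORT}{path}?{query}"


def parse_apps(xml_text: str) -> Dict[str, str]:
    """Map app id -> app name from a /query/apps style response (assumed format)."""
    root = ET.fromstring(xml_text)
    return {app.get("id", ""): (app.text or "").strip() for app in root.iter("app")}


def find_app_id(apps: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of an app id by its display name."""
    for app_id, app_name in apps.items():
        if app_name.lower() == name.lower():
            return app_id
    return None


def launch(host: str, app_id: str, content_id: Optional[str] = None, timeout: float = 5.0) -> int:
    """POST the launch command with an empty body (like `curl -d ''`); return HTTP status."""
    req = urllib.request.Request(build_launch_url(host, app_id, content_id), data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # e.g. 404 when the app id is unknown on this device


# Constructed sample of a /query/apps reply; not captured from a real device.
SAMPLE_QUERY_APPS = """<apps>
  <app id="11" type="appl" version="1.0.0">Roku Channel Store</app>
  <app id="12" type="appl" version="4.2.1">Netflix</app>
</apps>"""


if __name__ == "__main__":
    apps = parse_apps(SAMPLE_QUERY_APPS)
    store_id = find_app_id(apps, "Roku Channel Store") or CHANNEL_STORE_APP_ID
    # Dry run: print the request that would be sent for the post's private channel.
    print(build_launch_url("192.168.1.134", store_id, "54321"))
    # To actually send it (needs a Roku on the LAN):
    # print(launch("192.168.1.134", store_id, "54321"))
```

The `launch()` call is only reachable behind the commented line, so the block runs offline; on a device it returns the HTTP status, which is all ECP gives back (success or failure of the launch itself shows on the TV, not in the response).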

28 Replies

  • "EnTerr" wrote:
    In this case he ummm, "embellished the truth" by conjecturing that showing info screen on a channel somehow places it in the official Channel Store context.

    Less tech savvy users, arguably the larger percentage of the Roku population, could very easily be fooled by that, since there's no way to get to a channel details screen on the Roku aside from going through the channel store. I didn't even realize it was possible to point the channel store to a private channel like that, so it's even possible I'd fall for it.
    Are there ways to prevent that while keeping the functionality? Of course there are, but that's not what was being discussed. I was just offering a suggestion, as you did as well, as to why Roku may have decided it was a security risk.

    "roquoonewbie" wrote:
    Only a malicious ECP could/would covertly launch the channel store screen for a private channel the user had not expressed any interest in installing.

    That's my whole point. It sounds like maybe you think I'm accusing you of wanting to exploit it that way, which is about as far from my intent as you can get. The fact that a malicious ECP app (not yours!) could do it is exactly why it could be considered a security risk.
    "roquoonewbie" wrote:
    And again, if it could do that, it could equally launch the web browser to the add channel page as well...which looks just as "official" as the channel store screen.

    There's a major difference there in that you have to be logged into the Roku website to add a channel via the web browser, and automating the install approval process in the web browser is much more involved than just sending a few remote commands via ECP.

    Look, I get that you and EnTerr have a vested interest in having this functionality, and I'd likely be just as upset if I were using it and it suddenly disappeared. Labeling me a Roku fan-boy/Roku apologist, however, doesn't diminish the validity of any of the points I've made. With that, I'm done with the conversation, and hopefully Roku will come along and clarify why they decided it required a "security fix" and possibly even be open to addressing it a little less aggressively than just killing it altogether as they have done.
  • TheEndless... I'm not accusing you of being a fan-boy at all. Just engaging in a healthy debate. You've made some reasonable points, but ultimately I don't think they pan out. The reason I stated that my ECP could not install such a malicious channel is because you implied that it could when you said "Your perfectly harmless ECP app could unknowingly allow the install of such a malicious channel." I was just pointing out that it could not happen with harmless ECPs. Only malicious ECPs would ever install such a channel (i.e., it would never be by accident).

    "TheEndless" wrote:
    There's a major difference there in that you have to be logged into the Roku website to add a channel via the web browser, and automating the install approval process in the web browser is much more involved than just sending a few remote commands via ECP.

    I still don't think there is much difference (security-wise) between the website add channel page, and the Roku store add channel screen. Both have the option of turning on or off authentication. With the website, you have the option to "Remember Me", which means no login would be required for malicious software to force an install of the malicious channel via the browser. From there, it is in fact just a matter of submitting a few key strokes to add the channel to the user's account. And conversely, the Roku Channel store would require a PIN if the user chose to have it there. In both cases, the user can choose to turn on or off authentication in order to add a channel. So again, I don't see how this poses an additional security risk beyond what already exists via the web.

    But it really does come down to what Roku says. They asked to provide a business case for needing this. I have provided one above. I would also pose the opposite question to Roku...what is the business case of providing it for a public channel? And why does that same case not apply to private channels?
  • Can Roku reply here given that I provided the business case for preserving this years old capability? Also, some insight into what the security risk is?
  • "RokuJoel" wrote:
    This is a security fix. You should not be able to install private channels via the ECP. If there is some business case for doing this let me know.

    I already pointed out one use case of invoking the channel details (app info) screen viewtopic.php?f=34&t=90823#p510598 . That is broken now for some tens of thousands of installs of the app.

    Here is another use case for invoking the channel info screen - on a much smaller scale, but perhaps this one will hit closer to home, given that once upon a time you (RokuJoel) were developing Roku apps outside RokuCo's citadel - which is the situation I and most developers are in.

    So, what use do I have for the app details screen?
    I use a private channel's details screen to prepare a public channel for publishing. In particular, checking if the channel description fits the details screen or gets truncated (there is no other way to do that. NONE whatsoever!). Verifying that the screenshots and posters will display well when published in the Channel Store. Double-checking that the (web store) metadata has the correct version number.

    How do I do that? Well, the app details screen is available only for published channels - but I want to see it before submitting the "public" channel for review. Sounds like Catch-22? "Private" channel to the rescue - it has been advocated before as good practice by the old salts for beta testing and I have embraced the practice. I create a private "beta" channel and a public "release" candidate and populate their properties in the same way (copy & paste) - except: name and vanity code (which must be different), as well as poster image (which I change so I can tell the 2 channels apart on the player home screen). I even use the same bundle/package, i.e. no different build for the "public" channel, but instead copy the already tested app build from the beta/private channel to the public candidate.

    So, back to our ECP app details screen. After populating the channel properties and publishing the private channel, to verify how the result may look one day in the Channel Store, I'd do:
    $ curl -i -d "" http://192.168.1.28:8060/launch/11?ContentID=75561
    and get this on the TV screen:

    And from this screen I can check the description, version, poster and screenshots - and correct them as needed.

    But now... now this has stopped working in fw 7 and there is no alternative to it! I took one of my players offline to keep it on fw 6, but that's not sustainable; sooner or later it will (have to) update.
  • We are working on addressing this issue, hopefully in the near future.

    - Joel
  • Bless RokuCo's heart, this issue seems to be fixed in rOS 7.1 !

    My RokuTV got infected with 7.1 around noon Wednesday, while my proper boxes remain immune despite my best efforts (dang staggered release hash function!). So on that one 7.1 device I notice the ability to summon the details screen via ECP has been restored (i.e. it works for already installed channels too, as well as private ones). The two specific cases I cared about are working again. What a pleasant surprise!
  • Just want to say "thank you!" again to those who helped to restore this feature -

    and to show another real-life use case I had almost a month ago:

    Basically the app was broken (due to a 3rd party), a fix was submitted for review/publication - but in the meantime I was able to use my "outage notification" routine to show an explanation and offer the most impatient ones the option to try the private/beta.

    The neat thing I noticed: now adding a private channel from the player asks the user to type a pseudo-random PIN, i.e. the install is "human-assisted" and can't be done by a blind script.