Roku Developer Program

Developers and content creators—a complete solution for growing an audience directly.
roquoonewbie
Level 7

Re: Firmware 7.0 Introduces ECP launch command bug

"TheEndless" wrote:
"roquoonewbie" wrote:
You were saying that could be done by abusing the ECP launched channel store page. That can only be done if there is malicious software already running on the network.

Not necessarily. Your perfectly harmless ECP app could unknowingly allow the install of such a malicious channel. Have you reviewed the code of every private channel that your app installs? There's no way for you to know if a developer has hidden something in their channel that looks completely innocuous on the surface.


My perfectly harmless ECP (or any of the examples I provided above) could not unknowingly install such a malicious channel. An ECP app typically only installs its own companion app. And only does so when a user requests it. Only a malicious ECP could/would covertly launch the channel store screen for a private channel the user had not expressed any interest in installing. And again, if it could do that, it could equally launch the web browser to the add channel page as well...which looks just as "official" as the channel store screen.
0 Kudos
TheEndless
Level 7

Re: Firmware 7.0 Introduces ECP launch command bug

"EnTerr" wrote:
In this case he ummm, "embellished the truth" by conjecturing that showing info screen on a channel somehow places it in the official Channel Store context.

Less tech savvy users, arguably the larger percentage of the Roku population, could very easily be fooled by that, since there's no way to get to a channel details screen on the Roku aside from going through the channel store. I didn't even realize it was possible to point the channel store to a private channel like that, so it's even possible I'd fall for it.
Are there ways to prevent that while keeping the functionality? Of course there are, but that's not what was being discussed. I was just offering a suggestion, as you did as well, as to why Roku may have decided it was a security risk.

"roquoonewbie" wrote:
Only a malicious ECP could/would covertly launch the channel store screen for a private channel the user had not expressed any interest in installing.

That's my whole point. It sounds like maybe you think I'm accusing you of wanting to exploit it that way, which is about as far from my intent as you can get. The fact that a malicious ECP app (not yours!) could do it is exactly why it could be considered a security risk.
"roquoonewbie" wrote:
And again, if it could do that, it could equally launch the web browser to the add channel page as well...which looks just as "official" as the channel store screen.

There's a major difference there in that you have to be logged into the Roku website to add a channel via the web browser, and automating the install approval process in the web browser is much more involved than just sending a few remote commands via ECP.

Look, I get that you and EnTerr have a vested interest in having this functionality, and I'd likely be equally as upset if I were using it and it suddenly disappeared. Labeling me a Roku fan-boy/Roku apologist, however, doesn't diminish the validity of any of the points I've made. With that, I'm done with the conversation, and hopefully Roku will come along and clarify why they decided it required a "security fix" and possibly even be open to addressing it a little less aggressively than just killing it altogether as they have done.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
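
The sequence debated above (a channel store details launch followed by a few ECP remote commands) leaves a recognizable trace on the LAN. The following is an added example, not part of any post in this thread: detection logic that scans request logs for a `/launch/11?ContentID=...` POST followed within seconds by `/keypress/Select` from the same client. The log format, the 5-second window and the function names are assumptions, and the sample log is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of HTTP requests seen on the LAN toward a Roku's ECP port (8060).
# Assumed line format for this example: epoch_seconds src_ip dst_ip METHOD path
SAMPLE_LOG = """\
1000.0 192.168.1.50 192.168.1.28 POST /launch/11?ContentID=75561
1000.4 192.168.1.50 192.168.1.28 POST /keypress/Select
1001.1 192.168.1.50 192.168.1.28 POST /keypress/Select
1200.0 192.168.1.77 192.168.1.28 POST /launch/11?ContentID=75561
1290.0 192.168.1.77 192.168.1.28 POST /keypress/Select
1300.0 192.168.1.60 192.168.1.28 POST /launch/12
1300.2 192.168.1.60 192.168.1.28 POST /keypress/Select
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (\S+) (\S+)$")
STORE_CHANNEL_ID = "11"  # channel id used in the thread's curl command

def parse(log_text):
    """Yield (ts, src, dst, method, path) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, method, path = m.groups()
            yield float(ts), src, dst, method.upper(), path

def find_scripted_store_confirms(log_text, window=5.0):
    """Flag a store-details launch followed by Select from the same client within `window` s."""
    pending = {}  # (src, dst) -> (launch_ts, content_id) awaiting a Select
    alerts = []
    for ts, src, dst, method, path in parse(log_text):
        if method != "POST":
            continue
        url = urlsplit(path)
        key = (src, dst)
        if url.path == f"/launch/{STORE_CHANNEL_ID}":
            cid = parse_qs(url.query).get("ContentID", [None])[0]
            if cid is not None:
                pending[key] = (ts, cid)
        elif url.path.lower() == "/keypress/select" and key in pending:
            launch_ts, cid = pending.pop(key)  # one alert per launch at most
            if ts - launch_ts <= window:
                alerts.append({"src": src, "device": dst, "content_id": cid, "launch_ts": launch_ts})
    return alerts
```

A Select that arrives well after the launch (the second client in the sample) is treated as ordinary remote-app use and is not flagged; the window is a tuning knob, not a fixed property of ECP.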
roquoonewbie
Level 7

Re: Firmware 7.0 Introduces ECP launch command bug

TheEndless...I'm not accusing you of being a fan-boy at all. Just engaging in a healthy debate. You've made some reasonable points, but ultimately I don't think they pan out. The reason I stated that my ECP could not install such a malicious channel is because you implied that it could when you said "Your perfectly harmless ECP app could unknowingly allow the install of such a malicious channel." I was just pointing out that it could not happen with harmless ECPs. Only malicious ECPs would ever install such a channel (ie: it would never be by accident).

"TheEndless" wrote:
There's a major difference there in that you have to be logged into the Roku website to add a channel via the web browser, and automating the install approval process in the web browser is much more involved than just sending a few remote commands via ECP.


I still don't think there is much difference (security-wise) between the website add channel page, and the Roku store add channel screen. Both have the option of turning on or off authentication. With the website, you have the option to "Remember Me", which means no login would be required for malicious software to force an install of the malicious channel via the browser. From there, it is in fact just a matter of submitting a few key strokes to add the channel to the user's account. And conversely, the Roku Channel store would require a PIN if the user chose to have it there. In both cases, the user can choose to turn on or off authentication in order to add a channel. So again, I don't see how this poses an additional security risk beyond what already exists via the web.

But it really does come down to what Roku says. They asked to provide a business case for needing this. I have provided one above. I would also pose the opposite question to Roku...what is the business case of providing it for a public channel? And why does that same case not apply to private channels?
0 Kudos
roquoonewbie
Level 7

Re: Firmware 7.0 Introduces ECP launch command bug

Can Roku reply here given that I provided the business case for preserving this years old capability? Also, some insight into what the security risk is?
0 Kudos
EnTerr
Level 9

Re: Firmware 7.0 Introduces ECP launch command bug

"RokuJoel" wrote:
This is a security fix. You should not be able to install private channels via the ECP. If there is some business case for doing this let me know.

I already pointed out one use case of invoking the channel details (app info) screen viewtopic.php?f=34&t=90823#p510598 . That is broken now for some tens of thousands of installs of the app.

Here is another use case for invoking the channel info screen - on much smaller scale but perhaps this one will hit closer to home, given that once upon a time you (RokuJoel) were developing Roku apps outside RokuCo's citadel - which is the situation me and most developers are in.

So, what use do i have for the app details screen? -
I use a private channel's details screen to prepare a public channel for publishing. In particular, checking if the channel description fits the details screen or gets truncated (there is no other way to do that. NONE whatsoever!). Verifying that the screenshots and posters will display well when published in Channel Store. Double-checking that the (web store) metadata has the correct version number.

How do i do that? Well, app details screen is available only for published channels - but i want to see it before submitting the "public" channel for review. Sounds like Catch 22? "Private" channel to the rescue - it has been advocated before as good practice by the old-salts for beta testing and i have embraced the practice. I create a private "beta" channel and a public "release" candidate and populate their properties in the same way (copy&paste) - except: name and vanity-code (which must be different), as well as poster image (which i change so i can tell the 2 channels apart on the player home screen). I even use the same bundle/package, i.e. no different build for the "public" channel but instead copy the already tested app build from the beta/private channel to the public candidate.

So, back to our ECP app details screen. After populating the channel properties and publishing the private channel, to verify how the result may look one day in Channel Store, i'd do:
$ curl -i -d "" http://192.168.1.28:8060/launch/11?ContentID=75561
and get this on TV screen:

And from this screen i can check the description, version, poster and screenshots - and correct them as needed.

But now... now this has stopped working in fw 7 and there is no alternative to it! I took offline one of my players to keep it on fw 6 but that's not sustainable, sooner or later it will (have to) update.
0 Kudos
roquoonewbie
Level 7

Re: Firmware 7.0 Introduces ECP launch command bug

No additional word from Roku on this?
0 Kudos
MaddyGTV
Level 7

Re: Firmware 7.0 Introduces ECP launch command bug

Loading a "Companion" Channel is the point, and as it's already been noted, the ECP creates a 'seamless user experience'.

In our case of MaddyGTV, we offer several 'Companion' Channels to our network, like Space Opera Channel, MaddyMation, and BoomTV.

Having these Companion channels as 'Private' allows us to be very responsive with updates and changes. It enables us to 'market test' new channel ideas,
and still enable our viewers a quick and seamless way to add the channels they want to add.

What's happened now, is a flood of email and social network commentary saying / asking "Your Channel doesn't work..." and a lot of time in explaining
the process of going back to your Roku account and adding it. It's quite a pain for the users / viewers.

If this is a security issue, it seems easy enough to have a 'stop' screen that says "You are about to add a Private Channel - Roku does not monitor or approve
this channel, so proceed with caution." (or something like that). "Click here to continue - Click here to go back".

- Paul Gorman
MaddyGTV Networks
MaddyGTV Streaming Networks
Find us on Roku in 'Special Interest' or ask for us in 'Search'
0 Kudos
Roku Employee
Roku Employee

Re: Firmware 7.0 Introduces ECP launch command bug

We are working on addressing this issue, hopefully in the near future.

- Joel
0 Kudos
EnTerr
Level 9

Re: Firmware 7.0 Introduces ECP launch command bug

Bless RokuCo's heart, this issue seems to be fixed in rOS 7.1 !

My RokuTV got infected with 7.1 around noon Wednesday, while my proper boxes remain immune against my better efforts (dang staggered release hash function!). So on that one 7.1 i notice the ability to summon the details screen via ECP has been restored (i.e. works for already installed channels too, as well as privates). The two specific cases i cared about are working again. What a pleasant surprise!
0 Kudos
EnTerr
Level 9

Re: Firmware 7.0 Introduces ECP launch command bug

Just want to say "thank you!" again to those who helped to restore this feature -

and to show another real-life use case i had almost a month ago:

Basically app was broken (due to 3rd party), fix was submitted for review/public-ation - but in the mean time i was able to use my "outage notification" routine to show explanation and offer the most impatient ones the option to try the private/beta.

The neat thing i noticed, now adding pvt channel from the player asks the user to type a pseudo-random PIN, i.e. the install is "human-assisted", can't be done by a blind script.
0 Kudos