Summary: I do not seem to be able to prevent a remote device/app from controlling my Roku Express. This is not an issue of my not understanding how to configure the Express, it's that the configuration options are not working. This appears to be the exact security problem that 2 years ago Roku denied that is had in https://blog.roku.com/consumer-reports-got-wrong
Here are the details:
I have a Roku Express, and have
I then install the Roku Mobile App on my iPhone, and then select the Express as a device to control, and voila!, I can control the Roku Express. I'm not even prompted to pair the app with the Express, nor does the Express show the iPhone as a paired device. It just works, and nothing I do stops it from working. I have tried rebooting the Roku, the settings remain as they should be, but the app can still control the device.
What gives? Seems like a security problem to me...
@AbeSinger Thanks for letting us know. Had you previously connected to your Roku device using that mobile phone, prior to disabling 'Control by mobile apps' on your Roku device?
I will pass this along to the team to take a closer look and share any updates that I hear.
I believe "Control by Mobile Apps" was disabled, but I'm not entirely sure.
However, I tested again using a different phone, with both "Control by Mobile Apps" and "Network Connect" disabled and got the same results -- the app on the phone was able to connect immediately, without any need to authorize the pairing on the Roku Express, and without any indication on the Roku that the phone/app is paired.
This is definitely a reproducible bug.
@AbeSinger Thanks for the follow-up. A quick update with further clarification to share here. This feature is designed to allow you to prevent 3rd party mobile apps from being able to connect to your device, such as other remote apps. It does not prevent the Roku mobile app from connecting to your device. We appreciate you reaching out!
okay, so what you're telling me is that anyone on the network with the Roku can install the Roku App and take over control of the Roku Player, there is no way to identify what devices are doing so, and there is no way to stop them. Did I get that right?
Assuming I did get that right, then you definitely have a security problem. On its face, not being able to detect or deny access is a problem.
But more importantly, if your app can control a Roku device without authorization, someone can reverse engineer the app and create a malicious app that can do the same.
Do you have any plans on fixing this issue? I live in a college dorm and just had someone use the app to connect to my tv and start playing aggressive porn super loudly on my TV while I'm doing homework. Maybe a password needed to connect to the TV each time? I don't have the option of using a private network up here but my friends and I are now scared to leave out TVs plugged in since anyone can access it at any time.
How to I block someone from accessing the remote off their phone because I have a Roku but my sister has the app on her phone and can connect to my tv anytime and change what I’m watching without my permission so how can I turn it off or disable it from her phone
I can’t believe this has not been addressed or fixed. Not only can anyone take control of your Roku with an app on their phone, but they can now wreak havoc with your attached credit card. Roku, wake TF up and fix this incredibly unnecessary security deficit. This should have never been a “feature” in the first place. Unbelievable.
You can use a WiFi extender that feed off your home WiFi to create your own extended network with a different password, and then just connect your RokuTV to the extended network. Unfortunately, I don't think Roku intends to fix this vulnerability since they seem to be pretty proud of this "feature." This is very irresponsible of them. That's why some people are moving to Chromecast.