Login at Kodi Home

primaeval · (This post was last modified: 2016-05-03, 08:53 by primaeval.)

If you haven't been around the other forums recently you might have missed the big fight over addons "stealing" other addons illegal content.

The victim addon developers have modified their addons to delete the offending addons completely.

https://www.reddit.com/r/Addons4Kodi/com...mpetitors/

This is pretty scary stuff from a user perspective as Kodi addons have full access to the user's computer with the same access privileges as Kodi is started with.

They have also been obfuscating their code to prevent further "stealing" but it means the user can't see what they are doing to your computer.

A simple bit of python could wipe your hard disk or steal your passwords. This is virus behaviour.

Have Team Kodi got any plans to increase security for third party content? Sandboxing, guest user privileges etc?

I know there is a forthcoming switch to disable third party addon installation.

edit:
I have started a Feature Request to discuss the implementation of Addon Sandboxing (or at least better Kodi user security in general) to prevent identity theft and malicious or unexpected addon behaviour.
http://forum.kodi.tv/showthread.php?tid=272361

trogggy · 2016-05-01, 19:23

It's happened before, it will no doubt happen again.

Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.

**bry** · 2016-05-01, 19:26

(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.

Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.

This. What do you expect from the asshats that code shit that is ethically questionable.

Sent from my XT1254

primaeval · 2016-05-01, 19:27

(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.

Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.

Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.

**black_eagle** · 2016-05-01, 19:38

I'd trust an add-on that is in the official repository, because there are rules that the add-on has to adhere to. Anywhere else though.....I'd think at least twice and if the add-on has its code obfuscated, then no chance.

trogggy · (This post was last modified: 2016-05-01, 19:58 by trogggy.)

(2016-05-01, 19:27)primaeval Wrote:
(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.

Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.

Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.

To save people from themselves?
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.

primaeval · 2016-05-01, 20:06

(2016-05-01, 19:57)trogggy Wrote:
(2016-05-01, 19:27)primaeval Wrote:
(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.

Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.

Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.
To save people from themselves?
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.

The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.

Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.

Kodi is too high profile these days. Its not just us nerds that use it any more.

**DarrenHill** · 2016-05-01, 20:13

The add-ons in the official repo are vetted against this kind of malicious coding.

But this is the other reason why we have the banned add-ons (wiki) list that includes various of the "collection" repos.

Installing an add-on is exactly the same as installing an app or program on your device, with all the inherent risks. So you should only install add-ons and repos from sources that you trust. This is also why we don't allow 3rd party pre installed add-ons for exactly this reason.

trogggy · 2016-05-01, 20:19

(2016-05-01, 20:06)primaeval Wrote:
(2016-05-01, 19:57)trogggy Wrote:
(2016-05-01, 19:27)primaeval Wrote: Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.
To save people from themselves?
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.

The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.

Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.

Kodi is too high profile these days. Its not just us nerds that use it any more.

What do you want exactly?
To make it more difficult to install addons?

primaeval · 2016-05-01, 20:19

(2016-05-01, 20:13)DarrenHill Wrote: The add-ons in the official repo are vetted against this kind of malicious coding.

But this is the other reason why we have the banned add-ons (wiki) list that includes various of the "collection" repos.

Installing an add-on is exactly the same as installing an app or program on your device, with all the inherent risks. So you should only install add-ons and repos from sources that you trust. This is also why we don't allow 3rd party pre installed add-ons for exactly this reason.

True but the major operating systems have got much better at security and application separation these days. Even Windows apps have their own separate system libraries now.

Kodi is a similar platform in many respects as it gives full access to the complete user's file system.

primaeval · 2016-05-01, 20:21

(2016-05-01, 20:19)trogggy Wrote:
(2016-05-01, 20:06)primaeval Wrote:
(2016-05-01, 19:57)trogggy Wrote: To save people from themselves?
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.

The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.

Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.

Kodi is too high profile these days. Its not just us nerds that use it any more.
What do you want exactly?
To make it more difficult to install addons?

Yes. Addon security settings. What they have access to and where they can get data from. The same as Android for example.

**DarrenHill** · 2016-05-01, 20:24

User education may be a better or parallel route. But that of course requires the user to be willing to learn, and indeed to be the one who chooses and installed Kodi rather than using it pre installed on a device (legitimately or otherwise).

I don't disagree with your thoughts at all, I was just trying to add a little background and context.

primaeval · (This post was last modified: 2016-05-01, 20:58 by primaeval.)

(2016-05-01, 20:24)DarrenHill Wrote: User education may be a better or parallel route. But that of course requires the user to be willing to learn, and indeed to be the one who chooses and installed Kodi rather than using it pre installed on a device (legitimately or otherwise).

I don't disagree with your thoughts at all, I was just trying to add a little background and context.

You are right. All pre-installed device users won't have a clue where their addons come from.

I think what I would like to see as a bare minimum is write access only to the addon's userdata addon_data folder unless explicitly enabled to go further.

trogggy · 2016-05-01, 21:17

(2016-05-01, 20:21)primaeval Wrote:
(2016-05-01, 20:19)trogggy Wrote:
(2016-05-01, 20:06)primaeval Wrote: The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.

Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.

Kodi is too high profile these days. Its not just us nerds that use it any more.
What do you want exactly?
To make it more difficult to install addons?

Yes. Addon security settings. What they have access to and where they can get data from. The same as Android for example.

Hopefully that would be far too much of a PITA to implement, because frankly I think it's a terrible idea.
Don't install from a source you don't trust.

primaeval · 2016-05-01, 21:24

(2016-05-01, 21:17)trogggy Wrote:
(2016-05-01, 20:21)primaeval Wrote:
(2016-05-01, 20:19)trogggy Wrote: What do you want exactly?
To make it more difficult to install addons?

Yes. Addon security settings. What they have access to and where they can get data from. The same as Android for example.
Hopefully that would be far too much of a PITA to implement, because frankly I think it's a terrible idea.
Don't install from a source you don't trust.

I don't think some fairly simple file access rules would be too hard to implement for the talented coders here.

If you could only install addons from here it would be as restrictive as Apple's walled garden.
I prefer the freedom of Android and their security model. I know its not bulletproof but it has more freedom.