Kodi Security Concerns
#1
The more I delve into the innards of Kodi and how the add-ons actually work, the more concerned I get about the potential for installing malicious code disguised as add-ons.
If you think about it, the majority of the Kodi installations reside on people's home networks which makes all of the data on their home machines potential security breach targets.

One add-on written by an experienced hacker that gets installed in Kodi attached to the home network could provide Internet access to the shell and make Kodi a jumping off point for the rest of the home network.

Another concern I have is the possibility of a virus infecting Kodi installations and rendering them unusable. The way things are with add-ons these days, people often Google for an add-on that sounds great, follow the link and just install it; there doesn't seem to be any way to check to see if the add-on is safe or if it is the correct version. I recently had a bad installation of SportsDevil, not sure where I got it from, but I eventually found the correct package which actually works and updates correctly.

I would like to get some feedback on ways to safeguard Kodi add-on files, possibly using at least an online MD5 hash database so that the community is not just installing add-ons in willy nilly fashion.

I am also interested in getting suggestions on security measures that can be taken to better secure Kodi running on the Amazon FireTvStick platform as well as Raspberry Pi.

Atomic
#2
If you install addons from outside the official repository you're obviously on your own, the same you're on your own if you install random software you found on the Internet.

I don't think there are any general guidelines regarding securing Kodi. Normally you don't expose Kodi to the Internet (i.e. its web interface or API) in any way so the attack surface is fairly small.
#3
you can safely consider kodi unsafe. treat it thereafter.

even if addons are md5'd on install. that doesn't hinder the server being compromised.

edit: awesome typo there! added *even if*
#4
Doesn't matter where you install addons from.
The best way to safeguard users from malicious software is for users to be responsible for what code they run on their system.
#5
I agree, but most users want to maximize their Kodi install and wind up installing a lot of add-ons that aren't from the official repository. Take SportsDevil for instance: I don't believe that comes from the official repository, yet a very large proportion of users are running it.
I'm thinking there needs to be some custom code developed that acts as a type of anti-virus for Kodi.
#6
(2015-09-24, 19:40)ironic_monkey Wrote: you can safely consider kodi unsafe. treat it thereafter.

even if addons are md5'd on install. that doesn't hinder the server being compromised.

edit: awesome typo there! added *even if*

Having a webpage of the latest addons that are not in the official repository and a count for each MD5 hash reported would give users a good sense of which is the safest package to install.
#7
(2015-09-24, 21:05)wason92 Wrote: Doesn't matter where you install addons from.
The best way to safeguard users from malicious software is for users to be responsible for what code they run on their system.

I agree but most end users have no idea about code and how things work behind the scenes.
#8
(2015-09-24, 19:24)negge Wrote: If you install addons from outside the official repository you're obviously on your own, the same you're on your own if you install random software you found on the Internet.

I don't think there are any general guidelines regarding securing Kodi. Normally you don't expose Kodi to the Internet (i.e. its web interface or API) in any way so the attack surface is fairly small.

One easy safeguard is to put Kodi or the FireStick running Kodi on a separate wireless segment in your house and not on the same wireless segment as the rest of the home computers.
#9
(2015-09-25, 00:46)atomicmcbomb Wrote:
(2015-09-24, 19:40)ironic_monkey Wrote: you can safely consider kodi unsafe. treat it thereafter.

even if addons are md5'd on install. that doesn't hinder the server being compromised.

edit: awesome typo there! added *even if*

Having a webpage of the latest addons that are not in the official repository and a count for each MD5 hash reported would give users a good sense of which is the safest package to install.

If those addons were condoned by us, they'd be in the official repository. Then they also have an md5 that is automatically checked on install.
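The two ideas in this thread, an automatic hash check on install (post #9) and a community tally of which hash is most commonly seen for a given add-on version (post #6), are small enough to sketch in code. The following is an added example written for this thread, not Kodi's own code: it assumes a sidecar file next to the zip in md5sum style (hex digest as the first token) and a simple list of user reports as the input to the tally; the add-on id, version and zip contents are constructed for the demo.

```python
"""Added example: verify a sideloaded Kodi add-on zip against a sidecar hash
file, and tally hashes reported by users per add-on version. Not Kodi's own
code; the sidecar format and the report structure are assumptions."""
import hashlib
import tempfile
import zipfile
from collections import Counter, defaultdict
from pathlib import Path


def file_digest(path, algo="md5"):
    """Stream the file through hashlib so large zips never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_addon_zip(zip_path, sidecar_path, algo="md5"):
    """Compare the zip's digest with the first token of the sidecar file.
    Sidecar format is assumed md5sum-style: '<hex>  <filename>' or '<hex>'."""
    tokens = Path(sidecar_path).read_text().split()
    if not tokens:
        return False  # empty sidecar: treat as a failed check, not a pass
    expected = tokens[0].strip().lower()
    if len(expected) != hashlib.new(algo).digest_size * 2:
        return False  # malformed digest length, e.g. truncated download
    return file_digest(zip_path, algo) == expected


def tally_reports(reports):
    """reports: iterable of (addon_id, version, hex_digest) submitted by users.
    Returns {(addon_id, version): Counter({digest: count})} so the package
    most users actually have can be told apart from one-off outliers."""
    tally = defaultdict(Counter)
    for addon_id, version, digest in reports:
        tally[(addon_id, version)][digest.lower()] += 1
    return dict(tally)


def make_addon_zip(path, addon_id, version, extra=b""):
    """Write a minimal add-on zip (constructed for the demo, not a real add-on)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{addon_id}/addon.xml",
                    f'<addon id="{addon_id}" version="{version}"/>')
        zf.writestr(f"{addon_id}/default.py", b"print('hello')" + extra)


def demo():
    """Build a good zip plus its sidecar, then a modified copy of the same
    version; return (good_verdict, modified_verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        good = tmp / "plugin.example-1.0.0.zip"          # constructed name
        make_addon_zip(good, "plugin.example", "1.0.0")
        sidecar = tmp / "plugin.example-1.0.0.zip.md5"
        sidecar.write_text(f"{file_digest(good)}  {good.name}\n")
        altered = tmp / "plugin.example-1.0.0-other.zip"
        make_addon_zip(altered, "plugin.example", "1.0.0", extra=b"\n# extra")
        return verify_addon_zip(good, sidecar), verify_addon_zip(altered, sidecar)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check only tells you that the zip matches the sidecar; as post #3 notes, whoever controls the download server can regenerate both together, so the check detects corruption and mismatched mirrors rather than a hostile source. The tally is only useful if the reports come from independent users and the algorithm is kept as a parameter so a collision-resistant digest such as SHA-256 can be used instead of MD5.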
#10
(2015-09-25, 00:35)atomicmcbomb Wrote: I agree, but most users want to maximize their Kodi install and wind up installing a lot of add-ons that aren't from the official repository. Take SportsDevil for instance: I don't believe that comes from the official repository, yet a very large proportion of users are running it.
I'm thinking there needs to be some custom code developed that acts as a type of anti-virus for Kodi.

Do you know that SportsDevil breaks our rules and we actually distance ourselves from such add-ons? If SportsDevil users get exploited then I don't think any of us will feel bad about it. Not only do add-ons like that give us a bad name, but many pirate/bootleg add-ons do not come from trustworthy sources. It's like when people would pirate software and it would be infected with malware. The black/gray market is not regulated, and that is not our problem.

That being said, we're all for improvements in the areas of security, but we're not losing any sleep over the way things work today.
#11
See one feature suggestion for adding a warning when sideloading addons/repos http://forum.kodi.tv/showthread.php?tid=229648

Having a warning when sideloading addons/repos from untrusted repos could go a long way to keep users informed about the risk they are willingly taking.

While not a sandbox solution, it is simple to implement, and educating users can be a good first line of defence.