+- Kodi Community Forum (https://forum.kodi.tv)
+-- Forum: Discussions (https://forum.kodi.tv/forumdisplay.php?fid=222)
+--- Forum: Kodi related discussions (https://forum.kodi.tv/forumdisplay.php?fid=6)
+--- Thread: Addons that delete competitor's addons (/showthread.php?tid=272175)
Addons that delete competitor's addons - primaeval - 2016-05-01
If you haven't been around the other forums recently you might have missed the big fight over addons "stealing" other addons illegal content.
The victim addon developers have modified their addons to delete the offending addons completely.
https://www.reddit.com/r/Addons4Kodi/comments/4h1syy/addons_that_delete_competitors/
This is pretty scary stuff from a user perspective as Kodi addons have full access to the user's computer with the same access privileges as Kodi is started with.
They have also been obfuscating their code to prevent further "stealing" but it means the user can't see what they are doing to your computer.
A simple bit of python could wipe your hard disk or steal your passwords. This is virus behaviour.
Have Team Kodi got any plans to increase security for third party content? Sandboxing, guest user privileges etc?
I know there is a forthcoming switch to disable third party addon installation.
edit:
I have started a Feature Request to discuss the implementation of Addon Sandboxing (or at least better Kodi user security in general) to prevent identity theft and malicious or unexpected addon behaviour.
http://forum.kodi.tv/showthread.php?tid=272361
RE: Addons that delete competitors - trogggy - 2016-05-01
It's happened before, it will no doubt happen again.
Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.
RE: Addons that delete competitors - bry - 2016-05-01
(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.This. What do you expect from the asshats that code shit that is ethically questionable.
Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.
Sent from my XT1254
RE: Addons that delete competitor's addons - primaeval - 2016-05-01
(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.
Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.
Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.
RE: Addons that delete competitor's addons - black_eagle - 2016-05-01
I'd trust an add-on that is in the official repository, because there are rules that the add-on has to adhere to. Anywhere else though.....I'd think at least twice and if the add-on has its code obfuscated, then no chance.
RE: Addons that delete competitor's addons - trogggy - 2016-05-01
(2016-05-01, 19:27)primaeval Wrote:To save people from themselves?(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.
Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.
Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.
RE: Addons that delete competitor's addons - primaeval - 2016-05-01
(2016-05-01, 19:57)trogggy Wrote:(2016-05-01, 19:27)primaeval Wrote:To save people from themselves?(2016-05-01, 19:23)trogggy Wrote: It's happened before, it will no doubt happen again.
Simple solution - don't use add-ons coded by immature dicks.
Use ones from here or from somewhere / someone you trust.
Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.
The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.
Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.
Kodi is too high profile these days. Its not just us nerds that use it any more.
RE: Addons that delete competitor's addons - DarrenHill - 2016-05-01
The add-ons in the official repo are vetted against this kind of malicious coding.
But this is the other reason why we have the banned add-ons (wiki) list that includes various of the "collection" repos.
Installing an add-on is exactly the same as installing an app or program on your device, with all the inherent risks. So you should only install add-ons and repos from sources that you trust. This is also why we don't allow 3rd party pre installed add-ons for exactly this reason.
RE: Addons that delete competitor's addons - trogggy - 2016-05-01
(2016-05-01, 20:06)primaeval Wrote:What do you want exactly?(2016-05-01, 19:57)trogggy Wrote:(2016-05-01, 19:27)primaeval Wrote: Even the ones from here could hide something nasty. I think Kodi could do with more security for addons like Android's app separation.To save people from themselves?
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.
The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.
Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.
Kodi is too high profile these days. Its not just us nerds that use it any more.
To make it more difficult to install addons?
RE: Addons that delete competitor's addons - primaeval - 2016-05-01
(2016-05-01, 20:13)DarrenHill Wrote: The add-ons in the official repo are vetted against this kind of malicious coding.
But this is the other reason why we have the banned add-ons (wiki) list that includes various of the "collection" repos.
Installing an add-on is exactly the same as installing an app or program on your device, with all the inherent risks. So you should only install add-ons and repos from sources that you trust. This is also why we don't allow 3rd party pre installed add-ons for exactly this reason.
True but the major operating systems have got much better at security and application separation these days. Even Windows apps have their own separate system libraries now.
Kodi is a similar platform in many respects as it gives full access to the complete user's file system.
RE: Addons that delete competitor's addons - primaeval - 2016-05-01
(2016-05-01, 20:19)trogggy Wrote:(2016-05-01, 20:06)primaeval Wrote:What do you want exactly?(2016-05-01, 19:57)trogggy Wrote: To save people from themselves?
If you're concerned stick to the official repo.
Edit: couldn't agree more re obfuscated code.
The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.
Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.
Kodi is too high profile these days. Its not just us nerds that use it any more.
To make it more difficult to install addons?
Yes. Addon security settings. What they have access to and where they can get data from. The same as Android for example.
RE: Addons that delete competitor's addons - DarrenHill - 2016-05-01
User education may be a better or parallel route. But that of course requires the user to be willing to learn, and indeed to be the one who chooses and installed Kodi rather than using it pre installed on a device (legitimately or otherwise).
I don't disagree with your thoughts at all, I was just trying to add a little background and context.
RE: Addons that delete competitor's addons - primaeval - 2016-05-01
(2016-05-01, 20:24)DarrenHill Wrote: User education may be a better or parallel route. But that of course requires the user to be willing to learn, and indeed to be the one who chooses and installed Kodi rather than using it pre installed on a device (legitimately or otherwise).
I don't disagree with your thoughts at all, I was just trying to add a little background and context.
You are right. All pre-installed device users won't have a clue where their addons come from.
I think what I would like to see as a bare minimum is write access only to the addon's userdata addon_data folder unless explicitly enabled to go further.
RE: Addons that delete competitor's addons - trogggy - 2016-05-01
(2016-05-01, 20:21)primaeval Wrote:Hopefully that would be far too much of a PITA to implement, because frankly I think it's a terrible idea.(2016-05-01, 20:19)trogggy Wrote:(2016-05-01, 20:06)primaeval Wrote: The trouble for Kodi is if it gets smeared with the same brush. If Kodi is known as a potential virus infested application it is not going to help anyone here.What do you want exactly?
Your average Joe Nobody user is not going to de-compile an obfuscated addon and check everything is hunky dory in a low privileged sandbox.
Kodi is too high profile these days. Its not just us nerds that use it any more.
To make it more difficult to install addons?
Yes. Addon security settings. What they have access to and where they can get data from. The same as Android for example.
Don't install from a source you don't trust.
RE: Addons that delete competitor's addons - primaeval - 2016-05-01
(2016-05-01, 21:17)trogggy Wrote:(2016-05-01, 20:21)primaeval Wrote:Hopefully that would be far too much of a PITA to implement, because frankly I think it's a terrible idea.(2016-05-01, 20:19)trogggy Wrote: What do you want exactly?
To make it more difficult to install addons?
Yes. Addon security settings. What they have access to and where they can get data from. The same as Android for example.
Don't install from a source you don't trust.
I don't think some fairly simple file access rules would be too hard to implement for the talented coders here.
If you could only install addons from here it would be as restrictive as Apple's walled garden.
I prefer the freedom of Android and their security model. I know its not bulletproof but it has more freedom.