How safe are Community Apps/Drivers?

This thread was a good read. I've thought about most of the things mentioned, not only third party but with HE itself. VLANs, a good firewall and rules, monitoring can pretty much lock the hub down, or if you're really worried just block WAN out, no internet required?

As someone who has written a number of apps/drivers for HE, sure there is a risk. Any time you let something written by someone else run on your network there is a risk. Heck, there is a risk in HE itself... how do you KNOW that the Hubitat itself doesn't do anything malicious? While sure you could do some network scans and such, on some level, we're trusting they're a legitimate business and wouldn't do that.

Yes, an app/driver could do some bad things if the dev wanted to. I could send any credentials you enter in it to my own server, I could remotely control any devices you give it access to, etc. Yes, that IS possible. But is it likely? I know many other devs have picked through my apps/drivers (because they've made changes and submitted patches). So now it's not just ME being a bad actor, it's a conspiracy of me and a bunch of other random people I don't know. I really have nothing to gain from doing it (it's not like you live near me and me unlocking your door lets me get in your house). Etc.

As far as "what is Hubitat doing?" Once you decide to run code written by some random person, you're taking a risk. Could they go down the road of mobile phones with a billion prompts of "this app would like to connect to the network" "this app would like to find devices on your network" "this app would like to connect to a zwave device" etc. Yeah I guess. I for one would find it pretty annoying and would hope there is a way to disable it :slight_smile: I look at Hubitat as a bit of a pro-sumer device, so I expect it to protect me from outside bad actors (e.g. should have security to prevent it from being hacked), but much like if I install custom Linux apps on my pro-sumer Unifi router all bets are off, I feel the same way once I install custom code on my pro-sumer Hubitat. Just my 2 cents!

FYI: I should share, out of every community app/driver I have ever looked at I have never found any that was doing anything malicious or suspicious. The closest thing would be like @Cobra said that there are some apps that "phone home" to check for updates. I don't really consider that anything suspicious though, it's something most would consider a nice feature. Beyond that, I've yet to find anything that I think would even raise an eyebrow. Not saying they don't exist, just saying I've never encountered anything that I would call spyware or malware.

7 Likes

@habitat @Frenchish Thanks for starting the discussion. It is an interesting topic.

  1. I do not think that there are any policies, processes, or procedures currently in place regarding community developed code beyond what is written in the Terms and Conditions (at least I haven't seen any).

  2. There is not currently any type of confirmation or permissions related to external communications.

a. If you can think of an exploit you want to try, there probably is a way to accomplish it; just ask the community. :smirk:

b. The inherent risk of installing unknown code from unknown developers (possibly from unknown locations) is probably higher than most people think it is. Of course, this is rather subjective; objectively, I haven't seen any malware or reports of malware, so one might argue the risk of it is pretty low.

c. There currently is not much mitigation, but I think this is something that could be improved. Interested in seeing what ideas people come up with here for this.
It would be great if there were people in the community reviewing code or providing independent verification (as some in this thread have suggested), but I haven't seen any evidence that this is actually occurring currently.

3 Likes

I am hesitant to be the first to install an app from a new or unknown developer. I don't know enough about code to tell if something bad is going to happen. I often wait days or weeks before trying code from new users here, and wait to see if someone smarter than me reports anything bad (never happened yet in 3 years). But I do try to review the code and see if I can spot any hidden URLs or something before install. Never seen anything hidden here either.

If you stick to the prolific and well regarded developers here, or from another place they published apps/drivers like Smartthings forum, I don't hesitate to install their stuff at all.

3 Likes
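The pre-install review described in the post above (looking for hidden URLs, and for the "phone home" update checks mentioned earlier in the thread) can be partly automated. This is an added example, not code from the thread or from Hubitat: a Python script that scans Groovy app/driver source. The watch list of method names, the `audit` helper and the sample driver are assumptions constructed for illustration.

```python
import re

# Hubitat app/driver methods that open network connections.
# Assumed watch list for this example, not exhaustive.
NETWORK_CALLS = ("httpGet", "httpPost", "httpPut", "httpDelete",
                 "asynchttpGet", "asynchttpPost", "HubAction")
CALL_RE = re.compile(r"\b(" + "|".join(NETWORK_CALLS) + r")\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# RFC 1918 / loopback hosts are LAN traffic, not "phone home".
PRIVATE_RE = re.compile(
    r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|localhost$)")

def strip_comment(line):
    """Drop a trailing // comment, but keep the // inside a URL."""
    return re.sub(r"(?<!:)//.*$", "", line)

def audit(source, allowed_hosts=()):
    """Return (line_no, kind, detail) for every network call and every
    hard-coded host that is neither on the LAN nor explicitly allowed."""
    findings = []
    for n, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        for m in CALL_RE.finditer(line):
            findings.append((n, "network-call", m.group(1)))
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if PRIVATE_RE.match(host) or host in allowed_hosts:
                continue
            findings.append((n, "external-host", host))
    return findings

# Constructed sample driver (not a real community driver).
SAMPLE = '''\
metadata { definition(name: "Demo Switch", namespace: "example", author: "constructed") {} }
def on() { sendEvent(name: "switch", value: "on") }   // see http://docs.example.invalid
def refresh() { httpGet("http://192.168.1.50/status") { r -> log.debug r.data } }
def checkVersion() { httpGet("https://updates.example.invalid/ver.json") { r -> } }
def save() { asynchttpPost("done", [uri: state.target, body: settings]) }
'''

if __name__ == "__main__":
    for line_no, kind, detail in audit(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

Block comments and hosts assembled at runtime are not resolved; the call itself is still flagged, which is the cue to read that function by hand.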

:+1: @Cobra thanks for piping up. I appreciate your thoughts and willingness to help someone modify your code to help them feel more comfortable, even though it is truly benign. You and @Royski definitely enhance our community.

5 Likes

Great comments @dman2306. Thanks for all you contribute to our community. HPM is a fantastic addition that makes code management easier for all of us.

@habitat more evidence for your friend that the community is the strength of HE. Admittedly it has a great foundation in the HE platform and team.

2 Likes

Honestly, of all the potential security issues in using a device like HE, community apps and drivers that are delivered to you in source form, and thus subject to easy inspection, are the least of the things you should be concerned with.

If you are concerned with security, and want something to worry about, think about the underlying JVM instead.

3 Likes

Well that generated a healthy discussion :slight_smile: :smiley:

My perspective is..

There is no reasonable defence against a well equipped and resourceful bad actor.

But

I do believe that while I do not need to be the fastest gazelle on the savanna I definitely do not want to be the slowest, i.e. become predator food :slight_smile:

So will use all reasonable, and convenient tools and processes to keep me and mine safe.

It is always a balance.

The bar is always rising, we are using stronger passwords, we are using 2fa and biometrics more.

I think it is time for HA to start thinking about improving its posture, building the tools into HE to assist community developers build a more secure platform.

Not radical, but incremental raising of the bar.

2 Likes

Very good point, and read, this thread. I don't really look through the code unless I have to (and I can understand it to a certain point - I am no dev that's for sure, but I can tweak).

That said, I do only install code from known and trusted providers. That's easier these days, having been here a few years now. I think that's the key, experience (IMHO). Also knowing a lot of the names of the devs here also came from ST, even easier. I've yet to have anything break on my hubs due to installing any drivers or code. In fact the only ones which have come close to that have been HE drivers or apps :joy: But then they are classed as bugs :smiley:

I can vouch for @cobra without a shadow of doubt, not only having known him for so long, but nearly every piece of his code has been on (and still remains on) my hubs. :+1:

5 Likes

But who can vouch for you mate?

:slight_smile:

9 Likes

My mum!! :joy:

8 Likes

Wow great discussion and input from the community, honestly makes me more comfortable just from the activity on this thread, think it will be valuable to anyone else joining @habitat thanks for raising it here.

I am moving from HA and others before that and completely agree with the tone of this thread: you're downloading code from the public (sure there is also the vendor code, but that would have some reputational repercussions) so some sanity checking should be done and/or generally IoT should be sectioned off as much as possible, especially the bit with ethernet network access.

Am I worried about people turning lights on/off because of some backchannel? Meh, I am a lot more concerned with that channel having access to my LAN, so section that stuff off.

Great community thanks all :smile:

5 Likes

Just because I'm watching old episodes of Big Bang Theory, your post made me think of this.

EDIT: If you look for a video about a minute longer than this one, they give access to people around the world, who can use their lights and control their RC cars with cameras.

10 Likes

Lmao

1 Like

:rofl:

marktheknife's advice is good - the best advice is to use the apps/drivers which are most commonly used by the community and which the author posts regularly in the community.

I'm guessing you might be from Wink. There are certainly advantages to having a company release officially sanctioned drivers and applications, but to do so requires staffing and resources and even Samsung struggled in this regard. Also, as an aside, remember that the founders of Hubitat were some of the best community developers for SmartThings.

2 Likes

A good point well made.

Thanks for highlighting this issue. :grinning:

As a complete aside, I'll throw out there that a fully curated app/driver repository is no guarantee of protection either. See Apple Store or Google Play store as case in point...

11 Likes

I am pretty sure both Apple Appstore and Google Play Store offer a higher level of protection.

Not about total security - that is painful.

But incremental improvement.

I am pretty sure a fast gazelle has a better chance than a slow gazelle; neither is totally safe, but it would be nice to be better.

Yes, of course they do. :slight_smile:

1 Like