SmartTube Compromised
aftvnews.com | 163 points by akersten 3 days ago
Announcement from the dev, in the project GitHub and Patreon:
Friends, it seems that my digital signature has been exposed. This signature protects the app from fake and malicious updates, so there is a risk that someone may try to release counterfeit versions under my name.
To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates) — the new one will install as a separate app and will need to be configured again.
Thank you for your understanding and attention to security.[1][2]
---------------
There aren't any new apk releases on GitHub yet. However, concerningly, the SmartTube website (which I won't link directly) still offers undated "Stable" and "Beta" downloads.
It sucks to deal with security breaches as an indie or solo dev, but I'll be waiting for a more detailed postmortem before assessing whether to install a future release... Hopefully one that details new security procedures to guard both the dev's key and the production build environment.
Factory resetting my Shield as a precaution, but nothing sensitive was really on there, and Android's security model did exactly what it was supposed to and limited the damage. When using a third party app like this, it's prudent to use it signed out or else with a purpose specific Google/YouTube account which is connected to nothing else critical.
[1]: https://github.com/yuliskov/SmartTube/releases/tag/notificat...
> To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates)
I'm curious if this is the best idea? Like, if you don't read all the GitHub releases thoroughly or miss the HN material, and instead you just auto-install updates, you'll have downloaded a malware-infested version which will be on your device until you learn otherwise?
At this point, Play Protect will remove the apks with the old signature because the developer marked the old signature as compromised. The developer acted correctly and responsibly in doing so, and seems to be working out establishing a new setup now, including a new signing key.
For those using sketchy devices without Play Protect and also installing random apks without an understanding of security or Android's trust-on-first-use model, there's not much anyone can do.
From my understanding, https://github.com/yuliskov/SmartTube/releases/download/late... links to 30.56, which is the newest clean version. The old app stopped at 30.48.
I installed 30.56 from the git link on my Shield. It did not overwrite the old one, as it has the old signature. I manually uninstalled 30.48. I did not use the backup/restore option in either as I didn't want to dirty any data in the new app.
> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.
Seems it's lacking in information about how malware manages to compromise supposedly signed releases? Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?
I swear the more time goes on, the more I'm losing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manage to get malware on their developer machine and are publishing random binaries to other strangers???
The malware need not actively create a release like a worm; it can just infect every build, and if you don't check carefully, your next regular release will contain it.
It's one of the reasons we fight holy wars for SSO and strict login rules even for Dev or QA environments -- if you can get in during a dev build you can get stuff in there that carries through.
Maybe QA will find it... but they're testing X number of JIRA tickets based on Y epics and if it's not on the list they're not looking...
I really hope Google doesn't pick this out (and similar events) as further justification for getting rid of APK-based installation.
Blocking file-based installations was never planned. It's fake news and always has been. It's all about requiring code signing for all code so that malware-spreading authors can be easily blocked by adding their signing key fingerprint to the blocklist.
It doesn't matter whether the app is installed via Play Store, Huawei's or Samsung's store etc., or from APK.
This is a drastic misrepresentation of the situation. All Android apps already have code signing, you cannot install an app unless it has a signature, and any future updates are blocked unless the signature matches. This is how it's been practically since the start of Android, it's part of the security model to prevent something like a malicious Firefox APK stealing your cookies.
What's new is that they were gonna block installations outside of Google Play, unless the developer has signed up for Google Play Console and has gone through a verification process there, whitelisting their signing key fingerprint. However, they've walked back on this and said they'll create a new "advanced flow" for "advanced users" that's "designed to resist coercion" to bypass this restriction. Door in the face technique IMO, the existing 12-step process to installing an app was already complicated enough.
So effectively the result is that file based installations will be blocked unless Google has specifically whitelisted their key through the Google Play Console verification process, or the user goes through this "advanced flow" which we're yet to see any details of.
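The signer rule this comment describes (first install is trust-on-first-use, later updates must carry the same signing certificate, and a revoked signer is blocked), as an added model in Python; it is not SmartTube's code or Android's implementation. Certificates, package names and version codes are constructed, and the blocklist stands in for Play Protect marking a signer as compromised, so the same function also shows why the developer's key rotation needed a new package identifier:

```python
# Added model of Android's signer check; constructed data, not SmartTube code.
import hashlib
from dataclasses import dataclass

def fingerprint(cert_der: bytes) -> str:
    """Android identifies a signer by SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for DER certificates; real ones are X.509 blobs.
OLD_CERT = b"constructed-cert-for-leaked-key"
NEW_CERT = b"constructed-cert-for-rotated-key"

@dataclass(frozen=True)
class Apk:
    package: str
    version_code: int
    signer: str  # certificate fingerprint

def decide(installed: dict[str, Apk], candidate: Apk, blocklist: set[str]) -> str:
    """Installer rules in order: revoked signer, first install, signer match, downgrade."""
    if candidate.signer in blocklist:
        return "blocked"                 # Play Protect-style revocation of a leaked key
    current = installed.get(candidate.package)
    if current is None:
        return "install"                 # trust-on-first-use: any signer is accepted
    if current.signer != candidate.signer:
        return "reject-signer-mismatch"  # a rotated key cannot update the old package id
    if candidate.version_code <= current.version_code:
        return "reject-downgrade"
    return "update"

def sweep(installed: dict[str, Apk], blocklist: set[str]) -> list[str]:
    """Packages already on the device whose signer has since been revoked."""
    return sorted(p for p, a in installed.items() if a.signer in blocklist)

def scenario() -> dict[str, str]:
    old, new = fingerprint(OLD_CERT), fingerprint(NEW_CERT)
    device = {"org.example.tube": Apk("org.example.tube", 3048, old)}
    # Whoever holds the leaked key can ship an "update" that matches the installed signer.
    bad = Apk("org.example.tube", 3049, old)
    new_key_same_id = Apk("org.example.tube", 3056, new)
    new_id = Apk("org.example.tube2", 3056, new)
    return {
        "before_revocation": decide(device, bad, set()),
        "after_revocation": decide(device, bad, {old}),
        "rotated_key_same_id": decide(device, new_key_same_id, set()),
        "rotated_key_new_id": decide(device, new_id, {old}),
        "removed_by_sweep": ",".join(sweep(device, {old})),
    }
```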
What an absolute boatload of lies.
I am currently in the process of "verifying" my identity with the Android Developer console.
In addition to proof of identity (e.g. passport/driver license) Google is demanding a proof of address, government registration, this month's rental agreement, foreign passport... The process is stuck in limbo because months-old documents are deemed "outdated", and I am constantly threatened that my verification request (!) will be denied because of "exceeding allowed number of attempts" (!!)
It shares the same principle as silent Discord account bans and other "verification" harassment schemes, such as Upwork account verification. The excess developers — Google's potential competitors — need to be banished from the platform as quickly and cheaply as possible, so that Google can peddle their own spyware unimpeded.
"Malware spreading authors" or "ToS violating authors" or "authors of piracy apps"?
Ask your president. I suppose republicans will soon block VPN apps, adult apps and whatever comes to their minds as non-compliant with their medieval mindset.
> Do not download SmartTube from any app store, APK websites or blogs; these were uploaded by other people and may contain malware or ads. SmartTube is not officially published on any app store. Sadly, the Google PlayStore does not allow ad-free Youtube apps using unofficial APIs.
Maybe they should actually switch to releasing via F-Droid.
It's kind of shocking to me that so many people would download an app like this and sign in using their actual YouTube account.
It's not just cost and ads. It's having the possibility to reduce attempts to manipulate my inner reptile brain. With various clients, you can disable shorts, recommended, you have sponsorblock, you can replace youtube-face-thumbs with actual thumbs and get crowd-sourced titles that better reflect the contents.
I also don't need to manually go set speed to 1.75x and enable subs in English, it's a one-time setting. _Further_ I can download a video locally, for whatever reason (later viewing, bw throttling, risk of deletion, etc).
As if that weren't enough, I don't have to watch videos logged in, my client is just set up to download my select channels.
I now see zero use of a youtube account.
It has a far better user interface than the official YT interface. And that interface can be heavily customized to your exact preferences.
My wife has YT Premium, and we find ourselves watching YT in SmartTube just because the interface is so much better.
Same here, we also both have YT Premium and use SmartTube. Our dislike of "Shorts" pushed everywhere in the YT app is what got us to switch to SmartTube. We watch Youtube on our 65" TV via Chromecast, so shorts are just really a crap experience and we do not want to see them at all. SmartTube lets us eliminate them, and all the other awesome UI customization makes it a far superior experience.
The cost of being brainwashed by ads and sponsor slots is also high.
Even with YouTube Premium you don’t get the feature set you get with SmartTube. The sponsor block integration on my TV is brilliant.
I think it's more shocking to people how much YouTube Premium costs.
Is $14 for ad-free, unlimited access to literally billions of videos really a steep price? Personally if I were to get rid of all but one of my media subscriptions I would stick with this one, since it's got everything - entertainment, education, inspiration, you name it.
$14 is two days' worth of living in my country for your average man on the street, among many other similar places. Imagine if you had to pay $200 to watch YouTube, that's how much these services cost for us.
They refuse to correct for purchasing power parity and are left with nothing in the end. Steam seems to do very well in comparison.
(I don't watch YouTube even for free, but practically everybody I know does without paying anything, and it makes a lot of sense).
There are a lot of things in this world besides YouTube Premium that cost $14 or more. That some people in the world are very poor is no kind of argument as to how companies should price their products.
"Purchasing power parity" is a non-concept for almost 100% of companies and products. But YouTube Premium is priced differently in different regions. Sometimes much cheaper than $14.
The person you're responding to is not debating that the companies are setting the wrong prices, so no need to try to convince them that the companies are already setting prices "the right way".
They're explaining for people who don't seem to understand, why people are fine signing in to these kind of 3rd party apps in the first place, because the subscription price ends up being what these people earn in days, not hours.
A semi-successful YouTuber in a low-income country is basically an infinite money hack. Neat little form of advance scouting, like this forum.
Listen, I only make about $350-$400 a week after taxes and deductions. So, yes, $14 a month is a LOT. With my income, even $5 can and does break the bank if I'm not careful. Not everyone has a SWE's salary.
I am not going to watch billions of Videos.
It's not entirely ad free, just fewer ads; AFAIK sponsored segments remain, so there are still ads, sometimes quite lengthy ones.
$14/month is $168 a year, and if you subscribe to multiple other video services the annual total is going to be quite high.
YouTube is 10x the quality and 10x the quantity than any other video service.
As for the ads, YouTube Premium now has built-in sponsor skip. They can't really block sponsored segments, as that is a freedom of speech issue and also something they can't easily determine. Creators can just omit that some product is sponsored.
> YouTube is 10x the quality and 10x the quantity than any other video service.
I guess you could say YouTube surfaces a larger span of quality, from really shit quality to incredibly high quality, which I guess is cool. But since they provide zero tools to actually discover the really high quality, and on top of that decide they know better what I want to watch than me (like the subscriptions page not starting with the last published video), does that really matter?
> as that is a freedom of speech issue
It isn't. Freedom of speech in the US (since Google is based there, and maybe you too?) is about the government placing restrictions, not companies or individuals. As an individual (or company), you're free to limit the speech of anyone you want on your platform, for any reason. You might face public outcry, but it isn't a freedom of speech issue as it's on a private platform in the first place.
They provide all the tools to discover high quality videos and channels. It's called "like and subscribe". If you use those features, it doesn't take long before YouTube shows you only high quality videos. And there's also the dislike button and "Do not recommend this channel again", if you need.
> Freedom of speech in the US...
Freedom of speech is a subject which is much larger than the US constitution. I'm not saying YouTube isn't legally allowed to block sponsored segments. I'm saying that they might not want to because they don't want to limit their creators' speech in that matter. Especially considering how easy it would be to side-step. What would be their reason? They've already made it easy to skip sponsored segments.
>Creators can just omit that some product is sponsored.
Not true in the US, where the FTC requires (and has required for decades) disclosure by the creator to the viewer whenever a payment has been made to the creator to promote anything. On Youtube, this is typically done by the creator's saying (in the video) "this video is sponsored by Foo Corporation", or, "I wish to thank the sponsor of this video, Foo Corporation".
Personally, I'm unhappy with Premium's built-in sponsor skip. For one thing it becomes available to me only after enough previous viewers have manually skipped over the sponsored segment. For another, it sometimes skips ahead too far (probably because the viewers who manually skipped weren't precise in skipping exactly to the end of the sponsored segment). I'd much rather Youtube allowed the uploader to declare (to Youtube) that the upload is free of sponsors (e.g., by checking a box) and then punished the uploader somehow if he routinely declares falsely. With that information, Youtube could and IMHO should give me the option of telling Youtube somehow (e.g., by checking a box) that I prefer for sponsored videos to be omitted from my recommendations.
I don't think individual YouTube creators are too much concerned about FTC rules and regulations.
Although I like your idea about creators themselves having to declare to YouTube their sponsored segments.
Individual Youtube creators in the US most certainly are concerned about the FTC and about this rule specifically because they do not want to find themselves in court explaining to a judge why they shouldn't pay a big fine.
Also, if the creator doesn't follow the rule, the sponsor can be fined by the FTC, so even before the FTC notices the violation, the sponsor will probably notice and refuse to continue the relationship unless the creator's videos come into compliance with the rule.
Again, this rule has been in effect for decades in the US. Advertisements in the US must be labeled as such. Ditto paid endorsements.
Youtube is both 10x and 0.1x the quality, and the official app has no way to filter it. They even removed the feature (downvotes) to let the user filter it.
And the proliferation of AI videoslop is only making the 0.1x side larger and larger.
Sponsored segments are skipped with a single button push, so they are negligible. It also comes with YT Music.
SponsorBlock helps with them.
I do not use it because I do want to support the people I watch. I just skip manually if it is of no interest.
I have YT Premium that pays much more than sponsors. That's also why I just use Firefox instead of third party apps to watch YT.
Essentially every YouTuber I've watched who discussed their financials said that their sponsorships brought in several times more money than all forms of YouTube money.
Which is a very niche slice, and I have no idea how representative it is in aggregate. But sponsorships happen because they pay well enough to annoy every viewer, not just ones that aren't using the better-paying Premium - they generally are not cheap, to say the least.
Linus Tech Tips disclosed their finances: https://www.reddit.com/r/LinusTechTips/comments/1jjplow/ltt_... - and their sponsorships are less than the YT ads income.
If you look at Premium, it's about 100x more lucrative than regular views. So I'm pretty sure I'm providing more money to creators than the skipped ads.