Is Emby Theater for Linux phoning home?

[DWeiers 2]

Hi there,

I am using Emby for years now and am very fond of it. I have an Emby Server set up on my local network can can easily access it from within my network as well from outside. I do not use Emby Connect, I connect to the servers manually (i.e. by entering the address and portnumber of the server). Everything is working like a charm ... and it's been doing so for years now. I bought an Emby Premium lifetime subscription very early on (first and foremost to support this great software) and am still very happy that I did so. Why am I telling you this? Because I want to make clear that I am a longtime user who really likes this software and wants to continue using it. But recently I came across a behaviour of Emby Theater which I personally find a little disturbing. Let me explain:

In a move to enhance my personal cyber security I recently installed Safings Portmaster Firewall on my devices (one laptop and one desktop, both running linux). Emby Theater for Linux is installed on both devices and everything works fine but when I inspected the network traffic generated by Emby Theater I realized that every time it starts up it is initiating an outgoing connection to tv.emby.media (resolved as an IP located in the US). This connection is aparently encrypted (using port 443). I did not yet test this when connecting while being away from home, but when connecting from within my local network Emby Theater definitely behaves like this every single time.

I was a little suprised and somewhat concerned about that since the whole Emby stuff is supposed to exclusively run on my own devices an within my own infrastructure (at least while being in my local network). Since I'm not using Emby Connect it should not connect to any servers other than my owns (even when I'm not at home).

So I came up with the conclusion to just block access to tv.emby.media for the Emby Theater app. But once I did the app won't start up anymore. All I get is a black screen (or rather a black window without anything showing in it). The App is not exactly crashed (I can anytime just close it using ALT + F4), it's just not starting up completely. As soon as I remove the block from tv.emby.media the app starts up normally and works perfectly.

So my conclusion is that for whatever reason the Emby Theater App (at least the current version 3.0.19 for Linux) needs to contact tv.emby.media upon startup to work. I don't know why this is the case but I'm somewhat concerned about that. An App which is handling private data (and I consider my movies, musik and especially my pictures private data) should never contact some server without consent from the user. And if the user does not consent it should still work normally without contacting that server (there are after all some scenarios where such a contact is just not possible, e.g. if the ISPs connection is down).

So please dear Emby team I would like to know why Emby Theater is behaving like this, or better even, I would like to simply have this behaviour removed from the app completely.

Many thanks

Daniel

[GrimReaper 3294]

All client apps will occasionally have to "phone home" - Theater included. Moreover, Theater Desktop won't even start if no internet connection present, as you've found out already. 

[DWeiers 2]

What I am a little concerned about is what data is transmitted on this connection.

Is any usage data, or even personal data transmitted?

That means if there is no internet connection I won’t be able to use Emby Theater?

[GrimReaper 3294]

10 minutes ago, DWeiers said:

Is any usage data, or even personal data transmitted?

AFAIK not, it's for validation purposes only. @ebr

11 minutes ago, DWeiers said:

That means if there is no internet connection I won’t be able to use Emby Theater?

For the time being. IIRC there are some Theater upgrades in the works, Devs would have to revert on whether those changes are included. @Luke

[Luke 37068]

Hi, it periodically checks premiere status as well as checks for updates.

 If there is no internet connection you should be able to use it for a little while although not permanently.

[GrimReaper 3294]

6 minutes ago, Luke said:

If there is no internet connection you should be able to use it for a little while although not permanently.

Why would ET for Linux and ET for Windows behave differently then? 

[DWeiers 2]

17 minutes ago, Luke said:

Hi, it periodically checks premiere status as well as checks for updates.

 If there is no internet connection you should be able to use it for a little while although not permanently.

I thought premiere was a server thing. I.e. whether there are any premiere features present depends on the server. And the server has to have a valid premiere key. So if at all it would make sense for the server to check for premiere status, but not the client. Or am I getting something wrong there?

From my testing I can confirm that at least the Linux version seams to not work at all without internet connection.

[GrimReaper 3294]

1 minute ago, DWeiers said:

From my testing I can confirm that at least the Linux version seams to not work at all without internet connection.

Yep, hence the question above as same behavior is encountered under Windows (and there are numerous topics regarding same). UWP Theater (Theater Store) under Windows will run on cache for a while (a week, more or less) but Theater Desktop (downloaded from Emby website) never did (nor does the current 3.0.20).

[Luke 37068]

1 hour ago, GrimReaper said:

Why would ET for Linux and ET for Windows behave differently then? 

ET for linux and ET for windows desktop are the same. The Windows Store version is similar, it also checks Premiere status periodically, but the difference is that updates come from the store and not our servers.

The two windows apps are soon to be unified and everything will be coming from the store, so getting updates from our servers will no longer a thing on Windows.

For Linux, there's a strong chance we will revamp the app later this year after Windows, but that's still to be determined.

[GrimReaper 3294]

14 minutes ago, Luke said:

ET for linux and ET for windows desktop are the same.

That was my understanding through all these years, therefore the question as ET for Windows never worked without internet connection (at least as long I've been using it, better part of a decade) hence I was confused by your statement. Theater Store will run on cache - Theater Desktop won't. 

Edited February 27 by GrimReaper

[darkassassin07 423]

1 hour ago, DWeiers said:

I thought premiere was a server thing. 

Both the server AND the clients must check your license with embys public servers.

 

If the clients exclusively checked with your server, you would be able to spoof a response that would allow clients to bypass the premier device limits and the requirement for premiere altogether.

 

It would allow you to host a premier enabled server without actually buying premier at all.

[DWeiers 2]

On 2/27/2024 at 10:41 PM, darkassassin07 said:

[…]

If the clients exclusively checked with your server, you would be able to spoof a response that would allow clients to bypass the premier device limits and the requirement for premiere altogether.

[…]

I thought the Premiere Key for the server was some kind of certificate digitally signed by Emby Media that would enable the server to cryptographically prove its premiere status to the client without it having to check against an authentication server every time. That IMHO would be more robust than just a random “serial number“ which could be spoofed as you said. It would also work independent from any other infrastructure (e.g. no need for a n internet connection).

Many thanks for the clarification. Now I see why it is behaving like that (I understand the necessity of properly checking the premiere status, of course). I still don’t really like it, though. It still feels a little creepy to me and I would greatly appreciate if the premiere check could be done differently. But, maybe, that’s just wishful thinking.

Anyway, many thanks for your help and for creating and maintaining this awesome software. 

[darkassassin07 423]

It's not just a matter of proving you have a premier license, but also checking that you are within the limits of that license.

 

If your server is the only thing tracking how many devices are in use, it can just lie as you've got control over both the server and the client.

Edited March 1 by darkassassin07

[DWeiers 2]

As I said in the beginning I already got the premiere license straight at the beginning of my time with emby. I never encountered any problems so far, but now I am wondering about two things.

I now know that there actually is some kind of online-only restriction on the Emby Theater App. This restriction is based on the fact that an active emby premiere tier has to be confirmed. What I am wondering about now is:

1. Does this limitation apply the same way to the other apps (especially the ones for iOS and AppleTV)?

2. Does this limitation no longer apply, if I deactivate emby premiere? I still have the lifetime tier but I could of course just deactivate and reactivate it in the server anytime. I would like to know whether this would make Emby Theater (and the other apps) work offline.

Depending on the second point I might actually consider doing so (would have to check for the exact benefits of the premiere tier first, though). Another option would be to temporarily deactivate premiere for use cases where I don’t have an internet connection in order to make emby work offline.

I just looked up the benefits of emby premiere. Is it correct that all the apps only work with premiere ? Does that mean without premiere I could just use the webversion of the mediaserver?

Edited March 2 by DWeiers

[GrimReaper 3294]

1 minute ago, DWeiers said:

1. Does this limitation apply the same way to the other apps (especially the ones for iOS and AppleTV)?

In general: yes. You can check per platform/per client apps requirements here:

Emby Premiere Feature Matrix

2 minutes ago, DWeiers said:

2. Does this limitation no longer apply, if I deactivate emby premiere? I still have the lifetime tier but I could of course just deactivate and reactivate it in the server anytime. I would like to know whether this would make Emby Theater (and the other apps) work offline.

Nope, there's is no benefit in deactivating Premiere, number of client apps will offer only limited playback (and no LiveTV or other Premiere features) in that case. Theaters in particular require active Premiere subscription for Full Playback (as noted in the above matrix).