Removal of privacy-intrusive tracking + Security requests



boomer41

Good Day,
 
As I was reading through the code of the media server, I found the following privacy and security issues:
 
Unique device ids + user account names sent to mb3admin.com.
Each device is generating a unique device id, which is then sent to mb3admin.com. This also includes the server's unique key and the user's username. This allows per-user and per-device tracking, including public IP addresses. I understand that this is used to verify premiere licenses. But please proxy these requests through your local Emby server - or even better - check those licenses locally. If you want to say that this is then easily crackable, please read until the end.
 

"GET /admin/service/registration/validateDevice?serverId=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&deviceId=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY&embyUserName=XXXXXX&deviceName=Chrome&appName=Emby%20Mobile&appVersion=3.2.26.0 HTTP/1.1" 200 31
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 
Removing mobile app statistics collection or implementing an opt-in/out feature

Please read ebr's answer to this point.

Currently the Android mobile app sends statistics to mb3admin.com, whereas there is no notice to the user that data is sent, nor is there an opt-in/out setting. This is definitively violating the user's privacy. Please create a setting to opt in to sending statistics. Opt-out would also be OK if you inform the user before sending any data. And again, this leaks the user's public IP address.

"GET /admin/service/statistics/appAccess HTTP/1.1" 200 0

Emby server "registers" with Emby connect using the server's unique key
Please only register with emby connect when there are actual users with an emby premiere email attached. This also leaks the server's unique key and enables tracking.

Info HttpClient: HttpClientManager POST: https://connect.emby.media/service/Servers?id=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Info HttpClient: HttpClientManager GET: https://connect.emby.media/service/ServerAuthorizations?serverId=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Adding HTTPS certificate validation
Currently, the Emby Server does not even bother to check the validity of the mb3admin.com certificate. With that said, it is very easy to redirect victims to a malicious proxy, which then sends malware packaged in plugin updates. There is no validation of these plugins.
The Android app asks me in this case to trust the new Emby server? What the hell?
 
Some words about product piracy
As I already mentioned, you want people to support this product. This is absolutely fine! The only problem is your style of enforcing the restrictions. I understand that you don't want people to sell emby premiere to thousands of users, and thus need to check whether this is the case. But you can also do this locally, as both systems are easy(!) to crack.
 
People who want to support this software will buy it anyway, because it is freakin' awesome! And there will always be black hats cracking it in 5 minutes.
Please focus on privacy, not on tracking the hell out of people.
 
Thanks.
 
Stephan

Edited by boomer41
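As an added example that is not code from the thread or from Emby: a small egress audit in Python that parses the two log formats quoted in the post above (the access-log line and the HttpClientManager line), extracts each outbound request and lists which of the identifying parameters named in the post (serverId, deviceId, embyUserName, and the id sent to Emby Connect) it carries. The sample lines and their placeholder values are constructed, and mb3admin.com is assumed as the host for the access-log lines, which carry no host of their own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters that identify a server, a device or a person, as seen in the
# requests quoted in the thread ("id" is the server key sent to Emby Connect).
IDENTIFYING_PARAMS = {"serverId", "deviceId", "embyUserName", "id"}

# Format 1, access-log style:  "GET /path?a=b HTTP/1.1" 200 31
ACCESS_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Format 2, Emby server log style:  ... HttpClientManager POST: https://host/path?id=...
SERVER_LOG_RE = re.compile(r"HttpClientManager (?P<method>[A-Z]+): (?P<target>https?://\S+)")

def parse_request(line, default_host):
    """Return (method, host, path, query) for a request line, or None for other lines."""
    match = ACCESS_LOG_RE.search(line) or SERVER_LOG_RE.search(line)
    if match is None:
        return None
    parts = urlsplit(match.group("target"))
    # Access-log lines carry only the path; the caller names the host the log belongs to.
    host = parts.hostname or default_host
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return match.group("method"), host, parts.path, query

def audit_egress(lines, default_host):
    """List every outbound request together with the identifying parameters it carries."""
    findings = []
    for line in lines:
        parsed = parse_request(line, default_host)
        if parsed is None:
            continue
        method, host, path, query = parsed
        leaked = sorted(name for name in query if name in IDENTIFYING_PARAMS)
        findings.append({"method": method, "host": host, "path": path, "identifiers": leaked})
    return findings

# Constructed sample lines modelled on those quoted in the thread; the
# serverId/deviceId values are placeholders, not real identifiers.
SAMPLE_LINES = [
    '"GET /admin/service/registration/validateDevice?serverId=SERVER_ID_PLACEHOLDER'
    '&deviceId=DEVICE_ID_PLACEHOLDER&embyUserName=alice&deviceName=Chrome'
    '&appName=Emby%20Mobile&appVersion=3.2.26.0 HTTP/1.1" 200 31',
    '"GET /admin/service/statistics/appAccess HTTP/1.1" 200 0',
    "Info HttpClient: HttpClientManager POST: https://connect.emby.media/service/Servers?id=SERVER_ID_PLACEHOLDER",
    "Info HttpClient: HttpClientManager GET: https://connect.emby.media/service/ServerAuthorizations?serverId=SERVER_ID_PLACEHOLDER",
    "Info App: unrelated line with no outbound request",
]

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LINES, default_host="mb3admin.com"):
        print(finding)
```

Running the audit over a real proxy or server log shows at a glance which vendor endpoints receive identifiers and which calls carry none.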

 

Removing mobile app statistics collection or implementing an opt-in/out feature

Currently the Android mobile app sends statistics to mb3admin.com, whereas there is no notice to the user that data is sent, nor is there an opt-in/out setting. This is definitively violating the user's privacy. Please create a setting to opt in to sending statistics. Opt-out would also be OK if you inform the user before sending any data. And again, this leaks the user's public IP address.

"GET /admin/service/statistics/appAccess HTTP/1.1" 200 0

 

Despite the URL, this is not statistics collection. This is validation for people who purchased a previous developer's version of the app. It allows us to give them access without having to re-purchase.

 

Statistics collection does have an opt in/out setting on the server and is run through the server.

 

For more information on our privacy policy, please see here.


For the android mobile one now that we are doing store vouchers instead, eventually that will be able to just go away, but not yet.
