[Security Issue] Using Home Button Makes PIN Bypass Possible



Posted

Following up on the earlier thread Home button only pauses, I figured I'd post this separately since it's a related but distinct issue that still needs attention.

When you press the Home button on Android, Emby doesn't actually end or time out the current session and just pauses playback instead. This means that if you later reopen the app (even a day later), you're still logged in. This completely bypasses the intended PIN protection and now gives any other user full access to your protected libraries, plus full access to the server configuration settings.

In that previous thread, @Luke mentioned that Emby should automatically time out after 10 minutes, but that's not working as intended. I've confirmed this multiple times on different Android/Google devices. I can press Home and leave the app closed overnight, but when I open Emby again the next day I'm still logged in.

Could we please get clarification on whether this behavior is expected, and if not, when a fix might be implemented? This seems like a significant security concern, especially on shared devices, and it's worked like this for well over a year now as far as I know.

Posted
13 minutes ago, Tigga5 said:

plus full access to the server configuration settings

Only if you logged in as an admin account.

Posted

If it's been at least 10 minutes and you have your startup behavior option set to show login, then it will stop playing.

Posted
18 minutes ago, Luke said:

If it's been at least 10 minutes and you have your startup behavior option set to show login, then it will stop playing.

I think you're misunderstanding, playback isn't the issue here. The issue is the fact that if I use the home button, it's auto-logging me in when I come back. Even hours (or a full day) later, reopening the app brings you straight into the user account without asking for the PIN. This is despite always having the "Startup behavior" option set to "Show login screen".

Posted

I think the main problem here is your understanding of the Home button. It's not designed to log you out or end the app. It's designed to take you to the Home screen, leaving the app in memory. You can use an app switcher to quickly go back.

Better to actually exit the app, using the back button and the exit option. The security issue is actually how you are using the remote. 

Gilgamesh_48
Posted

Question for either @Luke or @ebr:

Is there any way to make "home" actually exit the app? If I use the back button now it takes three keypresses and I have to change which button I am pressing since you foolishly added the exit dialog. I do not like the dialog and I detest the fact that there is no way to exit the app with a single keypress and I NEVER EVER want apps to keep playing after I exit but, apparently, Android likes forcing excessively convoluted things on users. I will soon, the way things are going, run out of devices that are both user friendly and functional. 

Maybe make a long press of back actually exit. I guess I "could" program a macro on my remote but I do not like that solution as macros miss a keypress much too often. A key that actually exits the app on one press might be a good solution key. I could go back to using my Rokus but the Roku company is changing and in a direction that will make using their products uncomfortable at best. I do not have more than a couple of years or maybe three, if I am lucky, left on this world but the current way apps work may make it very hard for me to watch my content.

Posted (edited)
6 hours ago, kaj said:

I think the main problem here is your understanding of the Home button. It's not designed to log you out or end the app.

Thanks for your comment. At the risk of having my comment split yet again...

I understand that the Home button doesn't log you out or end the app. I get that! BUT, shouldn't it stop Live TV playback/streaming and release the HDHomerun tuner channel...like it does in the AndroidTV app?

It would be nice if the devs could explain the Home button and its behavior & how it behaves totally different in the universal and androidtv app.

Edited by rdhardi
Happy2Play
Posted
24 minutes ago, rdhardi said:

At the risk of having my comment split yet again...

I understand that the Home button doesn't log you out or end the app. I get that! BUT, shouldn't it stop Live TV playback/streaming and release the HDHomerun tuner channel...like it does in the AndroidTV app?

It would be nice if the devs could explain the Home button and its behavior & how it behaves totally different in the universal and androidtv apps.

It really depends on what signal the button actually sends to the Server. The Roku is the same way, as the home button does not signal the server to Stop, so content can/will still be playing until the server kills the connection when actually identified. So it could be as long as the "Are you Still watching" messaging.

Posted (edited)
1 hour ago, Happy2Play said:

So could be as long as the Are you Still watching messaging.

Appreciate your reply!  So, just to clarify, are you saying it could be if I have "Are you Still watching messaging" enabled? 

I'm one of those people who sleep with the TV on for background noise...if the TV turns off, I wake up. I always have a Live TV channel on...so I've always had "Are you Still watching messaging" disabled for years. 🫤

As for what signal the button actually sends to the Server...that's interesting. I'm using a Shield Pro remote. Apparently, it sends the correct signal when I'm using AndroidTV....but maybe not with the Universal Android app? I'll try to look into that, though I'm not really sure how to lol. 

For now, I've given up on the universal app and gone back to AndroidTV (v2.1.28). Thanks for the update, @ebr, working as expected!


Edited by rdhardi
Posted
14 hours ago, kaj said:

I think the main problem here is your understanding of the Home button. It's not designed to log you out or end the app. It's designed to take you to the Home screen, leaving the app in memory. You can use an app switcher to quickly go back 

Better to actually exit the app, using the back button and the exit option. The security issue is actually how you are using the remote. 

The AndroidTV and Universal Android apps behave differently in this regard. The ATV app stops streams, closes session and exits when you press the Home button on a remote. The Android app leaves a paused but active session behind. The issue reported in this thread is that anyone can resume a session that was closed using the Home button without reauth when the app is configured to show login and prompt for PIN. This can be a problem for users with different accounts and parental controls.

It's not too much to ask the devs to make a new Android app they developed behave like the old Android app they developed, is it?

Posted
15 hours ago, kaj said:

I think the main problem here is your understanding of the Home button. It's not designed to log you out or end the app. 

That's not the behavior on the old Android TV app, Plex, Amazon, HBO, or any other app that I'm aware of. If the app is not active and requires authentication, then you shouldn't be able to relaunch the app a day later and be automatically logged in. @Luke has also said in a different thread that it times out after 10 minutes and should require a login, but it's obviously not working the way he seems to think. 

FrostByte
Posted

Neither app closes when clicking Home and both continue to run in the background.  Using Exit will close the new app.

AndroidTV didn't have the ability to use PiP or play music outside of the app so it really didn't need to keep sessions open when clicking Home.  The new app needs to be smarter though on when to close those sessions and not reauthenticating even after 10 minutes seems to be a bug if not working. 

Until then I would disable PiP (if not used) and force close the app after clicking Home by double clicking Home again.  That should close the new app and hopefully force reauthentication. 


Posted
23 minutes ago, FrostByte said:

or play music outside of the app

Android TV can play music when the app is in the background.

IMO, if you put the app in the background - by any method - and don't return "immediately" (within some reasonable timeframe like just a few minutes) and you have the PIN configured and you aren't actively playing something that is visible/audible, then the app should re-prompt for the PIN. 

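A small model of the resume-time check ebr describes in the post above, added here as an example and not code from the Emby apps: the decision depends only on whether a PIN is configured, how long the app has been out of the foreground, and whether media is still actively playing, never on which button put the app in the background. The class and method names, and the 10-minute grace window (the figure quoted in the thread), are assumptions.

```python
"""Resume-time PIN policy (added example; class and method names are assumptions)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResumeLockPolicy:
    """Decides whether the PIN must be re-entered when the app comes to the front.

    The answer depends on (a) whether a PIN is configured, (b) how long the app
    has been out of the foreground and (c) whether media is actively playing.
    It does NOT depend on whether Home, the app switcher or the screen timeout
    put the app in the background, which is the behaviour requested above.
    """
    pin_configured: bool
    grace_seconds: float = 600.0  # the 10-minute window quoted in the thread
    _left_at: Optional[float] = field(default=None, init=False)
    _locked: bool = field(default=True, init=False)  # locked until first unlock

    def unlock(self) -> None:
        """Called after the user entered a correct PIN."""
        self._locked = False

    def on_background(self, now: float) -> None:
        """Home, app switcher, screen off: record when the UI went away."""
        if self._left_at is None:  # keep the earliest timestamp if called twice
            self._left_at = now

    def on_exit(self) -> None:
        """Explicit Exit: the session is gone, so the next launch must ask."""
        self._left_at = None
        self._locked = True

    def needs_pin(self, now: float, actively_playing: bool) -> bool:
        """Return True if the PIN prompt must be shown before the UI is revealed."""
        if not self.pin_configured:
            return False
        if self._locked:
            return True
        if self._left_at is not None:
            away = now - self._left_at
            self._left_at = None  # we are back in the foreground now
            # Visible/audible playback keeps the session alive (music, PiP);
            # otherwise the grace window decides and the session locks.
            if not actively_playing and away >= self.grace_seconds:
                self._locked = True
                return True
        return False
```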
Posted
10 minutes ago, FrostByte said:

Neither app closes when clicking Home and both continue to run in the background.  Using Exit will close the new app.

AndroidTV didn't have the ability to use PiP or play music outside of the app so it really didn't need to keep sessions open when clicking Home.  The new app needs to be smarter though on when to close those sessions and not reauthenticating even after 10 minutes seems to be a bug if not working. 

Until then I would disable PiP (if not used) and force close the app after clicking Home by double clicking Home again.  That should close the new app and hopefully force reauthentication. 


Yeah, it's likely a combination of features in the new app causing the problem and the workarounds are no more than that. For some reason the devs still haven't acknowledged the problems and their response is to state how they think the app should work, not how it's actually working. This isn't helpful but that seems to be the usual approach whenever someone points out that the new Android app hasn't reached feature parity with the ATV app.

There are other platforms, like Roku, for which they stated it wasn't an option available to the app and "proper exit" was the only way to avoid runaway sessions. But we know that the AndroidTV app can close cleanly with the Home button so the new Android app should be able to do the same.

You also posted in this thread so you know the Home/Exit thing seems to affect more than PIP and session timeouts.

FrostByte
Posted
3 minutes ago, ebr said:

Android TV can play music when the app is in the background.

IMO, if you put the app in the background - by any method - and don't return "immediately" (within some reasonable timeframe like just a few minutes) and you have the PIN configured and you aren't actively playing something that is visible/audible, then the app should re-prompt for the PIN. 

Agree, supposedly the new app should prompt after 10 mins like other apps, but it doesn't seem to be working for some.

FrostByte
Posted
6 minutes ago, Q-Droid said:

You also posted in this thread so you know the Home/Exit thing seems to affect more than PIP and session timeouts.


True, but you do what you can until it gets fixed :)

Posted

You could always disable background applications in the developer options until the app is "fixed". Just enable "Don't keep activities" and you could probably also set the background process limit to "No background processes".


Posted
19 hours ago, ebr said:

Android TV can play music when the app is in the background.

IMO, if you put the app in the background - by any method - and don't return "immediately" (within some reasonable timeframe like just a few minutes) and you have the PIN configured and you aren't actively playing something that is visible/audible, then the app should re-prompt for the PIN. 

Yes, that’s exactly the behavior I’d expect. If the app is not actively playing anything, it should re-prompt for the PIN after a short timeout. The problem is that this isn’t happening at all right now, and it hasn’t for a long time. So at this point I really hope someone with the ability to actually change that behavior will take a look at it.

Posted

@Luke Just checking back on this since it's been a week, several other users obviously have the same concerns, and your only reply here clearly showed a misunderstanding of the issue reported. This is a real issue for anyone using PIN protection, and it doesn't seem like it's getting acknowledged. Could you please address this directly so we know whether it's being taken seriously?

Posted (edited)

@Luke You’ve been active all over the forum this week. Any chance you could actually address the part where the PIN system doesn’t work at all when the app is backgrounded?

Or should we just assume the official stance is: "security feature doesn’t work, please stop noticing"? If the plan is to ignore this forever, just say so. At least then we know the PIN feature is just decorative.

Edited by Tigga5
Posted (edited)

@Tigga5 I can't remember, are you using Emby on a TV?

If so, have you tried going back to using the Android TV app (recently updated to 2.1.28) instead of the Universal app? Search for Emby for Android TV (Beta) in Play Store.


Edited by rdhardi
Posted

@Tigga5 Too late to do an edit, but my first sentence should read:

I can't remember, did you use the Android TV app and then “upgrade” to the Universal app?


Posted

@rdhardi Thanks for the suggestion. That would be a good work-around if needed, but I haven't actually used Emby on a regular basis for at least 3 years now. I just want to see the current and future app become genuinely fit for purpose rather than moving to a deprecated app that's been losing features. I've tried a few times now over the last 2 years to make the switch back to Emby, but every time I try there are just more issues and a recurring theme of the devs trying hard to pretend they don't exist or shouldn't matter. It's starting to feel a lot like a loop.

FrostByte
Posted

Until Luke looks at the problem you could also try double clicking Home and force closing the app after you clicked Home to exit. At least you wouldn't have to worry about someone opening with your account. At that point though you probably aren't saving yourself many clicks vs just using the Exit option from within Emby.

  • 1 month later...
Tigga5
Posted

@Luke Just checking in to see if ignoring this indefinitely is the official Emby response? Curious if that's the new approach to critical issues around here.
