Announcement from the dev, in the project GitHub and Patreon:
Friends, it seems that my digital signature has been exposed. This signature protects the app from fake and malicious updates, so there is a risk that someone may try to release counterfeit versions under my name.
To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates) — the new one will install as a separate app and will need to be configured again.
Thank you for your understanding and attention to security.[1][2]
---------------
There aren't any new apk releases on GitHub yet. However, concerningly, the SmartTube website (which I won't link directly) still offers undated "Stable" and "Beta" downloads.
It sucks to deal with security breaches as an indie or solo dev, but I'll be waiting for a more detailed postmortem before assessing whether to install a future release... Hopefully one that details new security procedures to guard both the dev's key and the production build environment.
Factory resetting my Shield as a precaution, but nothing sensitive was really on there, and Android's security model did exactly what it was supposed to and limited the damage. When using a third party app like this, it's prudent to use it signed out or else with a purpose specific Google/YouTube account which is connected to nothing else critical.
[1]: https://github.com/yuliskov/SmartTube/releases/tag/notificat...
[2]: https://www.patreon.com/posts/important-144473602
> To completely eliminate any threats, I’ve decided to stop using the current signature and switch to a new one. Because of this, the app’s identifier will also change. You don’t need to delete the old app (but it will no longer receive updates)
I'm curious if this is the best idea? Like, if you don't read all the GitHub releases thoroughly or miss the HN material, and instead you just auto-install updates, you downloaded a malware-infested version which will be on your device until you learn otherwise?
At this point, Play Protect will remove the apks with the old signature because the developer marked the old signature as compromised. The developer acted correctly and responsibly in doing so, and seems to be working out establishing a new setup now, including a new signing key.
For those using sketchy devices without Play Protect and also installing random apks without an understanding of security or Android's trust-on-first-use model, there's not much anyone can do.
From my understanding, https://github.com/yuliskov/SmartTube/releases/download/late... links to 30.56, which is the newest clean version. The old app stopped at 30.48.
I installed 30.56 from the git link on my Shield. It did not overwrite the old one, as it has the old signature. I manually uninstalled 30.48. I did not use the backup/restore option in either as I didn't want to dirty any data in the new app.
For me, the link to just the releases returns an empty list at present:
https://github.com/yuliskov/SmartTube/releases/
Backup/restore is just XML files that you can open and inspect
> SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware.
Seems it's lacking in information about how malware manages to compromise supposedly signed releases? Do authors not have the production signing keys behind a password or similar, and review 100% of the changes before they deploy stuff?
I swear the more time goes on, the more I'm losing faith in the entire ecosystem. People running random binaries on the same device they do banking on always surprised me, but now developers manage to get malware on their developer machine and are publishing random binaries to other strangers???
The malware need not actively create a release like a worm; it can just infect every build, and if you don't check carefully, your next regular release will contain it.
It's one of the reasons we fight holy wars for SSO and strict login rules even for Dev or QA environments -- if you can get in during a dev build you can get stuff in there that carries through.
Maybe QA will find it... but they're testing X number of JIRA tickets based on Y epics and if it's not on the list they're not looking...
I really hope Google doesn't pick this out (and similar events) as further justification for getting rid of APK-based installation.
Blocking file-based installations was never planned. It's fake news and always has been. It's all about requiring code signing for all code so that malware-spreading authors can be easily blocked by adding their signing key fingerprint to the blocklist.
It doesn't matter whether the app is installed via Play Store, Huawei's or Samsung's store etc., or from APK.
This is a drastic misrepresentation of the situation. All Android apps already have code signing, you cannot install an app unless it has a signature, and any future updates are blocked unless the signature matches. This is how it's been practically since the start of Android, it's part of the security model to prevent something like a malicious Firefox APK stealing your cookies.
What's new is that they were gonna block installations outside of Google Play, unless the developer has signed up for Google Play Console and has gone through a verification process there, whitelisting their signing key fingerprint. However, they've walked back on this and said they'll create a new "advanced flow" for "advanced users" that's "designed to resist coercion" to bypass this restriction. Door-in-the-face technique IMO; the existing 12-step process for installing an app was already complicated enough.
So effectively the result is that file-based installations will be blocked unless Google has specifically whitelisted their key through the Google Play Console verification process, or the user goes through this "advanced flow", of which we're yet to see any details.
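The install rules the two comments above argue about (a package pins its signing certificate on first install, an update signed by a different key is refused, and a key the developer marks as compromised gets its apps disabled) are easier to reason about as a small model. The following is an added example written for this thread, not Android's or the SmartTube project's code; the `Device` class, the `revoke` method standing in for Play Protect, and the certificate bytes are all constructed assumptions, and the real platform behaviour has more nuance than this.

```python
"""
Added example (not Android's or the project's code): a model of Android's
trust-on-first-use install rules as described in the thread, plus a
revocation list standing in for Play Protect disabling apps whose developer
marked the signing key as compromised. Certificates are constructed bytes.
"""
import hashlib


class SignerMismatch(Exception):
    """Raised when an update's signing certificate differs from the installed one."""


class RevokedSigner(Exception):
    """Raised when an APK is signed by a key on the revocation list."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class Device:
    """Hypothetical device state: installed packages and their pinned signers."""

    def __init__(self):
        self.installed = {}   # package id -> signer fingerprint
        self.disabled = set()
        self.revoked = set()

    def install(self, package: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        if fp in self.revoked:
            raise RevokedSigner(package)
        if package in self.installed and self.installed[package] != fp:
            # Same package id, different signer: the update is refused rather
            # than letting a counterfeit build take over the app's data.
            raise SignerMismatch(package)
        self.installed[package] = fp  # first install pins the signer (TOFU)
        return fp

    def revoke(self, cert_der: bytes) -> list:
        """Developer marks a key compromised: every app signed with it is disabled."""
        fp = fingerprint(cert_der)
        self.revoked.add(fp)
        hit = [p for p, f in self.installed.items() if f == fp]
        self.disabled.update(hit)
        return sorted(hit)


# Constructed certificate bytes; real ones would be the DER certificate from the APK.
OLD_CERT = b"constructed DER of the leaked certificate"
NEW_CERT = b"constructed DER of the replacement certificate"


def run_scenario() -> dict:
    """Walk through the thread's scenario: leaked key, new key, new package id."""
    dev = Device()
    dev.install("com.example.tv", OLD_CERT)      # first install pins OLD_CERT
    dev.install("com.example.tv", OLD_CERT)      # legitimate update: same signer
    try:
        dev.install("com.example.tv", NEW_CERT)  # new key under the old id: refused
        refused = False
    except SignerMismatch:
        refused = True
    disabled = dev.revoke(OLD_CERT)              # key marked compromised
    try:
        dev.install("com.example.tv", OLD_CERT)  # old-key build again: refused
        old_blocked = False
    except RevokedSigner:
        old_blocked = True
    dev.install("com.example.tv2", NEW_CERT)     # new id + new key: installs side by side
    return {
        "update_with_new_key_refused": refused,
        "disabled_after_revoke": disabled,
        "old_key_blocked": old_blocked,
        "installed": sorted(dev.installed),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the announcement's consequence concrete: a replacement key cannot update the existing package id, which is exactly why the developer had to change the identifier and why the old install lingers (disabled, if the revocation reaches the device) rather than being replaced.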
What an absolute boatload of lies.
I am currently in the process of "verifying" my identity with the Android Developer console.
In addition to proof of identity (e.g. passport/driver license) Google is demanding a proof of address, government registration, this month's rental agreement, foreign passport... The process is stuck in limbo because months-old documents are deemed "outdated", and I am constantly threatened that my verification request (!) will be denied because of "exceeding allowed number of attempts" (!!)
It shares the same principle as silent Discord account bans and other "verification" harassment schemes, such as Upwork account verification. The excess developers — Google's potential competitors — need to be banished from the platform as quickly and cheaply as possible, so that Google can peddle their own spyware unimpeded.
"Malware spreading authors" or "ToS violating authors" or "authors of piracy apps"?
> Do not download SmartTube from any app store, APK websites or blogs; these were uploaded by other people and may contain malware or ads. SmartTube is not officially published on any app store. Sadly, the Google PlayStore does not allow ad-free Youtube apps using unofficial APIs.
Maybe should actually switch to releasing via F-Droid.
It's kind of shocking to me that so many people would download an app like this and sign in using their actual YouTube account.
It's not just cost and ads. It's having the possibility to reduce attempts to manipulate my inner reptile brain. With various clients, you can disable shorts, recommended, you have sponsorblock, you can replace youtube-face-thumbs with actual thumbs and get crowd-sourced titles that better reflect the contents.
I also don't need to manually go set speed to 1.75x and enable subs in english, it's a one-time setting. _Further_ I can download a video locally, for whatever reason (later viewing, bw throttling, risk of deletion, etc).
As if that weren't enough, I don't have to watch videos logged in, my client is just set up to download my select channels.
I now see zero use of a youtube account.
It has a far better user interface than the official YT interface. And that interface can be heavily customized to your exact preferences.
My wife has YT Premium, and we find ourselves watching YT in SmartTube just because the interface is so much better.
Same here, we also both have YT Premium and use SmartTube. Our dislike of "Shorts" pushed everywhere in the YT app is what got us to switch to SmartTube. We watch YouTube on our 65" TV via Chromecast, so shorts are just really a crap experience and we do not want to see them at all. SmartTube lets us eliminate them, and all the other awesome UI customization makes it a far superior experience.
The cost of being brainwashed by ads and sponsor slots is also high.
Even with YouTube Premium you don’t get the feature set you get with SmartTube. The sponsor block integration on my TV is brilliant.
I think it's more shocking to people how much YouTube Premium costs.
Is $14 dollars for ad-free, unlimited access to literally billions of videos really a steep price? Personally if I were to get rid of all but one of my media subscriptions I would stick with this one, since it's got everything - entertainment, education, inspiration, you name it.
I have premium but also this app. It has SponsorBlock and better UI customization than the official one.
Sometimes people download it because there's no alternative. E.g. the YT app is not available in the play store in their country on that specific hardware, so the only way to be able to view YT is to use an alternative app like this one.
> the only way to be able to view YT
Surely you can use a web browser?
It's such a good client. With the YT Roku app, if you change playback speed, quality will drop to 720p or lower. SmartTube lets me watch at full 1080p with 1.5x speed.
No ads is of course a big plus too.
You can install it on Roku?
I really couldn't care less about my YouTube account
I can't help but think that this is an "I have nothing to hide" argument. It's quite sisyphean to keep accounts perfectly segregated, therefore there's always a chance that personal information can be traced back and pieced together; which, in turn, has "boring-old security" implications: i.e., now someone possibly knows your habits and the times when you are at work.
YouTube accounts and Google accounts have been one and the same since 2009.
That's super cool! Some people care a lot, some people don't care at all. What a strange world.
Google Account.
Not Youtube account.
Technically correct but somewhat misleading. The app in question only asked for the following Google account permissions:
1. Manage your YouTube account
   View and manage your videos and playlists
   View and manage your YouTube activity, including posting public comments
2. View and manage your [YouTube] rental and purchase history
   Your rental and purchase history may be displayed and accessible on this device.
Why?
This will inevitably be used as ammunition against sideloading, but it’s really a lesson in supply chain trust.
When we move away from walled gardens (which I support), the burden of verifying the "chain of custody" shifts to the user. Installing an APK that auto-updates with root/system privileges is essentially giving a single developer the keys to your living room.
We need better intermediate trust models—like reproducible builds signed by a quorum of maintainers—rather than just "trust this GitHub release."
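Two comments in this thread make a point that is worth seeing in code: the one above, that "trust this GitHub release" should give way to reproducible builds agreed on by several maintainers, and the earlier one that malware on the build machine "can just infect every build" so the signature is genuine. The following is an added example written for this thread, not code from the SmartTube project or any of the commenters. It constructs tiny APK-like zips in memory, checks the per-file SHA-256 digests that the JAR-style v1 manifest (`META-INF/MANIFEST.MF`) carries, and applies a simple N-of-M quorum rule over reproducible build hashes. It assumes short manifest lines (no 72-byte continuation wrapping) and deliberately leaves out the `.SF`/`.RSA` signature blocks and the v2/v3 APK Signing Block, since the point is what digest checks can and cannot catch.

```python
"""
Added example (not from the SmartTube project or the thread's authors): a
minimal check of JAR/APK v1 manifest digests, plus a reproducible-build quorum
rule. Every APK below is constructed in memory; nothing is fetched.
"""
import base64
import hashlib
import io
import zipfile

EPOCH = (1980, 1, 1, 0, 0, 0)  # fixed zip timestamp so builds are byte-identical


def build_manifest(entries: dict) -> bytes:
    """Write a MANIFEST.MF in the JAR format Android's v1 signing uses:
    one 'Name:' / 'SHA-256-Digest:' section per file, digest base64 encoded."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(text: str) -> dict:
    """Map each 'Name:' section to its SHA-256-Digest (no line-continuation support)."""
    digests, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
            name = None
    return digests


def make_apk(entries: dict, manifest: bytes) -> bytes:
    """Zip the files plus META-INF/MANIFEST.MF; .SF/.RSA blocks are out of scope."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=EPOCH), data)
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time=EPOCH), manifest)
    return buf.getvalue()


def verify_v1_digests(apk: bytes) -> list:
    """Return names of entries whose bytes do not match the manifest
    (including entries the manifest does not list at all)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(info)).digest()).decode()
            if digests.get(info.filename) != actual:
                bad.append(info.filename)
    return bad


def quorum_hash(builder_hashes: dict, threshold: int):
    """Reproducible-build rule: accept a release hash only when at least
    `threshold` independent builders produced exactly that hash."""
    counts = {}
    for h in builder_hashes.values():
        counts[h] = counts.get(h, 0) + 1
    for h, n in counts.items():
        if n >= threshold:
            return h
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed scenarios ---------------------------------------------------
CLEAN = {"classes.dex": b"dex\n035\x00clean bytecode", "res/layout/main.xml": b"<layout/>"}
INJECTED = dict(CLEAN, **{"classes.dex": b"dex\n035\x00clean bytecode + extra payload"})

# 1. Honest build, tampered after the manifest was produced: the digest check catches it.
clean_apk = make_apk(CLEAN, build_manifest(CLEAN))
tampered_apk = make_apk(INJECTED, build_manifest(CLEAN))
# 2. Compromised build machine: the payload is in the tree before the manifest
#    (and any signature) is produced, so every digest matches and nothing trips.
poisoned_apk = make_apk(INJECTED, build_manifest(INJECTED))

if __name__ == "__main__":
    print("clean:", verify_v1_digests(clean_apk))        # []
    print("tampered:", verify_v1_digests(tampered_apk))  # ['classes.dex']
    print("poisoned:", verify_v1_digests(poisoned_apk))  # []  (signing cannot help here)
    builders = {"dev-laptop": sha256_hex(poisoned_apk),
                "ci-a": sha256_hex(clean_apk), "ci-b": sha256_hex(clean_apk)}
    print("quorum picks clean build:", quorum_hash(builders, 2) == sha256_hex(clean_apk))
```

The third scenario is the one this incident describes: integrity checks and signatures only prove the bytes are what the build machine emitted, so a compromised build machine produces a perfectly valid release. The quorum function shows what changes with reproducible builds: the developer's laptop becomes one voter among several, and its divergent hash is simply outvoted.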
The official announcement is very sparse on details. If the developer doesn't know how his digital signature (and update infrastructure?) was compromised, how does switching to a new signature help? It could get compromised in the exact same way.
The article linked here brings some more details, but also, the official statement doesn't use the word "compromised". If it did, well it would be a statement with different meaning than the one that was released for us to read.
A lot of people installed malware and, to be honest, nothing really happened. They might have had to change their passwords, but it could have been much much worse if Android didn't have good sandboxing.
I hope that Flatpak and similar technologies are adopted more widely on desktop computers. With such security technology existing, giving every application full access to the system is no longer appropriate.
Why do you need Flatpak for sandboxing?
I really dislike Flatpak for installing multiple identical copies of the dependencies.
Just give me some easier to use tools to configure the access that each application has.
> Why do you need Flatpak for sandboxing?
You don't, but as far as I know, Flatpak or Snap are the only practical, low-effort ways to do it on standard distros. There's nothing stopping flatpak-like security from being combined with traditional package management and shared libraries. Perhaps we will see this in the future, but I don't see much activity in this area at the moment.
Really hate these "something was found" announcements.
Which channel distributed the compromised apk? What is the signature of the payload injected? What is the payload, what does it do?
> "It is likely the presence of this malware that caused Google and Amazon to forcibly uninstall SmartTube on some devices, ... "
Where can I read more about *unrequested uninstalls*? Google search only shows results about how impossible it is to remove phone default apps.
That's referring to Play Protect (virus scan-ish thing on Google branded Android) and whatever Amazon's equivalent is, not an app requested force uninstall of some kind.
Thought it was worth mentioning the developer is Ukrainian. If it was a targeted attack, it certainly could be state-sponsored by Russia.
Happy YouTube Premium customer here
I'm a happy YouTube Premium customer too, as well as a happy SmartTube user. The UX is just so much better in SmartTube than the Youtube app. So much customization is possible, and we can completely eliminate every bit of "Shorts".
What can malware in an apk do?
Most likely load arbitrary binary code and execute it. Which also makes it really hard to figure out what it actually did.
Among the options of what could be pushed:
- proxyware, turning your network into a residential proxy that can then be sold to anyone willing to pay for them to commit crimes, send spam, scrape, ... with your IP [I believe this is the primary suspect here]
- other standard botnet crap like DDoS bots
- exploits that try to break out of the sandbox to establish persistence, steal other data, or steal your Google account token
- code that steals all data/tokens that the app itself has access to
- adware that shows ad notifications etc.
- ransomware that tries to prevent you from leaving the app (of course this works best if they get a sandbox escape first, but I'm sure you can get pretty close with just aggressive creative use of existing APIs)
In an article about not downloading malware: "You can use my downloader! It's totally safe, bro!"
Yeah, I'll pass.
The internal auto updater of the app directly uses GitHub as its source; was this also compromised? If the malware was only on some random apkmirror upload then it should probably be fine for most users.
Apparently, yes. My guess is it was the Shai-hulud npm malware leaking their Github keys.
I think this comment relates to the fact that the article mentions the AFTNews Updater app as a way to install SmartTube... a not yet released version of the software?
So we all agree google is probably behind this, right?
That's exactly why I didn't want to trust this app with a Google account; it's mandatory to use it. SmartTube also requires permission to install applications for its updater feature, so if the attack was targeted it's also possible for the malware to install another app to get persistence.
Although it's very unfortunate this happened, and it shows a lack of security practices, this could happen to any and all developers. Compromising other apps you do install.
On my TV the app vanished and after some searching, it was disabled. I was kinda afraid Google had finally (ab)used its Play Services power to ban it. But luckily it was because the developer marked it as compromised. All in all, the impact was minimised this way.
I doubt your statement about requiring a Google account to be connected, as you can also import subscriptions instead of granting access to your account.
> it's mandatory to use it
I've been using it for years and I've never had to sign in.