Articles by DarrenHill

The Freedom of Choice

One of the main tenets of both Kodi and open-source software in general is freedom of choice. By making the software freely and publicly available without charge, users are able to try the software with no financial outlay or risk. As the source code is also available for inspection, the risks of “hidden nasties” such as covert information gathering and other data mining can also be alleviated. Anyone can download, review and audit any part of the software that they wish, as well as submitting any updates, improvements and bug fixes that they may make.

This notion of user choice is also key to the operation and support offered by Team Kodi, both through GitHub and the web forum. One common question is why we don’t do more to combat piracy, especially given our zero tolerance policy towards support (or lack thereof, aside from attempts to completely remove from infected systems). The simple answer is that we believe in user choice, and that if the user makes the conscious and informed decision that they want to use Kodi for such purposes then that is up to them. Similarly, any resultant technical or legal problems which may arise are also down to them, and there’s no liability or responsibility on Team Kodi for what a user has chosen to do.

An Informed Choice

Key to that stance, though, is that the user has made an informed choice. This is the reason why third-party repositories are not usable by default in Kodi. The user has to take a specific action to enable their usage, complete with a warning pop-up message about the risks and liabilities involved. We take responsibility for our official repository and what we allow into it, and content is reviewed and audited before it is included. Any fork of Kodi which seeks to override or remove this default setting would immediately be blacklisted by the team, and no support for it at all would be offered by any official Team Kodi outlet.

Similarly, this is why the team does not allow forks with pre-installed add-ons to be made without complete rebranding and disassociation from Kodi, and why no “builds” are supported. By “build”, here we use the term in the common user parlance (as can be found on many of the third-party YouTube videos and parasitic “fan” websites that we would rather did not exist) for collections of add-ons either grouped into an “all in one” installation, or even images of Kodi with such add-ons pre-installed. This obviously completely removes the user choice element, aside from the choice to install the build in the first place.

The main issues here are twofold. Firstly, whilst such builds tend to install popular piracy add-ons, they often also quietly install other code under the hood with little or no visibility to the user. This can range from scripts that try to maintain the installation (given the limited lifespan of such add-ons) to ones that aim to sabotage or remove those of rival suppliers – and, in the extreme, even to malicious scripts that enrol the device in a botnet, mine digital coinage or perform other nefarious actions behind the user’s back.

Secondly, such builds tend to be advertised on websites and in videos as being official, legal and legitimate. This is often deliberately done to confuse the naive user that they are getting something for nothing and a good deal. Of course, a moment’s thought and common sense should tell anyone that if media providers such as Sky, HBO and Disney charge people what they do for their officially-provided services, then offers of them for free cannot be above board. Similarly, sources or add-ons offering media that wouldn’t normally be available, such as movies that are still in cinema theatres, should also ring alarm bells in the head of any consumer.

Uncommon Sense, or Stating the Obvious?

Unfortunately in this day and age such common sense does not seem to apply to the internet. We often see this on the forum when new users request support for such installations and then apologise with “sorry, I didn’t know” or similar when we decline to assist. They completely miss the point that it was their choice and basic greed that led them there, and a moment’s thought should have given them pause. For some reason users seem to willingly accept the most obviously dodgy deals on the internet, ones that they wouldn’t touch if offered in a pub car park, car boot sale or other “real world” environment.

Our simple advice is to apply the same judgement to your Kodi installation as you would to anything else in life. If the deal you’re being offered seems too good to be true, it quite probably is and there will be a catch somewhere. The team works hard to provide the Kodi software and also to curate the official repository. Both of these can be safely used when obtained from our official site. However, beyond that, the principles of caveat emptor apply. We expect and enforce that users are responsible for their own actions and the repercussions from them.

So before using any third party repository or add-on, take a moment to consider what you know about the authors, their reputation and what they are offering. Don’t be fooled by false promises and dodgy deals – in the end the person responsible for your devices’ safety and security is you.

Repos: When All-in-One Can Be No Fun.

For better or worse, one of the most powerful features of Kodi is the ability to extend its capabilities via addons. Key components in this are the repositories, or “repos” as they’re more commonly known. They allow for quick and simple installation and upgrade of addons, but as with the whole topic they too have a darker and riskier side that many users do not consider.

Before we go into details of those risks, let’s first set the background by considering what a repo actually is and what it enables.

As most users know, there are two main ways of expanding Kodi’s functionality with addons – install from zip and install from repo. Install from zip does exactly what it says on the tin: it installs a given addon into Kodi using a zip file package that contains the addon code. That zip file may be either downloaded from the internet and transferred onto the device where Kodi is running, or it can be accessed directly over the internet via an added source (most commonly through the Kodi file manager). This route is mainly intended for addon development purposes, prior to release and inclusion in a repo.

There are two main issues with this approach. The first problem is that the installation is then static. If the addon is updated or modified, Kodi won’t know this and any updates will need to be manually installed by the user. The second issue, however, is the one most commonly encountered by users, in that any other addons or code that the original addon depends on (that it uses or references, and requires to be installed for it to run) will not be automatically installed. Thus, for the original addon to operate and not just generate log errors or crash, all of its dependencies, both the correct packages and the correct versions, need to be manually located and installed separately.

So, What’s a Better Way?

Using a repo can solve both of these issues. A Kodi repo contains links to the current (and, commonly, also older) versions of the addon plus any required dependencies. So it acts as a “one stop shop” to install the given addon, with the bonus that it can be done via the Kodi GUI using the Install from repo option. With the exception of the official Kodi repo (which comes built into the Kodi core code), the only install from zip that is required is the original one to install the repo itself.

The real power of the repo, though, is that when the addon author updates their addon and pushes that new version to the repo (whether the official one or their own third-party one which the user has installed), then Kodi will see that the update is available and can either offer the update or just update it automatically, depending on configuration. So, with minimal or even no user effort, addons can be quickly and easily maintained, and distributed, keeping all user devices up to date.

Sounds Great – What’s the Catch?

That update functionality is where the potential risks come into play, however, especially for the common third-party “all-in-one” repos (containing addons from multiple authors) that can be obtained from various internet sites and sources. Currently, if a newer version (with a higher version number) of a given addon is pushed to an installed repo, then the addon can be updated regardless of which repo the addon originally came from. Hence, if a malicious programmer pushes a new version of an addon (which may or may not be their own) to an installed repo, then anyone who had the original version will get the poisoned version installed onto their device instead. This is obviously a very undesirable outcome and would lead to widespread issues if a popular addon were to be subverted.

Another big issue with third-party repos is the fact that the domain name might be abandoned and expire while users still have the repository installed. This could enable an attacker to later register that expired domain, effectively taking it over. They could then replace the existing addon content with malicious code. This exact scenario is a significant enough risk to have been covered in several security conferences last year, for example this one.

If Only Someone Could Do Something…

There have been internal Team Kodi discussions on how to manage this risk, ranging from disallowing third-party repos completely, through to only allowing addons to update from their original repo, and on to the official stance of leaving things as they are as all of this should be the user’s responsibility anyway. Another issue is that there are cases which complicate any such restrictions, such as the use of testing “beta” repos for unstable versions of addons either under construction or for adding new features. This most commonly applies to skins, but also when addon authors make early or “bleeding edge” versions of new or existing addons available for public testing using this method.
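To make the mechanics above concrete, here is an added model (not Kodi’s own code) of how “install from repo” resolves an addon and its dependencies from the repos’ addons.xml catalogues, how the “highest version from any installed repo wins” rule lets an all-in-one repo replace an addon that originally came from the official repo, and what the “only update from the original repo” restriction discussed above would change. The three addons.xml documents, the repo names and the addon ids are constructed for the example; the version comparison is a simplified numeric tuple compare rather than Kodi’s real comparison rules.

```python
"""Model of repo-based addon resolution and cross-repo updates.

Added example, not Kodi's own code. Catalogue format mirrors the
<addons><addon id= version=><requires><import .../></requires></addon></addons>
shape of a Kodi addons.xml; the catalogues themselves are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed catalogues: a trusted "official" repo and an "allinone" repo
# that republishes the same addon id under a much higher version number.
OFFICIAL_XML = """<addons>
  <addon id="plugin.video.example" version="1.2.0" provider-name="author-a">
    <requires><import addon="script.module.requests" version="2.22.0"/></requires>
  </addon>
  <addon id="script.module.requests" version="2.22.0" provider-name="author-b"/>
</addons>"""

ALLINONE_XML = """<addons>
  <addon id="plugin.video.example" version="9.9.9" provider-name="unknown">
    <requires><import addon="script.module.requests" version="2.22.0"/></requires>
  </addon>
</addons>"""


def parse_version(text):
    """Simplified: '1.2.0' -> (1, 2, 0). Kodi's real comparison is richer."""
    return tuple(int(part) for part in text.split("."))


def parse_repo(xml_text):
    """Return {addon_id: (version, [(dep_id, min_version), ...])}."""
    catalogue = {}
    for addon in ET.fromstring(xml_text).findall("addon"):
        deps = [(imp.get("addon"), parse_version(imp.get("version", "0")))
                for imp in addon.findall("./requires/import")]
        catalogue[addon.get("id")] = (parse_version(addon.get("version")), deps)
    return catalogue


def resolve_install(addon_id, repos, plan=None):
    """Install-from-repo: choose the newest version offered by any installed
    repo and recursively add its dependencies. Returns
    {addon_id: (version, repo_name)}; raises if something is unavailable."""
    plan = {} if plan is None else plan
    if addon_id in plan:
        return plan
    candidates = [(cat[addon_id][0], name) for name, cat in repos.items()
                  if addon_id in cat]
    if not candidates:
        raise LookupError(f"no installed repo provides {addon_id}")
    version, repo_name = max(candidates)
    plan[addon_id] = (version, repo_name)
    for dep_id, min_version in repos[repo_name][addon_id][1]:
        resolve_install(dep_id, repos, plan)
        if plan[dep_id][0] < min_version:
            raise LookupError(f"{dep_id} too old for {addon_id}")
    return plan


def find_updates(installed, repos, pin_to_origin=False):
    """installed: {addon_id: (version, origin_repo)}.
    Default behaviour: any installed repo offering a higher version wins.
    pin_to_origin=True models the proposed restriction of only consulting
    the repo the addon was originally installed from."""
    updates = {}
    for addon_id, (current, origin) in installed.items():
        best = None
        for repo_name, catalogue in repos.items():
            if pin_to_origin and repo_name != origin:
                continue
            if addon_id not in catalogue:
                continue
            version = catalogue[addon_id][0]
            if version > current and (best is None or version > best[0]):
                best = (version, repo_name)
        if best is not None:
            updates[addon_id] = best
    return updates


def demo():
    """Walk through the scenario from the text and return both outcomes."""
    repos = {"official": parse_repo(OFFICIAL_XML)}
    plan = resolve_install("plugin.video.example", repos)
    installed = {aid: (ver, repo) for aid, (ver, repo) in plan.items()}
    # User later installs an all-in-one repo that republishes the addon.
    repos["allinone"] = parse_repo(ALLINONE_XML)
    return (find_updates(installed, repos),
            find_updates(installed, repos, pin_to_origin=True))


if __name__ == "__main__":
    unrestricted, pinned = demo()
    print("unrestricted:", unrestricted)  # the 9.9.9 copy from allinone wins
    print("pinned to origin:", pinned)    # nothing to update
```

The point the model makes visible is that the catalogue entry that wins is chosen purely on version number, so whoever can publish to any installed repo can pick the number; origin pinning changes which catalogues are consulted rather than how versions are compared.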

In the case of the built-in official repo, each and every addon submitted to it is thoroughly reviewed, examined and tested by the repo maintainers (all Team Kodi members) to ensure it poses no risk to our user base. There are also limitations placed on addons – such as containing no pre-compiled, obfuscated or executable code (“binary blobs”) – all to try and stop our addon update system becoming a distribution path for malware. For third-party repos though, no such checks are, of course, performed by the team. So for each repo to be installed, the user – that means you! – should consider where it has come from, and whether they trust the author or organisation that has supplied it. Ask yourself whether they maintain such diligence over what is included in the repos they provide.
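As an added example of the kind of diligence described above (not Team Kodi’s own review tooling), here is a small audit that opens an addon zip and flags members that are pre-compiled or executable, either by extension or by file magic, plus a coarse heuristic for Python files that exec a decoded payload. The sample zip, its addon id and its contents are constructed inline; the heuristic is an assumption for illustration and will not catch every obfuscation technique.

```python
"""Audit an addon zip for binary blobs and obvious obfuscation.

Added example, not Kodi's code. The sample archive is constructed here so
the check runs offline; the obfuscation regex is a coarse heuristic.
"""
import io
import os
import re
import zipfile

# Extensions the text says the official repo does not accept.
BINARY_EXT = {".pyc", ".pyo", ".so", ".dll", ".exe", ".dylib", ".bin"}

# File magic for common native executables, in case the extension is disguised.
MAGIC = {
    b"\x7fELF": "ELF executable",
    b"MZ": "PE executable",
    b"\xcf\xfa\xed\xfe": "Mach-O binary",
    b"\xfe\xed\xfa\xce": "Mach-O binary",
}

# Heuristic (assumption): exec() of a base64-decoded payload is a common
# obfuscation smell in scripted addons.
OBFUSCATION_RE = re.compile(r"\bexec\s*\([^)]*b64decode")


def classify_member(name, data):
    """Return a reason string if the member should be rejected, else None."""
    ext = os.path.splitext(name)[1].lower()
    if ext in BINARY_EXT:
        return f"compiled/executable extension {ext}"
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    if ext == ".py" and OBFUSCATION_RE.search(data.decode("utf-8", "replace")):
        return "possible obfuscated code (exec of decoded payload)"
    return None


def audit_addon_zip(zip_bytes):
    """Return [(member_name, reason), ...] for every flagged member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename, zf.read(info))
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip(include_blobs=True):
    """Constructed addon archive: a clean addon.xml and default.py, optionally
    plus a native library and an exec-of-base64 loader script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.video.example/addon.xml",
                    '<addon id="plugin.video.example" version="1.0.0"/>')
        zf.writestr("plugin.video.example/default.py",
                    "import xbmcgui\nxbmcgui.Dialog().ok('Example', 'hello')\n")
        if include_blobs:
            zf.writestr("plugin.video.example/lib/helper.so",
                        b"\x7fELF" + b"\x00" * 16)
            zf.writestr("plugin.video.example/lib/loader.py",
                        "import base64\nexec(base64.b64decode('cHJpbnQoMSk='))\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_addon_zip(build_sample_zip()):
        print(f"REJECT {name}: {reason}")
    print("clean archive findings:", audit_addon_zip(build_sample_zip(False)))
```

Extension checks catch the honest cases; the magic-byte pass is there for members renamed to look like data files, and a review process would still read the remaining Python rather than trusting the heuristic alone.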

For cases such as the well-known individual addon author and their beta repos containing only their own work, the risks are often minimal. The “all-in-one” style repos, though, obviously offer a significantly higher risk of problems, especially for those that just seem to scrape any and all repos that they can access on the net, often without author agreement or consent. This is why many such repos are included on the Team Kodi banned addons list, although their common inclusion of banned piracy addons would place them on the list anyway. It’s also why Team Kodi offers no support for “builds” which pre-install addons or repos, as this is another common gateway to malware problems. And for those who may be under the illusion that this is just a hypothetical scenario, the stark reality is that such hijacking cases, “code flame wars” and distribution of malware-infected code have all actually occurred in the past using these exact methods. It is a genuine and real risk.

Team Kodi and its members are working towards improving the addon/repository infrastructure. A lot of tools have been developed in the last few years. Some examples of this include:

In conclusion, then: before you install any third-party addon, repo or build onto your Kodi device, pause and consider whether you really trust the source you’re getting it from and any repercussions that may result from that install.