Articles by DarrenHill

Is it legal?


After “What exactly is Kodi?”, the second most common question we get asked is “Is Kodi legal?”.

The two questions are of course linked, but with the recent media reporting concerning piracy the answer to the legality is sometimes not so clear to the man in the street. Due to various 3rd party addons, the app has gained an unwanted reputation as being a “way to get movies and TV shows for free”.

This is not helped at all by certain unscrupulous websites and YouTube bloggers who encourage and perpetuate the myth, simply to increase their traffic from web users and earn more cash from the site sponsors. So it may be worthwhile to try and officially answer the legality question, and at least in part the usage one as well.


So what is Kodi?

Put simply, the “reference Kodi”, which is the one supplied by Team Kodi and available from our website along with selected official app stores (Google and Windows for example), is a media centre. Underneath the hood is a powerful media player to play back video or audio files, but coupled to that is the flexible user interface and library system for storing and displaying posters, plot and cast information and other supporting metadata.

As supplied, reference Kodi does not ship with any media at all, nor are any media-providing addons pre-installed. What it does come with though is a catalogue of vetted and approved addons (our official repo) which can be installed from within the Kodi GUI by the user, enabling access to a selection of legitimate sources.

The intended usage case is that the user will either supply their own media files stored locally on their network for Kodi to access, or that they will install the addons that they wish to use.


Then is it legal?

As we supply it, Kodi is totally legal.

If the user is supplying their own media for Kodi to play, then the provenance and legality of that media is their own responsibility, as are any possible consequences of them having it in their possession. Similarly if they actively choose to install an addon within Kodi, it is their decision and responsibility to do so.

Where things become murkier is the area of third party addons. Kodi is designed to be extendable, and addons are available through third party repositories as well as from the official sources. It should be noted firstly that in reference Kodi this third party capability is disabled by default, and must be specifically enabled (along with a warning message and confirmation) by the user before third party sources can be used. If this is enabled, then additional repos can be installed and addons obtained from them. As the name suggests, these third party addons and repos are neither produced by, supported by nor endorsed by Team Kodi.

Sadly there are many third party addons out there which enable access to pirated media or streams, in violation of copyright laws. This has in the past led users who make use of them into legal difficulties alongside legal action being taken against those who write and supply such addons. This of course is something we wish to avoid, as by the nature of the press our name and brand gets associated with their activities, and the infamous “Kodi Box” has become synonymous with piracy (even though there is strictly no such thing, as we do not produce, sell or endorse hardware media devices).


How do I spot a dodgy deal?

As with any deal, common sense is your best yardstick. But there are a number of pointers to guide you when things may be less than kosher, be it for a device or for a third party addon:

  • if you are being offered media (TV shows, TV channels, events or movies) for free that you would normally expect to pay for.
  • if you are being offered media that you wouldn’t normally have access to privately (for example movies currently playing in theatres or not yet on DVD/streaming release).
  • if you are being sold a device by someone claiming to be Kodi or officially endorsed by them (for example by their website using our brand name and/or logo).
  • if the device is being sold as preconfigured to enable immediate access to online media sources.
  • if the supplier website or channel is plastered with ads for VPNs and other similar methods to “cover your tracks”, and doubly so if the article says that they are required.
  • if the deal is “too good to be true”.

In the end always ask yourself this question – “if I were offered this in a pub car park or a market, would I buy it?”.

The official built-in repo has been audited by Team Kodi. No addon within it makes use of non-legitimate sources, nor does their code pose a malware risk if installed. As this audit is not done on any other third party source, the user should beware and confirm that they are happy to trust the source before using it, or at least are prepared to accept any repercussions from doing so.


So what about torrents, storage sites and builds?

These again can be grey areas in terms of legality and trustworthiness.

Whilst we do allow addons which give access to torrents and web storage sites (OneDrive, Google Drive, Dropbox, Mega etc), we do not allow any into the official repo which come pre-packaged with sources included. Again this comes down to user choice and responsibility. The user can do what they like with the software, as long as it is done with their understanding of what they are doing and that they take personal responsibility for their actions.

One thing that we do not support at all is builds, as by their very nature they take away that user choice. Even aside from the fact that most are simply there to provide access to pirated media via dodgy addons, they also take away the user’s consensual choice as to what is being installed on their devices. There has been more than one example of malware being bundled into certain builds, or other unwelcome inclusions which subvert and often break Kodi functionality. As we had nothing to do with such breakages, we of course do not wish to have to support fixing them.


The final verdict

So is Kodi legal? As we supply it, the answer is yes.

But as the old saying goes, “it’s not what you have, it’s how you use it”, and in this case also where you got it from. If it has been sourced from elsewhere, or if something has been added or modified since it was obtained, then all guarantees are null and void. We won’t tell you what to do, not to do or how to use our software. We guarantee the reference Kodi we supply; anything beyond that is up to you.

The Freedom of Choice

One of the main tenets of both Kodi and open-source software in general is freedom of choice. By making the software freely and publicly available without charge, users are able to try the software with no financial outlay or risk. As the source code is also available for inspection, the risks of “hidden nasties” such as covert information gathering and other data mining can also be alleviated. Anyone can download, review and audit any part of the software that they wish, as well as submitting any updates, improvements and bug fixes that they may make.

This notion of user choice is also key to the operation and support offered by Team Kodi, both through GitHub and the web forum. One common question is why we don’t do more to combat piracy, especially given our zero tolerance policy towards support (or lack thereof, aside from attempts to completely remove from infected systems). The simple answer is that we believe in user choice, and that if the user makes the conscious and informed decision that they want to use Kodi for such purposes then that is up to them. Similarly, any resultant technical or legal problems which may arise are also down to them, and there’s no liability or responsibility on Team Kodi for what a user has chosen to do.


An Informed Choice

Key to that stance, though, is that the user has made an informed choice. This is the reason why third-party repositories are not usable by default in Kodi. The user has to make a specific action to enable their usage, complete with a warning pop-up message about the risks and liabilities involved. We take responsibility for our official repository and what we allow into it, and content is reviewed and audited before it is included. Any fork of Kodi which seeks to override or remove this default setting would immediately be blacklisted by the team, and no support for it at all would be offered by any official Team Kodi outlet.

Similarly, this is why the team does not allow forks with pre-installed add-ons to be made without complete rebranding and disassociation from Kodi, and why no “builds” are supported. By “build”, here we use the term in the common user parlance (as can be found on many of the third-party YouTube videos and parasitic “fan” websites that we would rather did not exist) for collections of add-ons either grouped into an “all in one” installation, or even images of Kodi with such add-ons pre-installed. This obviously completely removes the user choice element, aside from the choice to install the build in the first place.

The main issues here are twofold. Firstly, whilst such builds tend to install popular piracy add-ons, they often also quietly install other code under the hood with little or no visibility to the user. This can range from scripts that try to maintain the installation (given the limited lifespan of such add-ons) to ones that aim to sabotage or remove those of rival suppliers – and, in the extreme, even to malicious malware scripts to form botnets, mine digital coinage or perform other nefarious actions behind the user’s back.

Secondly, such builds tend to be advertised on websites and in videos as being official, legal and legitimate. This is often deliberately done to confuse the naive user that they are getting something for nothing and a good deal. Of course, a moment’s thought and common sense should tell anyone that if media providers such as Sky, HBO and Disney charge people what they do for their officially-provided services, then offers of them for free cannot be above board. Similarly, sources or add-ons offering media that wouldn’t normally be available, such as movies that are still in cinema theatres, should also ring alarm bells in the head of any consumer.


Uncommon Sense, or Stating the Obvious?

Unfortunately in this day and age such common sense does not seem to apply to the internet. We often see this on the forum when new users request support for such installations and then apologise with “sorry, I didn’t know” or similar when we decline to assist. They completely miss the point that it was their choice and basic greed that led them there, and a moment’s thought should have given them pause. For some reason users seem to willingly accept the most obviously dodgy deals on the internet, ones that they wouldn’t touch if offered in a pub car park, car boot sale or other “real world” environment.

Our simple advice is to apply the same judgement to your Kodi installation as you would to anything else in life. If the deal you’re being offered seems too good to be true, it quite probably is and there will be a catch somewhere. The team works hard to provide the Kodi software and also to curate the official repository. Both of these can be safely used when obtained from our official site. However, beyond that, the principles of caveat emptor apply. We expect and enforce that users are responsible for their own actions and the repercussions from them.

So before using any third party repository or add-on, take a moment to consider what you know about the authors, their reputation and what they are offering. Don’t be fooled by false promises and dodgy deals – in the end the person responsible for your devices’ safety and security is you.

Repos: When All-in-One Can Be No Fun.

For better or worse, one of the most powerful features of Kodi is the ability to extend its capabilities via addons. Key components in this are the repositories, or “repos” as they’re more commonly known. They allow for quick and simple installation and upgrade of addons, but as with the whole topic they too have a darker and riskier side that many users do not consider. 

Before we go into details of those risks, let’s first set the background by considering what a repo actually is and what it enables. 

As most users know, there are two main ways of expanding Kodi’s functionality with addons – install from zip and install from repo. Install from zip does exactly what it says on the tin: it installs a given addon into Kodi using a zip file package that contains the addon code. That zip file may be either downloaded from the internet and transferred onto the device where Kodi is running, or it can be accessed directly over the internet via an added source (most commonly through the Kodi file manager). This route is mainly intended for addon development purposes, prior to release and inclusion in a repo.

There are two main issues with this approach. The first problem is that the installation is then static. If the addon is updated or modified, Kodi won’t know this and any updates will need to be manually installed by the user. The second issue, however, is the one most commonly encountered by users, in that any other addons or code that the original addon depends on (that it uses or references, and requires to be installed for it to run) will not be automatically installed. Thus, for the original addon to operate and not just generate log errors or crash, all of its dependencies, both the correct packages and the correct versions, need to be manually located and installed separately.

So, What’s a Better Way?

Using a repo can solve both of these issues. A Kodi repo contains links to the current (and, commonly, also older) versions of the addon plus any required dependencies. So it acts as a “one stop shop” to install the given addon, with the bonus that it can be done via the Kodi GUI using the Install from repo option. With the exception of the official Kodi repo (which comes built into the Kodi core code), the only install from zip that is required is the original one to install the repo itself.

The real power of the repo, though, is that when the addon author updates their addon and pushes that new version to the repo (whether the official one or their own third-party one which the user has installed), then Kodi will see that the update is available and can either offer the update or just update it automatically, depending on configuration. So, with minimal or even no user effort, addons can be quickly and easily maintained, and distributed, keeping all user devices up to date.

Sounds Great – What’s the Catch?

That update functionality is where the potential risks come into play, however, especially for the common third party “all-in-one” repos (containing addons from multiple authors) that can be obtained from various internet sites and sources. Currently, if a newer version (with a higher version number) of a given addon is pushed to an installed repo, then the addon can be updated regardless of which repo the addon originally came from. Hence, if a malicious programmer pushes a new version of an addon (which may or may not be their own) to an installed repo, then anyone who had the original version will get the poisoned version installed onto their device instead. This is obviously a very undesirable outcome and would lead to widespread issues if a popular addon were to be subverted.
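As an added illustration (not Team Kodi code), the following check reads the `addons.xml` index of each installed repo and flags any installed addon for which a repo other than the one it was installed from offers a higher version. The repo ids, addon ids, versions and the installed-addon map are constructed sample data, and the version ordering is a simplified assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data: addons.xml indexes of two installed repos.
# All repo ids, addon ids and versions here are hypothetical.
REPO_INDEXES = {
    "repository.author.beta": """<addons>
  <addon id="plugin.video.example" version="1.4.0" provider-name="author"/>
  <addon id="script.module.helper" version="2.0.1" provider-name="author"/>
</addons>""",
    "repository.allinone": """<addons>
  <addon id="plugin.video.example" version="9.9.9" provider-name="someone"/>
  <addon id="plugin.audio.other" version="0.3.0" provider-name="someone"/>
</addons>""",
}

# Constructed: installed addon -> (installed version, repo it was installed from).
INSTALLED = {
    "plugin.video.example": ("1.4.0", "repository.author.beta"),
    "script.module.helper": ("2.0.0", "repository.author.beta"),
}


def version_key(version):
    """Simplified numeric ordering (assumption); Kodi's comparison handles more forms."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def parse_index(xml_text):
    """Return {addon_id: version} for one repo's addons.xml."""
    # Repo indexes are untrusted input; use a hardened XML parser on real files.
    root = ET.fromstring(xml_text)
    return {a.get("id"): a.get("version") for a in root.iter("addon")
            if a.get("id") and a.get("version")}


def foreign_updates(installed, repo_indexes):
    """List higher versions offered by a repo other than the addon's origin repo."""
    findings = []
    for repo_id, xml_text in repo_indexes.items():
        for addon_id, offered in parse_index(xml_text).items():
            if addon_id not in installed:
                continue
            current, origin = installed[addon_id]
            if repo_id != origin and version_key(offered) > version_key(current):
                findings.append((addon_id, current, offered, origin, repo_id))
    return sorted(findings)


if __name__ == "__main__":
    for addon_id, current, offered, origin, repo in foreign_updates(INSTALLED, REPO_INDEXES):
        print(f"{addon_id}: {current} -> {offered} offered by {repo}, installed from {origin}")
```

The update to `script.module.helper` is not reported because it comes from the same repo the addon was installed from; only the cross-repo offer is flagged for review.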

Another big issue with third-party repos is the fact that the domain name might be abandoned and expire while users still have the repository installed. This could enable an attacker to later register that expired domain, effectively taking it over. They could then replace the existing addon content with malicious code. This exact scenario is a significant enough risk to have been covered in several security conferences last year, for example this one.

If Only Someone Could Do Something…

There have been internal Team Kodi discussions on how to manage this risk, ranging from disallowing third-party repos completely, through to only allowing addons to update from their original repo, and on to the official stance of leaving things as they are as all of this should be the user’s responsibility anyway. Another issue is that there are cases which complicate any such restrictions, such as the use of testing “beta” repos for unstable versions of addons either under construction or for adding new features. This most commonly applies to skins, but also when addon authors make early or “bleeding edge” versions of new or existing addons available for public testing using this method.

In the case of the built-in official repo, each and every addon submitted to it is thoroughly reviewed, examined and tested by the repo maintainers (all Team Kodi members) to ensure it poses no risk to our user base. There are also limitations placed on addons – such as containing no pre-compiled, obfuscated or executable code (“binary blobs”) – all to try and stop our addon update system becoming a distribution path for malware. For third-party repos though, no such checks are, of course, performed by the team. So for each repo to be installed, the user – that means you! – should consider where it has come from, and whether they trust the author or organisation that has supplied it. Ask yourself whether they maintain such diligence over what is included in the repos they provide.

For cases such as the well-known individual addon author and their beta repos containing only their own work, the risks are often minimal. The “all-in-one” style repos, though, obviously offer a significantly higher risk of problems, especially for those that just seem to scrape any and all repos that they can access on the net, often without author agreement or consent. This is why many such repos are included on the Team Kodi banned addons list, although their common inclusion of banned piracy addons would place them on the list anyway. It’s also why Team Kodi offers no support for “builds” which pre-install addons or repos, as this is another common gateway to malware problems. And for those who may be under the illusion that this is just a hypothetical scenario, the stark reality is that such hijacking cases, “code flame wars” and distribution of malware-infected code have all actually occurred in the past using these exact methods. It is a genuine and real risk.

Team Kodi and its members are working towards improving the addon/repository infrastructure. A lot of tools have been developed in the last few years. Some examples of this include:

In conclusion, then: before you install any third-party addon, repo or build onto your Kodi device, pause and consider whether you really trust the source you’re getting it from and any repercussions that may result from that install.