i.TV Guide App Updated; Two TiVo Notes

One of the more impressive unaffiliated TV guide iPhone apps has seen a massive makeover. In fact, i.TV 3.0 completely drops movie listings, trailers, and theater ticket purchases to exclusively focus on television content… including shows located on Hulu and Netflix. The interface refresh is more than skin deep, and i.TV now brings native support to the iPad. It’s definitely a (free) app worth checking out if your television provider doesn’t offer one to your liking.

On the TiVo front, i.TV has been the unofficial, official TiVo iPhone app. So someone may want to suggest that TiVo, Inc. update their website (shown below right), as their screengrab is no longer relevant — i.TV has dropped that virtual TiVo remote control during the redesign. While it’ll return in some form at some point, the virtual Roku remote is gone for good.

Last year, we uncovered a minor security issue related to i.TV and TiVo DVR scheduling:

I did some poking around i.TV’s various files and took a look at the network traffic using Wireshark. It appears that i.TV uses our TiVo.com credentials once to retrieve a token, valid for one year, which is subsequently used to access our account data and authenticate scheduling requests. While network communication appears secure, our TiVo.com username and password are stored in the clear by i.TV – accessible from both the iPhone file system and computer-based iTunes backup. It’s obviously not best practice; however, in the real world, the security implications are most likely inconsequential.

Well, it looks as if this has finally been put to bed. MethodicJon took a look at the new files for us and there’s no sign of his password in the clear (below left). However, it’s possible the gibberish prior to his username/email is the password… obscured with some function. But given the minimal risk, I’m satisfied and won’t invest time deconstructing it further.

13 thoughts on “i.TV Guide App Updated; Two TiVo Notes”

  1. Although, I will add i.TV should not be retaining anything. The way I understand it, after initial authentication to TiVo a token is issued and valid for one year. Related, Jon noticed i.TV takes a snapshot of the TiVo signin screen. It’s not a smoking gun by any means, but why? Also, it’s unclear if you can actually scrub i.TV of your credentials or the TiVo link from the app.

  2. There’s a number of problems with linking with TiVo in i.TV 3.0, all of which are related to i.TV’s new syncing method. i.TV lets you log in using an OpenID (Facebook, Twitter, etc). Once you do that, all your info gets synced between devices that log in with those credentials, including your TiVo login token.

    The problem I’ve found is that once something gets synced to i.TV, there doesn’t appear to be any way to modify it; this includes customizing channel lists (which won’t stick) and linking your TiVo account. As such, once you link your TiVo account to your i.TV account, there’s no way to unlink it. I’ve tried uninstalling the app and reinstalling, but once I log in to i.TV, my TiVo account reappears in the app and scheduling works. Since a token is used and there’s no way to revoke this token on TiVo’s end (changing password doesn’t do it), there’s no way to sever the link between i.TV and TiVo. I’ve reported this to i.TV who said they will work on a fix, but in the meantime, there’s no way to revoke i.TV’s access to my TiVo account, which is very bad.

    Also very bad from a security standpoint is that the app seems to be sending your TiVo credentials to i.TV in the clear. When I logged into my TiVo account on my iPad, I expected to see an SSL connection to a TiVo.com domain. Instead I saw an unencrypted connection to an Amazon S3 cloud server. My guess is that the app sends the TiVo username and password to i.TV, which then sends it to TiVo to grab the token. I’m assuming the token is what’s stored and not the TiVo username & password, but the fact that that info is sent in the clear directly to i.TV is very bad.

    By the way, considering the number of 3rd party companies that can link to your TiVo account (Yahoo, TV Guide, Zap2It, i.TV, Amazon, etc) I think TiVo should provide a web page that lists what apps/web sites are linked to your TiVo account and allow you to revoke access to said apps/sites. That’s how every other company out there (Twitter, Facebook, Google, Yahoo, etc) handles things and TiVo should as well.

  3. Interesting… with i.TV 2.0, I recall monitoring a secure connection. But perhaps that was after my credentials had already been cached. Hm. Despite Apple’s approval process, no one’s testing for app security. Although, I’d say this is more on TiVo and their lax monitoring of the access they provide to these third parties. If no one requires i.TV build it securely, why bother wasting the time on such things.

    “I’m assuming the token is what’s stored and not the TiVo username & password”

    In i.TV 2.0 both the username and password are stored in the clear on the iPhone and computer via iTunes backups. With 3.0, as you can see in the picture above left, they’re hanging onto the TiVo username locally at the very least.

  4. I think the username is held simply so it can be displayed in the TiVo settings page in the app.

    When I logged into i.TV (via Facebook) on my iPad and then logged into my TiVo account, it showed my TiVo username on the account page in the app.

    I then logged into i.TV on my iPhone and my TiVo DVRs showed up in the app (without me having to log in to my TiVo account there), but my user name didn’t show up in the TiVo account settings in the app (nor the **** for the password). So that info isn’t synced apparently.

    Because of the unlink bug, I can actually remove my TiVo info from the app by unlinking my account, but since the token isn’t wiped off of i.TV’s servers, “unlinking” doesn’t actually unlink my account.

    I’m not sure if everyone has this problem or not since I imported my old i.TV 2.0 settings after logging in which might have screwed up things on i.TV’s end. I really wish there was a way to wipe your i.TV account.

    On a side note, if you log in via Facebook, i.TV grabs your basic info as well as both your birthday and current city as well as the birthday and current city of all your friends. Why they need any of that info is beyond me.

  5. Hey Dave and Morac,

    First of all, we want to thank you for bringing this to our attention.

    Today we are submitting an update to the App Store that will increase the security regarding the TiVo login. Because this is our highest priority, we won’t have time to add an unlink option for TiVo accounts today. However, if you send an email to support@i.tv, we will be more than happy to manually unlink your TiVo account. (Be aware that this unlink will occur, even though it will not be reflected graphically in the app. We will send you a confirmation email.)

    We have fixed some of the syncing issues you’ve described (such as channel management not working). If there are any persistent issues, please email us at support@i.tv.

    Again, thank you so much. We hope that this answers your concerns.

  6. Thanks, Ryan. I appreciate the prompt response and due attention.

    Morac, yeah that makes sense hanging onto the username for display/convenience. Obviously sending the credentials over the air in the clear a problem. Hopefully that’s the one they intend to hit first. Although we’ll never know what they store in the cloud. Again, I wish we had some assurances TiVo was sufficiently involved with third party access and your de-linkage suggestion, as seen on Twitter, is an appropriate end-user tool.

  7. Yes thanks Ryan.

    By the way, there is an “unlink account” button already in the app, it just doesn’t work correctly. It removes the TiVo info from the app, but not from the i.TV servers. So you don’t need to “add an unlink option for TiVo accounts”, just fix what’s already there.

    The increased security is more important though, so it’s good that you are fixing that first.

    Todd, they can only use OAuth if TiVo uses that. I’m not sure what TiVo uses exactly, but I do know that linking a 3rd party web site to your TiVo account requires logging into TiVo’s web site and authorizing the link. So it’s likely TiVo is using OAuth. Though TiVo has no user-accessible revoking mechanism (which is bad).

    The problem here appears (*) to be that the OAuth request is being initiated from i.TV’s servers instead of the app. What should happen is that the TiVo login request should go directly from the app to TiVo, which should then return the token to the app. That token is what should be sent from the app to i.TV. Instead, what appears (*) to be happening currently is that the TiVo account info is sent to i.TV’s server (over port 80), which then submits the OAuth request to TiVo. That defeats the whole purpose of using OAuth. I’m hoping that will be fixed in the update Ryan mentioned.

    (*) I never actually sniffed the data going between my iPad and i.TV’s servers since that’s tricky to do with my setup at home. I just checked the ip address and port numbers being accessed by the app which is a lot easier to do since my router logs traffic info.
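The token-delegation flow comment 7 asks for, together with the per-app "what is linked to my account" page and revoke button comment 2 asks TiVo to provide, as an added Python model (this is not i.TV's or TiVo's code; AccountAuthority, GuideService and link_from_device are hypothetical stand-ins, and nothing here reflects the real TiVo.com token format):

```python
import hashlib, hmac, os, secrets

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountAuthority:
    """Stands in for TiVo.com: verifies passwords, issues per-app tokens, lets the user revoke them."""
    def __init__(self):
        self._pw = {}       # user -> (salt, pbkdf2 hash); the password itself is never kept
        self._tokens = {}   # token -> {"user", "app", "revoked"}

    def register(self, user, password):
        salt = os.urandom(16)
        self._pw[user] = (salt, _pbkdf2(password, salt))

    def issue_token(self, user, password, app):
        salt, stored = self._pw[user]
        if not hmac.compare_digest(stored, _pbkdf2(password, salt)):
            raise PermissionError("wrong username or password")
        token = secrets.token_urlsafe(32)   # long-lived, like the one-year token in the post
        self._tokens[token] = {"user": user, "app": app, "revoked": False}
        return token

    def is_valid(self, token):
        rec = self._tokens.get(token)
        return rec is not None and not rec["revoked"]

    def linked_apps(self, user):  # the "which apps can reach my account" page the comments ask for
        return sorted({r["app"] for r in self._tokens.values()
                       if r["user"] == user and not r["revoked"]})

    def revoke(self, user, app):  # kills every token held by that app; a password change alone would not
        for r in self._tokens.values():
            if r["user"] == user and r["app"] == app:
                r["revoked"] = True

class GuideService:
    """Stands in for i.TV's server: it holds tokens only and never sees the TiVo password."""
    def __init__(self, authority):
        self.authority, self.links = authority, {}   # links: i.TV user -> TiVo token

    def can_schedule(self, itv_user):
        token = self.links.get(itv_user)
        return token is not None and self.authority.is_valid(token)

def link_from_device(authority, service, itv_user, tivo_user, tivo_pw):
    # The flow comment 7 asks for: the app authenticates to TiVo directly and forwards only the token
    token = authority.issue_token(tivo_user, tivo_pw, "i.TV")
    service.links[itv_user] = token
    return token
```

The guide service's state never contains the TiVo password, and revoking "i.TV" from the authority immediately stops scheduling even though the service still holds the token.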

  8. “Todd, they can only use OAuth if TiVo uses that.”

    **AHEM!!!** TiVo ( takes less than a day to implement and your liability insurance premiums will plummet because you will no longer be liable for security breaches )

  9. I have a problem where my TiVo ID and password are not recognized in i.TV. This is very frustrating and it is happening on my iPod Touch and my friend’s iPhone 4S. Very sad that this isn’t working.

  10. I’m having the same issue where i.TV is not recognizing my TiVo credentials. I recently restored my iPhone and reinstalled the latest version of i.TV. Now when I go to link my TiVo account I get the error message, “Wrong username ore password”. I’m positive I have the correct credentials because I used them to successfully log into my TiVo account on my laptop. My guess is that my token from the initial activation is still active. Any ideas on how to deactivate the token, unlink my account, or delete my data from the i.TV server?
