
General Q about safety

Open CharlieBrown12 opened this issue 4 years ago • 6 comments

Love the app - it looks terrific....

However - I would like clarification on what level of access to my Google Account is acquired by logging in via the app.

Soon after I logged in I checked my Google Account and could not find the YT Music app under any Safety settings - the only thing shown was that a new Mac device accessed the account.

I would like clarification - as I am not comfortable with full account access via 3rd party app.

Sorry if this was already asked I could not find the exact topic.

MANY THANKS for the otherwise great app...

CharlieBrown12 · Nov 30 '20 14:11

Hi @CharlieBrown12! It's great to hear you like the app!

No worries! Just to clarify how this app works. YouTube Music doesn't provide any kind of third party API. All this app is, is a web container (Basically a super-light version of Safari) that opens up to https://music.youtube.com and nothing more. You log in just like you would log in if you were in Safari or Chrome directly, and start using YouTube Music like any other regular website.

So, yes. You do put your username and password directly into this app, but all of it runs through Apple's web performance and security technologies (eg, web content is run through a separate process, and cookies are stored in their own discrete silo in the app).

That being said, that certainly doesn't guarantee this app isn't malicious. I'm also wary that it would be super simple to modify the source code of the app before building a release that could inject JavaScript to snoop the login form.

I'm working on making a new release for YT Music, but before I do that, I want to do two things in order to absolutely guarantee the safety of it:

  1. Replace DevMateKit with an open source version of Sparkle to ensure that 100% of the source code that goes into building this app is readable and independently verifiable.
  2. Set up an automated build pipeline here, so that new release builds are done in the open, and it is possible to digitally verify that the final released builds have not been tampered with beyond any of the code that is visible here.

I hope that answers your question! Thanks!

TimOliver · Jan 03 '21 05:01

Great information @TimOliver ! Thanks!

I think this information on security and future plans to enhance it belongs on the README file.

LunaticoCR · Jan 08 '21 09:01

Thanks @LunaticoCR! I've been coordinating with @steve228uk this week to get access to the signing certificates needed to make new production capable builds.

No worries! When the new build is up, I'll update the README with the new information. Thanks!

TimOliver · Jan 08 '21 10:01

Guys - just an info that sideloading of iOS version of YouTube Music on M1 Macs now works perfectly. It also allows downloading the library for offline listening.

CharlieBrown12 · Jan 08 '21 11:01

Hey @CharlieBrown12! Long time no see!

It took a little longer than I expected (Right after I wrote that last post, I moved countries!) but I finally got around to doing what I promised. 😁

Version 1.1.0 (https://github.com/steve228uk/YouTube-Music/releases/tag/1.1.0) went live this weekend, and with it, DevMateKit has been removed and regular Sparkle implemented in its place.

In terms of guaranteeing safety, all of the code in the app is now visible, and available for public scrutiny. And the app itself is built via GitHub Actions, again with the build progress also fully visible to scrutinize.

Finally, in order to absolutely guarantee that the ZIP file in the Releases page hasn't been tampered with after the fact, I added an extra build phase in the Actions that would take the ZIP file and print the SHA-256 hash of the file. This is visible here: https://github.com/steve228uk/YouTube-Music/runs/2427156873?check_suite_focus=true. At any point after downloading the zip file, you can do your own SHA-256 hash check on the file, and confirm the two values match.

Unfortunately, due to GitHub Actions being behind the curve and not offering Big Sur machines yet, the app is only available for Intel builds. But seeing as it's possible to side load the official app on M1 hardware, this sounds like it's not a huge issue.

In any case, I hope this puts your mind at ease. When I get the chance, I'll write this up in a proper security document.

All the best!

TimOliver · Apr 25 '21 08:04
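The hash check described in the comment above, written out as an added example (this is not the YouTube-Music project's own code): a POSIX shell script that computes the SHA-256 of the downloaded ZIP and compares it with the digest copied from the GitHub Actions log. It assumes either `shasum` (macOS) or `sha256sum` (GNU coreutils) is on the PATH; the demo file and its contents are constructed stand-ins for the real release ZIP, and `YouTube-Music.zip` is just an assumed asset name.

```shell
#!/bin/sh
# Added example, not part of the YouTube-Music repository.
# Verifies a downloaded release ZIP against the SHA-256 digest printed by CI.

# Digest of a file as 64 lowercase hex characters. Works on macOS (shasum)
# and Linux (sha256sum); both print "<digest>  <filename>".
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Accept the digest as pasted from the build log: either a bare digest or a
# full "<digest>  filename" line, with any trailing newline/CR and in any case.
normalize_digest() {
    printf '%s' "$1" | tr -d '\r\n' | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_release FILE EXPECTED_DIGEST
# Exit status: 0 = match, 1 = digest mismatch, 2 = bad input (no such file
# or malformed digest). A mismatch is reported on stderr with both values.
verify_release() {
    file=$1
    expected=$(normalize_digest "$2")
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 2
    fi
    case "$expected" in
        ''|*[!0-9a-f]*)
            echo "malformed expected digest: '$2'" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest must be 64 hex characters, got ${#expected}" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo with a constructed file standing in for the release ZIP. The SHA-256
# of the bytes "hello\n" is the well-known value used as the expected digest;
# the filename "YouTube-Music.zip" in the pasted line is assumed.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    # As pasted from a CI log line: "<digest>  YouTube-Music.zip"
    verify_release "$tmp" \
        "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  YouTube-Music.zip"
    # A tampered asset: the digest no longer matches.
    verify_release "$tmp" \
        "0000000000000000000000000000000000000000000000000000000000000000" || true
    rm -f "$tmp"
}

# Run the demo only when executed directly, not when sourced for its functions.
case "$0" in
    *verify_release*|*demo*) demo ;;
esac
```

Take the expected digest from the Actions run log, not from the Releases page: the comparison only proves something when the reference value comes from a place that someone able to swap the ZIP cannot also edit. A matching digest shows the asset is the one CI produced from the visible source; whether that source does anything unwanted is a separate question, which is what the public code and build logs are for.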

Hi there,

thanks for the reply.

I am not sure if you are aware, but now there are a bunch of apps that do this natively. So here is how I use it:

Method 1: www.applicationize.me Creating the app on this website is a breeze. It works as a Chrome extension - and without a hassle. The only thing you need is to add the custom icon. No ad blocking. You can also edit the start page - so that it starts in your library of the uploaded music.

Method 2: Unite 4 (BZG apps) - will create the app frontend similar to Method 1, just using Safari Webkit for it. Gives more configurations, and adblock.

Method 3: Coherence (BZG apps) - will create the app frontend similar to Method 1, just using Chromium browsers as a base. Also supports full Chrome extensions - so ads are blocked, and page layout can be modified too.

Cheers,

CB

CharlieBrown12 · May 09 '21 14:05