
Splitting off a thread for the new Web App in an effort to separate feedback from the ‘announcement’ thread that is justifiably dominated by mobile app feedback.

First and foremost, thank goodness the Windows (and Mac?) Desktop Apps still work! That allows us to use (okay, attempt to use) the new web app without going completely ballistic.

I’ll start with something nice to say: it’s amazing that the Web App works, being quite an architectural departure from anything before. It picked up my local library and played music AOK on my first go.

QUESTION: has anyone seen album art from their local library display in the Web App? I’ve not seen any such album art display, be it albums in Sonos Favorites or navigating through Your Sources > Music Library > Albums or zooming down to a single album or ‘now playing’. Using a streaming service, all of those methods display album art so the functionality is kinda sorta there. And yes, I’ve waited a full 90 minutes for something to happen.

I’ve read that some people see at least some album art from their local library... if that includes you, kindly reply with a step-by-step description of what works for you.

No album art on the web app here I’m afraid. What a mess!


No art here on the local library, all blank.


Where is that ‘web app’?!?

Where is it run from?!?


If you have multiple systems on the same account, it’s impossible to tell them apart:

 

This is contrary to Sonos’ own guidelines for handling this: you are supposed to list the rooms in each system, plus they could also show the actual name of each system. Here is a screenshot from their developer documentation, given as an example:

Local album art is indeed missing, and I doubt that is coming back for technical reasons.

I wish it would show named groups.


Where is that ‘web app’?!?

Where is it run from?!?

Jacob, I’m gonna’ tell you how to access the Web App but you promise not to hold it against me.

https://play.sonos.com/en-us/web-app


A complete mess!  

 

Cannot access any devices.

 

Been loyal customer for 10 years with 15 devices.

 

Such a poorly functioning application, many many errors.

 

Don’t waste your time!!


I just browsed the web app from work.  From this location, I can control my systems at both my home and cottage.  I can’t imagine why I’d want to beyond some edge cases, but that’s beside the point.

From the web, I can browse or play my locally (at home) stored NAS files on devices at that location.  I don’t like this.  It means that anyone who has access to my account can manipulate my system.

  1. Up to now, I believed that all Sonos connections to the internet were “outbound”.  I was wrong.  There is some kind of ‘inbound’ connection, and it’s been there for a while, as I still have firmware 16.1 on my devices [edit: I _think_ I have 16.1 but maybe device firmware was auto-updated]
  2. I never gave a second thought to the complexity of my password for my Sonos system.  I guess now that I should.
  3. What is the security model being used?  Is it hackable?  Does this link expose my home network in any way?  It feels like another attack surface that I have no way of managing.
  4. How can I turn this remote access feature off entirely so that my home devices simply refuse to accept connections from outside the local network?

If you have multiple systems on the same account, it’s impossible to tell them apart:

 

 

I wish it would show named groups.

I had the same discovery.  It would have been fairly easy to allow “naming” each system from within the web app.  So easy in fact that I can only guess that the testing must have been very minimal.

I could not find a way to switch systems without logging out of the account and then logging back in to the account to select another of my systems.  How about a “switch system” that doesn’t require logging out then in??


 

I’ve read that some people see at least some album art from their local library... if that includes you, kindly reply with a step-by-step description of what works for you.

I have music on my NAS.  I added it using the SMB protocol.  That does not provide me with any art, and it is also not searchable using the web app.

However, I have a PLEX server configured on my NAS as well.  I added my music sources as a source there, and then added PLEX as a provider to SONOS.  Using that, all of my music becomes searchable via Plex, and Plex also adds album art.


I just browsed the web app from work.  From this location, I can control my systems at both my home and cottage.  I can’t imagine why I’d want to beyond some edge cases, but that’s beside the point.

From the web, I can browse or play my locally (at home) stored NAS files on devices at that location.  I don’t like this.  It means that anyone who has access to my account can manipulate my system.

  1. Up to now, I believed that all Sonos connections to the internet were “outbound”.  I was wrong.  There is some kind of ‘inbound’ connection, and it’s been there for a while, as I still have firmware 16.1 on my devices [edit: I _think_ I have 16.1 but maybe device firmware was auto-updated]
  2. I never gave a second thought to the complexity of my password for my Sonos system.  I guess now that I should.
  3. What is the security model being used?  Is it hackable?  Does this link expose my home network in any way?  It feels like another attack surface that I have no way of managing.
  4. How can I turn this remote access feature off entirely so that my home devices simply refuse to accept connections from outside the local network?

  1. Sonos systems have been accessible remotely for at least five years, but it hasn’t been as obvious as it is now via the web app.
  2. Very much so, as no 2FA or even permission revocation is available
  3. https://docs.sonos.com/docs/authorize
  4. No known way to disable this so far

  1. How can I turn this remote access feature off entirely so that my home devices simply refuse to accept connections from outside the local network?
  1. No known way to disable this so far

Thanks for the info.

Not being able to disable it feels horrible.

I don’t see any port manipulations on my router, so it must be the case that Sonos device(s) are generating outbound connections and those are being used to access my local resources.

This gives me memories of the Sony Rootkit fiasco.

 


If you have multiple systems on the same account, it’s impossible to tell them apart:

 

 

I wish it would show named groups.

I had the same discovery.  It would have been fairly easy to allow “naming” each system from within the web app.  So easy in fact that I can only guess that the testing must have been very minimal.

It turns out that you can add a name to each system.  It can only be done from the mobile APP, not the web.  However, you still need to log out then in to change systems (on both the app and web).

 


If you have multiple systems on the same account, it’s impossible to tell them apart:

 

 

I wish it would show named groups.

I had the same discovery.  It would have been fairly easy to allow “naming” each system from within the web app.  So easy in fact that I can only guess that the testing must have been very minimal.

It turns out that you can add a name to each system.  It can only be done from the mobile APP, not the web.  However, you still need to log out then in to change systems (on both the app and web).

 

Naming systems has been a thing for a while, but no names are displayed for any of my systems here. My own app gets the names just fine.


From the web, I can browse or play my locally (at home) stored NAS files on devices at that location.  I don’t like this.  It means that anyone who has access to my account can manipulate my system.

  1. How can I turn this remote access feature off entirely so that my home devices simply refuse to accept connections from outside the local network?

I put in a feature request for this on the forum, but given Sonos don't pay any attention to the end users’ opinions, I don't hold out much hope of them caring about the security of our systems and not wanting our sound system so easily exposed to the world. At least before, it was only cloud APIs being called from your app at home. Now these have been made accessible via a web interface.