Slashdot Mirror
CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns

tlhIngan writes "Heads up CyanogenMod users — you will want to update to the latest nightly build as it turns out that your unlock patterns were accidentally logged. The fix has been committed and is in the latest build. While not easy to access (it requires access to a backup image or the device), it was a potential security hole. It was added back in August when Cyanogen added the ability to customize the screen lock size."


  1. Open source // code review? by alex67500 · · Score: 4, Insightful

    That's one of the issues with many committers: you can't review all the code before it ships off in a build. I seem to remember a bug in OpenSSL where some kid commented out an entropy line "because it showed warnings at compile-time" and managed to commit it without raising suspicions.

    Bottom line, where are the code reviewers in this process? QA?

    1. Re:Open source // code review? by Anonymous Coward · · Score: 3, Insightful

      I fail to see how CI would have picked this up, unless you have something like a lint checker that screams about new Log() calls not in a white list or have an Interface in place for Log such that the unit tests only pass if Log is never called for certain classes.
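
The lint-style check the comment above describes, as an added example that is not CyanogenMod code: a small scanner over Java source that flags android.util.Log calls either in files where no logging is allowed at all, or whose arguments look like they carry a secret. The file names, class names, tag string and source lines are all constructed for the demo and do not reproduce the real commit.

```python
"""
Added example (not CyanogenMod code): a minimal lint for android.util.Log calls.
It mirrors the two options the comment describes: a per-file list of classes
where any Log call fails the build, and a heuristic on what is being logged.
Every file name, class name and source line below is constructed for the demo.
"""
import re

# Files where any Log call is forbidden (constructed list, not CM's real layout).
NO_LOG_FILES = {
    "LockPatternUtils.java",
    "LockPatternView.java",
}

# Argument names that suggest a secret is being logged (heuristic, constructed).
SENSITIVE_ARG = re.compile(r"\b(pattern|password|pin|secret|token)\b", re.IGNORECASE)

# Matches android.util.Log.{v,d,i,w,e,wtf}(tag, msg, ...) and captures the arguments.
LOG_CALL = re.compile(r"\bLog\.(v|d|i|w|e|wtf)\s*\((?P<args>.*)\)")


def lint_source(filename: str, source: str) -> list[dict]:
    """Return one finding per offending Log call: file, line number, reason, text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # commented-out code never executes
        m = LOG_CALL.search(stripped)
        if not m:
            continue
        if filename in NO_LOG_FILES:
            reason = "Log call in a file where logging is forbidden"
        elif SENSITIVE_ARG.search(m.group("args")):
            reason = "Log call whose arguments look like a secret"
        else:
            continue
        findings.append({"file": filename, "line": lineno, "reason": reason, "text": stripped})
    return findings


def lint_all(sources: dict[str, str]) -> list[dict]:
    """Run lint_source over a {filename: source} mapping, preserving file order."""
    out = []
    for name, src in sources.items():
        out.extend(lint_source(name, src))
    return out


# Constructed sample sources: a leftover debug line in lock-screen code (the tag
# "someusername" is a placeholder standing in for a developer's grep handle),
# plus one harmless and one secret-leaking Log call elsewhere.
SAMPLE_SOURCE = {
    "LockPatternUtils.java": """\
public class LockPatternUtils {
    public boolean checkPattern(List<Cell> pattern) {
        // Debug line of the kind the story describes (constructed, not the real commit).
        Log.d("someusername", "checkPattern: " + patternToString(pattern));
        return Arrays.equals(hash, storedHash);
    }
}
""",
    "StatusBar.java": """\
public class StatusBar {
    void onResume() {
        Log.d(TAG, "onResume");
        Log.i(TAG, "unlocked with password=" + password);
    }
}
""",
}

if __name__ == "__main__":
    for f in lint_all(SAMPLE_SOURCE):
        print(f"{f['file']}:{f['line']}: {f['reason']}: {f['text']}")
```

Run as a pre-merge hook over the changed files, the first check fails the build on any Log call in the listed lock-screen classes, and the second catches the same class of mistake in files that are allowed to log. The argument heuristic is deliberately crude: it is meant to make a reviewer look, not to be complete.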

  2. Re:Accidentally? by Anonymous Coward · · Score: 5, Insightful

    FUD:

    * it's an open-source project
    * the fix has been committed
    * it requires access to the device

  3. Re:Accidentally? by Anonymous Coward · · Score: 5, Informative

    The guy is part of the CyanogenMod team; he used his username so he could grep the debug output he created with that log line while testing a feature he was working on.

    To sum it up:
    Not a big deal, just left over debug code.

    Not really a vulnerability either, because in most cases where you can read the local log file you already unlocked the phone in the first place.

    --
    Me

  4. Re:Accidentally? by Anonymous Coward · · Score: 3, Insightful

    If an official ROM did this it would be taken as an evil invasion of privacy by Samsung, HTC or Google, but when the Cyanogen team does it it's immediately accepted as an accident.

    Interesting.

    No, things like this have happened with the larger developers and it has always been explained as a bug and accepted as incompetence. The times you see outrage is when the larger developers log data and send it to themselves as part of the intended function. Cyanogen has not done anything like that yet and indie teams generally don't have an interest to do so.

  5. Re:Accidentally? by thegarbz · · Score: 4, Interesting

    Not interesting in the slightest. The difference between evil invasion of privacy and an accident is purely intent.

    If a company had done it you can't prove it one way or another so it's safe to assume the worst.

    If on the other hand it's done to code that is openly published at a time when a feature is modified which during development would have clearly called for logging the actions to file for debugging purposes, it shows quite a different level of intent.

    You can still assume the worst, but if you do in this case we'll just assume your tinfoil hat would need to be retuned.

  6. Re:Accidentally? by Parker+Lewis · · Score: 5, Informative

    And it's a nightly build! Not a stable release!

  7. The Comments of the Ars article are worth reading. by robbak · · Score: 5, Insightful

    Basically, the story is that:
    It is debugging code left in a development build, that happens to be used by many persons as nightlies.
    It does not write to a file. It is debug information written to a ring buffer in RAM. You would need to have an app installed with permission on the logs, or connect a cable in debug mode and trace the log to even get these messages.
    It was found in a code review, and removed.

    So much a non-issue that it is a wonder that Ars even reported it. Seems Ars misread a mailing list heads-up. We are waiting for Ars to publish the correction to their article.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp

  8. Re:Accidentally? by Em+Ellel · · Score: 4, Insightful

    Ahh, you miss the point. The vast majority do not need to understand the code.

    Open source's strength is not that everyone has to read/understand the code -- it is that everyone can. It takes only one person to find an issue, then others can see for themselves and confirm/fix. If the vendor is not fixing it fast enough, a fork or patch can be done without the vendor's approval. On the other hand, when Apple logged your location, it was only found by accident because they left data lying around. Then you had to wait for Apple to fix it, which, for all we know, they did by not leaving the data easily findable.

    Of course that is not perfect and plenty of bugs and issues do not get found quickly in Open Source - but if it is popular enough, it is much harder to be evil on purpose and hide it.

    Oh, it's open source so it's all good?

    Open source is so fast to get a pass on being Evil(tm) around here. More people who own an Android phone have the skills to rebuild an engine than to properly interpret the source code of their phone. Open source only matters if you have the skills to understand the code. The vast majority of people running CyanogenMod don't have this skill set.

    --
    RelevantElephants: A Somatic WebComic...