Slashdot Mirror


CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns

tlhIngan writes "Heads up CyanogenMod users — you will want to update to the latest nightly build as it turns out that your unlock patterns were accidentally logged. The fix has been committed and is in the latest build. While not easy to access (it requires access to a backup image or the device), it was a potential security hole. It was added back in August when Cyanogen added the ability to customize the screen lock size."

4 of 69 comments

  1. Re:Accidentally? by Anonymous Coward · · Score: 5, Insightful

    FUD:

    * it's an open-source project
    * the fix has been commited
    * it requires access to the device

  2. Re:Accidentally? by Anonymous Coward · · Score: 5, Informative

    The guy is part of the CyanogenMod team, he used his username so he could grep the debug output he created with that log line while testing a feature he was working on.

    To sum it up:
    Not a big deal, just left over debug code.

    Not really a vulnerability either, because in most cases where you can read the local log file you already unlocked the phone in the first place.

    --
    Me

  3. Re:Accidentally? by Parker+Lewis · · Score: 5, Informative

    And it's a nightly build! Not a stable release!

  4. The Comments of the Ars article are worth reading. by robbak · · Score: 5, Insightful

    Basically, the story is that:
    It is debugging code left in a development build, that happens to be used by many persons as nightlies.
    It does not write to a file. It is debug information written to a ring buffer in RAM. You would need to have an app installed with permission on the logs, or connect a cable in debug mode and trace the log to even get these messages.
    It was found in a code review, and removed.

    So much a non-issue that it is a wonder that Ars even reported it. Seems Ars misread a mailing list heads-up. We are waiting for Ars to publish the correction to their article.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp