CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns
tlhIngan writes "Heads up CyanogenMod users — you will want to update to the latest nightly build as it turns out that your unlock patterns were accidentally logged. The fix has been committed and is in the latest build. While not easy to access (it requires access to a backup image or the device), it was a potential security hole. It was added back in August when Cyanogen added the ability to customize the screen lock size."
Open source // code review? (Score:5, Insightful)
That's one of the issues with many committers, you can't review all the code before it ships off in a build. I seem to remember a bug in openssl where some kid commented an entropy line "because it showed warnings at compile-time" and managed to commit it without raising suspicions.
Bottom line, where are the code reviewers in this process? QA?
Re:Accidentally? (Score:5, Insightful)
FUD:
* it's an open-source project
* the fix has been committed
* it requires access to the device
Re:Accidentally? (Score:3, Insightful)
If an official ROM did this it would be taken as an evil invasion of privacy by Samsung, HTC or Google, but when the Cyanogen team does it it's immediately accepted as an accident.
Interesting.
No, things like this have happened with the larger developers and it has always been explained as a bug and accepted as incompetence. The times you see outrage is when the larger developers log data and send it to themselves as part of the intended function. Cyanogen has not done anything like that yet and indie teams generally don't have an interest to do so.
Excuse me, but... so what? (Score:1, Insightful)
You can bypass the lockscreen on any phone that has CM installed. Just hook it up to a PC with a USB cable, up pops the "Turn on USB storage" screen, hit Home, bam, you're in.
I don't use any lockscreen gesture or password, because I find them a PITA, and I want my gf to be able to use it without hassles. On the other hand, I try to treat my phone as I treat my wallet. I look around me when I pull it out of my pocket. I wait until the subway doors are closed. Etc.
Re:Accidentally? (Score:2, Insightful)
Oh, it's open source so it's all good?
Open source is so fast to get a pass on being Evil(tm) around here. More people who own an Android phone have the skills to rebuild an engine than to properly interpret the source code of their phone. Open source only matters if you have the skills to understand the code. The vast majority of people running CyanogenMod don't have this skill set.
The Comments of the Ars article are worth reading. (Score:5, Insightful)
Basically, the story is that:
It is debugging code left in a development build, that happens to be used by many persons as nightlies.
It does not write to a file. It is debug information written to a ring buffer in RAM. You would need to have an app installed with permission on the logs, or connect a cable in debug mode and trace the log to even get these messages.
It was found in a code review, and removed.
So much a non-issue that it is a wonder that Ars even reported it. Seems Ars misread a mailing list heads-up. We are waiting for Ars to publish the correction to their article.
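An added audit script (not from the thread or the CyanogenMod project) for the situation the post describes: after unlocking with a known pattern, dump the log buffer with `adb logcat -d` and check whether the cells you entered show up in it. The thread does not give the real log format, so the sample lines, tag names and the encodings checked are constructed assumptions.

```python
"""Audit a logcat dump for a leaked screen-unlock pattern.

Added example, not CyanogenMod code. Intended use: enter a pattern you know,
run `adb logcat -d > log.txt`, then call find_pattern_leaks() on the contents.
"""
import re
from typing import List

# Constructed sample of a logcat dump; tag names and message format are
# hypothetical, since the thread does not show the actual leaked line.
SAMPLE_LOG = """\
D/KeyguardViewMediator(  512): screen off
D/LockPatternView(  512): pattern = [0, 1, 2, 5]
I/ActivityManager(  512): Displayed com.android.settings/.Settings
D/LockPatternView(  512): size 3x3
"""


def encodings(cells: List[int]) -> List[str]:
    """Plausible textual encodings of a pattern's cell indices (assumed)."""
    digits = [str(c) for c in cells]
    return [", ".join(digits), ",".join(digits), " ".join(digits), "".join(digits)]


def find_pattern_leaks(log: str, cells: List[int]) -> List[str]:
    """Return every log line containing the entered pattern in any encoding.

    Lookarounds keep a short cell list from matching inside a longer number
    such as a PID or timestamp.
    """
    if len(cells) < 4:  # Android requires at least four cells in a pattern
        raise ValueError("a lock pattern has at least four cells")
    hits = []
    for line in log.splitlines():
        for enc in encodings(cells):
            if re.search(r"(?<!\d)" + re.escape(enc) + r"(?!\d)", line):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    for leak in find_pattern_leaks(SAMPLE_LOG, [0, 1, 2, 5]):
        print("LEAK:", leak)
```

Any hit means the pattern reached the log buffer, which is what an app holding the logs permission, or anyone with a debug cable, could read.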
Re:Accidentally? (Score:5, Insightful)
Ahh, you miss the point. The vast majority do not need to understand the code.
Open source's strength is not that everyone has to read/understand the code -- it is that everyone can. It takes only one person to find an issue, then others can see for themselves and confirm/fix. If the vendor is not fixing it fast enough, a fork or patch can be done without the vendor's approval. On the other hand, when Apple logged your location, it was only found by accident because they left data lying around. Then you had to wait for Apple to fix it, which, for all we know, they did by not leaving the data easily findable.
Of course that is not perfect and plenty of bugs and issues do not get found quickly in Open Source - but if it is popular enough, it is much harder to be evil on purpose and hide it.