Forgot your password?
typodupeerror
Android Operating Systems Security IT

CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns 69

Posted by Soulskill
from the reasons-not-to-run-android-on-your-bank-vault dept.
tlhIngan writes "Heads up CyanogenMod users — you will want to update to the latest nightly build as it turns out that your unlock patterns were accidentally logged. The fix has been committed and is in the latest build. While not easy to access (it requires access to a backup image or the device), it was a potential security hole. It was added back in August when Cyanogen added the ability to customize the screen lock size.`"
This discussion has been archived. No new comments can be posted.

CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns

Comments Filter:
  • It's these sort of things that make you paranoid about the world+dog having access to everything. If it's not outright surveillance it's accidental. If not by design then by lack of design. A bug, a user error, a missed setting, a weak password etc. *puts on tin foil hat* Screw this, I'm going somewhere, underground, without electricity or things that need it. Log that.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Your location has been observed and logged. We have dispatched the black helicopters. Your co-operations is appreciated.
      • by Anonymous Coward

        Your location has been observed and logged. We have dispatched the Mole People. Your co-operations is appreciated.

        ftfy

    • by meatbites (564257)
      Simple unlock patterns are inherently flawed, anyway. Your password is finger-painted on the screen. Even direction is easy enough to determine.
      • by neonKow (1239288)

        Don't eat fries before you unlock your phone :P

        Seriously though, I appreciate the amount of paranoia the makers of Cyanogen exhibit as far as potential security holes go. Even if patterns are not super secure, it's nice that take additional security holes seriously enough to fix it quickly and and make a public announcement.

      • by LizardKing (5245)

        Simple unlock patterns are inherently flawed, anyway. Your password is finger-painted on the screen. Even direction is easy enough to determine.

        Particularly if you sweat as much as Jimmy Savile in a primary school playground.

  • by alex67500 (1609333) on Wednesday October 24, 2012 @05:26AM (#41749835)

    That's one of the issues with many committers, you can't review all the code before it ships off in a build. I seem to remember a bug in openssl where some kid commented an entropy line "because it showed warnings at compile-time" and managed to commit it without raising suspicions.

    Bottom line, where are the code reviewers in this process? QA?

    • by mwvdlee (775178)

      Continuous integration should be able to prevent such problems.
      At it's worst it'll do no worse than the best of all code reviewers combined.

      • Re: (Score:3, Insightful)

        by Anonymous Coward
        I fail to see how CI would have picked this up, unless you have something like a lint checker that screams about new Log() calls not in a white list or have an Interface in place for Log such that the unit tests only pass if Log is never called for certain classes.
    • by Anonymous Coward

      Are you speaking about CM specifically or open source in general? With respect to the CM project, particularly on XDA, you will find a large number of people who ship binaries only instead of embracing the open source style of making branches in git and using gerritt. You just have to stick to the better known builders and subscribe to their git repo.

    • To be fair, the bug was caused by the Debian OpenSSL package maintainers, not by the OpenSSL developers themselves. Here are some information [theinquirer.net] for the bug in question.

      While this bug in Cyanogenmod is different and the developers themselves are responsible for it, it was not shipped in any official build. If it did, it would have been a totally different matter.

    • by fuzzywig (208937)
      Two months late is where the code reviewers are, but still there.
  • by Anonymous Coward

    So, nothing to see here, move along.

  • by Anonymous Coward

    What protection can you really expect from the screen lock? Someone who is determined enough can usually use the android debugging bridge to do whatever the hell they want with it anyway (either in recovery or when booted up). As the saying goes: if you have physical access to a device... all bets are off anyway.

    The screen lock is simply to protect against most "attackers".

    • by Ogive17 (691899)
      I would just look at the finger oil lines on the phone's surface and use that to guess what the unlock pattern is. Unless someone wipes their phone down every time, it should be easy to spot.
  • You can bypass the lockscreen on any phone that has CM installed. Just hook it up to a PC with a USB cable, up pops the "Turn on USB storage" screen, hit Home, bam, you're in.

    I don't use any lockscreen gesture or password, because I find them a PITA, and I want my gf to be able to use it without hassles. On the other hand, I try to treat my phone as I treat my wallet. I look around me when I pull it out of my pocket. I wait until the subway doors are closed. Etc.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      You have to unlock it to access the dialog to enable USB storage.

      Maybe you are thinking of USB debugging?

    • by Anonymous Coward

      I have a phone here running CyanogenMod

      Hooked it up to a PC with a USB cable
      Phone's screen turns on, locked

      Now what?

      When you say "any phone" but you actually mean "My phone, on which I have disabled the lockscreen" then you look like a retard.

    • I don't use any lockscreen gesture or password, because I find them a PITA, and I want my gf to be able to use it without hassles.

      I had the same oppinion, but I've recently added a lock gesture to stop my pocket from using the phone.

  • The difference is that I trust CyanogenMod more than I do the big corporations. I have seen them "do no evil". This makes it seem like a more honest mistake, in a nightly build no less. The other large corporations, have given us reason to have trepidation.
  • by robbak (775424) on Wednesday October 24, 2012 @08:20AM (#41750657) Homepage

    Basically, the story is that:
    It is debugging code left in a development build, that happens to be used by many persons as nightlies.
    It does not write to a file. It is debug information written to a ring buffer in RAM. You would need to have an app installed with permission on the logs, or connect a cable in debug mode and trace the log to even get these messages.
    It was found in a code review, and removed.

    So much a non-issue that it is a wonder that Ars even reported it. Seems Ars misread a mailing list heads-up. We are waiting for Ars to publish the correction to their article.

  • A issue in a nightly build! OMG!
  • The thread following TFA mentions that this is for CM10 nightlies, so if you're tracking the development branch, you just need to upgrade to the latest nightly to ensure you have the fix.

  • "An alternative to removing the line is adding a character to the code so it's treated as a comment and isn't executed." What is this wizardry?
  • ...if the results were uploaded to a central location for data mining. I wonder what patterns are the most popular...

Simplicity does not precede complexity, but follows it.

Working...