CyanogenMod Android ROMs Accidentally Logged Screen Unlock Patterns

Soulskill posted about 2 years ago | from the reasons-not-to-run-android-on-your-bank-vault dept.

Android 69

tlhIngan writes "Heads up CyanogenMod users — you will want to update to the latest nightly build as it turns out that your unlock patterns were accidentally logged. The fix has been committed and is in the latest build. While not easy to access (it requires access to a backup image or the device), it was a potential security hole. It was added back in August when Cyanogen added the ability to customize the screen lock size."

69 comments

first post (-1)

Anonymous Coward | about 2 years ago | (#41749785)

I'm posting this through my remote zombie Cyanogenmod handset.

Multi-layered security (1)

GeekWithAKnife (2717871) | about 2 years ago | (#41749791)

It's these sort of things that make you paranoid about the world+dog having access to everything. If it's not outright surveillance it's accidental. If not by design then by lack of design. A bug, a user error, a missed setting, a weak password etc. *puts on tin foil hat* Screw this, I'm going somewhere, underground, without electricity or things that need it. Log that.

Re:Multi-layered security (2, Funny)

Anonymous Coward | about 2 years ago | (#41749829)

Your location has been observed and logged. We have dispatched the black helicopters. Your co-operations is appreciated.

Re:Multi-layered security (1)

Anonymous Coward | about 2 years ago | (#41749981)

Your location has been observed and logged. We have dispatched the Mole People. Your co-operations is appreciated.

ftfy

Re:Multi-layered security (2)

meatbites (564257) | about 2 years ago | (#41750189)

Simple unlock patterns are inherently flawed, anyway. Your password is finger-painted on the screen. Even direction is easy enough to determine.

Re:Multi-layered security (1)

neonKow (1239288) | about 2 years ago | (#41752349)

Don't eat fries before you unlock your phone :P

Seriously though, I appreciate the amount of paranoia the makers of Cyanogen exhibit as far as potential security holes go. Even if patterns are not super secure, it's nice that they take additional security holes seriously enough to fix it quickly and make a public announcement.

Re:Multi-layered security (0)

LizardKing (5245) | about 2 years ago | (#41752467)

Simple unlock patterns are inherently flawed, anyway. Your password is finger-painted on the screen. Even direction is easy enough to determine.

Particularly if you sweat as much as Jimmy Savile in a primary school playground.

Accidentally? (-1, Troll)

lxs (131946) | about 2 years ago | (#41749823)

If an official ROM did this it would be taken as an evil invasion of privacy by Samsung, HTC or Google, but when the Cyanogen team does it it's immediately accepted as an accident.

Interesting.

Re:Accidentally? (5, Insightful)

Anonymous Coward | about 2 years ago | (#41749891)

FUD:

* it's an open-source project
* the fix has been committed
* it requires access to the device

Re:Accidentally? (2, Insightful)

Anonymous Coward | about 2 years ago | (#41750367)

Oh, it's open source so it's all good?
 
Open source is so fast to get a pass on being Evil(tm) around here. More people who own an Android phone have the skills to rebuild an engine than to properly interpret the source code of their phone. Open source only matters if you have the skills to understand the code. The vast majority of people running CyanogenMod don't have this skill set.

Re:Accidentally? (4, Insightful)

Em Ellel (523581) | about 2 years ago | (#41750743)

Ahh, you miss the point. The vast majority do not need to understand the code.

Open source's strength is not that everyone has to read/understand the code -- it is that everyone can. It takes only one person to find an issue, then others can see for themselves and confirm/fix. If the vendor is not fixing it fast enough, a fork or patch can be done without vendor's approval. On the other hand when Apple logged your location, it was only found by accident because they left data lying around. Then you had to wait for Apple to fix it, which, for all we know, they did by not leaving the data easily findable.

Of course that is not perfect and plenty of bugs and issues do not get found quickly in Open Source - but if it is popular enough, it is much harder to be evil on purpose and hide it.


Re:Accidentally? (1)

highphilosopher (1976698) | about 2 years ago | (#41755519)

Android flavor messes up security and Apple gets dissed. Standard day on /.
Move along people, nothing to see here :)

Re:Accidentally? (5, Informative)

Parker Lewis (999165) | about 2 years ago | (#41750433)

And it's a nightly build! Not a stable release!

Re:Accidentally? (1)

wile_e8 (958263) | about 2 years ago | (#41751383)

As a curious Cyanogenmod user, does anyone know specifically what builds are affected? I'm assuming all of the nightly builds since this was committed include it, but since I now stick to the M-builds I'm wondering if it's in those too.

Re:Accidentally? (1)

alostpacket (1972110) | about 2 years ago | (#41753211)

The fix was in the nightly, not the bug. The bug has been there for months.

For whatever it's worth this is sloppy coding. As of ADT 20 there is an automatically generated java file called BuildConfig with a single constant DEBUGGING.

So the way this line of code should have been written is something like this:


if (BuildConfig.DEBUGGING) Log.v (TAG, "some logging info");

That said, this isn't exactly leaking bank details, it's a swipe gesture. It's good they caught it, but it's not a huge security risk unless you lose your device.

Re:Accidentally? (0)

acedotcom (998378) | about 2 years ago | (#41752037)

Yes it requires access to the device....to information that, most likely, is stored on the unencrypted easy to access SD card

Re:Accidentally? (2)

hey_popey (1285712) | about 2 years ago | (#41749895)

The Cyanogenmod team (however precisely it is defined) might not be responsible for that one: the guy who added that "feature" seems to be working independently: he used his username directly in the code...

Re:Accidentally? (5, Informative)

Anonymous Coward | about 2 years ago | (#41749937)

The guy is part of the Cyanogenmod team, he used his username so he could grep the debug output he created with that log line while testing a feature he was working on.

To sum it up:
Not a big deal, just left over debug code.

Not really a vulnerability either, because in most cases where you can read the local log file you already unlocked the phone in the first place.

--
Me

Re:Accidentally? (2)

Lumpy (12016) | about 2 years ago | (#41750135)

Or you have a program running on it that is looking for that information and sending it to you via the cellular data channel.

Imagine what the criminals of the world will do with a database of android unlock codes and gestures!

Re:Accidentally? (0)

Anonymous Coward | about 2 years ago | (#41750249)

Gasp, they could do the same thing they did with credit cards!

http://pastebin.com/2qbRKh3R

Now imagine all the android unlock combinations available to all. The horror!

Re:Accidentally? (1)

PopeRatzo (965947) | about 2 years ago | (#41750369)

Imagine what the criminals of the world will do with a database of android unlock codes and gestures!

What am I missing? What good is the gesture and unlock code without the phone?

Re:Accidentally? (0)

Anonymous Coward | about 2 years ago | (#41750449)

What am I missing?

A sense of humor.

Re:Accidentally? (2)

PopeRatzo (965947) | about 2 years ago | (#41750483)

What am I missing?

A sense of humor.

Wait, was that sarcasm?

I have a condition where I cannot determine sarcasm before 7am.

Re:Accidentally? (1)

Anonymous Coward | about 2 years ago | (#41751095)

by PopeRatzo (965947) on Wednesday October 24, @07:52AM

I have a condition where I cannot determine sarcasm before 7am.

Whew, dodged that one!

Re:Accidentally? (1)

PopeRatzo (965947) | about 2 years ago | (#41755397)

by PopeRatzo (965947) on Wednesday October 24, @07:52AM

I have a condition where I cannot determine sarcasm before 7am.

Whew, dodged that one!

Never heard of "time zones"? I posted it at 06:52 CST.

Re:Accidentally? (1)

Binestar (28861) | about 2 years ago | (#41750931)

What am I missing? What good is the gesture and unlock code without the phone?

Just imagine what the criminals will do!!! IMAGINE!

Re:Accidentally? (1, Funny)

Archangel Michael (180766) | about 2 years ago | (#41752353)

Run for Office?

Re:Accidentally? (0)

Anonymous Coward | about 2 years ago | (#41755311)

Install a trojan?

Re:Accidentally? (1)

tlhIngan (30335) | about 2 years ago | (#41753283)

Imagine what the criminals of the world will do with a database of android unlock codes and gestures!

Or law enforcement - imagine what they can do with the data - they seize your phone, plug it in to see if it'll spew data out the USB port while locked. If you have USB debugging on, they could look at the logcat and see the unlock code and use it to legitimately snoop around (it "wasn't locked - it just had a very fancy "slide to unlock" function).

Given how a cellphone's legal status as a container is in doubt, this could be potentially troubling. (And face it - those who use CM nightlies probably HAVE USB debugging on.)

And on my non-CM JB phone, you can access adb and the logcat while it's still locked.

Re:Accidentally? (3, Insightful)

Anonymous Coward | about 2 years ago | (#41749939)

If an official ROM did this it would be taken as an evil invasion of privacy by Samsung, HTC or Google, but when the Cyanogen team does it it's immediately accepted as an accident.

Interesting.

No, things like this have happened with the larger developers and it has always been explained as a bug and accepted as incompetence. The times you see outrage is when the larger developers log data and send it to them as part of the intended function. Cyanogen has not done anything like that yet and indie teams generally don't have an interest to do so.

Re:Accidentally? (4, Interesting)

thegarbz (1787294) | about 2 years ago | (#41750015)

Not interesting in the slightest. The difference between evil invasion of privacy and an accident is purely intent.

If a company had done it you can't prove it one way or another so it's safe to assume the worst.

If on the other hand it's done to code that is openly published at a time where a feature is modified which during developing would have clearly called for logging the actions to file for debugging purposes it shows quite a different level of intent.

You can still assume the worst, but if you do in this case we'll just assume your tinfoil hat would need to be retuned.

Re:Accidentally? (1)

Anonymous Coward | about 2 years ago | (#41750751)

I disagree with that. No matter the intentions harm is still possible. So are you saying that if it were a company somehow they are only capable of malicious capitalistic greed, and do not possess the ability to make a mistake? That seems a bit over the top (speaking of tinfoil hats...). In this case it requires physical access to the device, and is therefore less of an issue than if it could be accessed remotely, or worse uploaded and stored on some centralized server. Rest assured that open or closed source is not the issue here.

Re:Accidentally? (1)

Anonymous Coward | about 2 years ago | (#41751011)

I disagree with that. No matter the intentions harm is still possible. So are you saying that if it were a company somehow they are only capable of malicious capitalistic greed, and do not possess the ability to make a mistake? That seems a bit over the top (speaking of tinfoil hats...). In this case it requires physical access to the device, and is therefore less of an issue than if it could be accessed remotely, or worse uploaded and stored on some centralized server. Rest assured that open or closed source is not the issue here.

It's a matter of means, motive, and opportunity.

On one side, you have a company. Its sole purpose for existence is the creation of profit for its shareholders. Because their products are closed, they can introduce a security flaw under cover of closed source ("opportunity"). Because they make the product, they are the only ones who can introduce the security flaw ("means"). Security flaws are potentially lucrative and the only reason a company exists is to make money ("motive").

On the other side, you have an open-source ROM project. They create the project, so they have the ability to introduce a security flaw ("means"). The code is open, so creating a security flaw that can't be spotted is very difficult to impossible (lack of "opportunity"). Because the ROM project is not for sale, a security flaw is not lucrative for the maintainers (lack of "motive").

You can rest assured that open or closed source is precisely the issue here.

Re:Accidentally? (1)

thegarbz (1787294) | about 2 years ago | (#41762093)

No, what I am saying is that without context we can assume the worst. Companies can and often do make mistakes, and if those mistakes are found through a process of auditing rather than security researchers finding locally stored sensitive information as is usually the case, then they would be forgiven.

The issue here is that the open source provides context into what happened. Could it have been nefarious? Possibly, but given the incident, the full code review provided and the timetable it is quite unlikely.

Re:Accidentally? (0)

Anonymous Coward | about 2 years ago | (#41751291)

If an official ROM did this it would be taken as an evil invasion of privacy by Samsung, HTC or Google, but when the Cyanogen team does it it's immediately accepted as an accident.

Interesting.

Judging by the "Troll" mod you currently have? Yes. Precisely. After all, Friend Cyanogen would never hurt you. They are above suspicion. Why are you trying to hurt your friend with your harmful insinuations? They only want what is right for you. Friend Cyanogen would never hurt you. Friend Cyanogen would never hurt you.

Re:Accidentally? (0)

Anonymous Coward | about 2 years ago | (#41752845)

Event: A recently-employed Google engineer walks around the Mountain View area. Being from Arizona, his body is not acclimated to the foliage of Silicon Valley and the pollen therein, and he sneezes.

Slashdot's Response: HOOOOOOOOOOOOLY CRAP did you see that? DID YOU SEE THAT? That sneeze represents OUR PRIVACY and what Google thinks of it! Obviously all of Google thinks we're just a bunch of bugs to be sneezed at! You know what this means, right? THEY'RE SELLING OFF YOUR PASSWORDS AND EMAILS TO *gasp* ADVERTISERS!!! ARRG! The longer and harder I think about it, the more I hallucinate how EVIL it is! GRRRRRRR! STONE HIM! Tear him limb from limb! Then tear out his blood vessels until all his organs come sliding out the holes where his arms and legs used to be! THEN BURN THE HERETIC! WE MUST CLEANSE THE EARTH OF HIS SINFUL WAYS! RRRRRRR! I can still remember that sneeze! THAT SNEEZE! CAN'T YOU SEE IT? THAT SNEEZE!!! WHY HAVEN'T THEY FIXED THAT YET?!?!? It's been a whole thirty seconds since The Great Privacy Sneeze of 2012! THIRTY SECONDS! And they STILL haven't fixed it! HRRRRRRRG ANGRY! We must go to Nevada* and cleanse his extended family, too! IT'S THEIR FAULT! They shaped his life such that GOOGLE MADE HIM SO RECKLESSLY CALLOUS ABOUT OUR PRIVACY! CLEANSE THE EARTH! CLEANSE THE EARTH! CLEANSE THE EARTH! LET NOBODY STAND IN OUR WAY! THEY MUST ALL BE ERADICATED AS ENEMIES OF OUR FREEDOMS!!!

*: Yes, I said the guy came from Arizona. I am quite familiar with how vigilante justice works, thank you very much.

Event: Code has been found in an open source project that clearly and blatantly saves and logs your cell phone's screen locking patterns.

Slashdot's Response: Oh ho ho! Those silly Billies at Cyanogen! What a light-hearted mistake they made! After all, it's impossible for them to keep track of every single commit that comes into their repo, right? Of course it is! It's open source! That makes it so hard to keep track of, so they'd never notice such a problem coming in! And how could they possibly have known what that would do? Oh, for fun. But don't worry! Since open source is so easy to keep track of, they can easily fix it in a week or so! Ha ha! Well, take your time, you nutty kids!

Open source // code review? (4, Insightful)

alex67500 (1609333) | about 2 years ago | (#41749835)

That's one of the issues with many committers, you can't review all the code before it ships off in a build. I seem to remember a bug in openssl where some kid commented an entropy line "because it showed warnings at compile-time" and managed to commit it without raising suspicions.

Bottom line, where are the code reviewers in this process? QA?

Re:Open source // code review? (1)

mwvdlee (775178) | about 2 years ago | (#41749921)

Continuous integration should be able to prevent such problems.
At its worst it'll do no worse than the best of all code reviewers combined.

Re:Open source // code review? (3, Insightful)

Anonymous Coward | about 2 years ago | (#41749985)

I fail to see how CI would have picked this up, unless you have something like a lint checker that screams about new Log() calls not in a white list or have an Interface in place for Log such that the unit tests only pass if Log is never called for certain classes.
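The kind of lint check the comment above describes, sketched as an added example that is not part of the original thread and not CyanogenMod's tooling: it scans a `git diff` for newly added `android.util.Log` calls in files matching a sensitive-path policy and reports any that are not on an allowlist. The glob policy, the allowlist format, the function name and the sample diff are all assumptions made for illustration.

```python
import re
import sys
from fnmatch import fnmatchcase

# android.util.Log calls: Log.v/d/i/w/e/wtf, tolerating "Log.v (" spacing.
LOG_CALL = re.compile(r"\bLog\.(?:v|d|i|w|e|wtf)\s*\(")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Hypothetical policy: files where no new logging may land without review.
SENSITIVE_GLOBS = ["*/LockPattern*.java", "*/keyguard/*.java"]

# Constructed sample in `git diff` format (not the real CyanogenMod commit).
SAMPLE_DIFF = "\n".join([
    "diff --git a/core/java/com/example/widget/LockPatternView.java"
    " b/core/java/com/example/widget/LockPatternView.java",
    "--- a/core/java/com/example/widget/LockPatternView.java",
    "+++ b/core/java/com/example/widget/LockPatternView.java",
    "@@ -40,3 +40,5 @@ public class LockPatternView extends View {",
    "     private void notifyPatternDetected() {",
    '+        Log.v(TAG, "pattern=" + mPattern);',
    '+        // Log.d(TAG, "commented out, so ignored");',
    "         mListener.onPatternDetected(mPattern);",
    "     }",
    "diff --git a/core/java/com/example/net/Downloader.java"
    " b/core/java/com/example/net/Downloader.java",
    "--- a/core/java/com/example/net/Downloader.java",
    "+++ b/core/java/com/example/net/Downloader.java",
    "@@ -10,3 +10,3 @@ public class Downloader {",
    "     void fetch() {",
    '+        Log.i(TAG, "starting download");',
    '-        Log.d(TAG, "old line");',
    "     }",
])


def find_new_log_calls(diff_text, sensitive_globs, allowlist=frozenset()):
    """Return (path, new_line_no, statement) for each added Log call.

    Only '+' lines inside hunks are inspected, so existing logging is not
    reported. Expects git-format diffs ("diff --git" before each file).
    """
    findings = []
    path, in_hunk, new_no = None, False, 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            path, in_hunk = None, False
        elif not in_hunk and raw.startswith("+++ "):
            name = raw[4:]
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("@@"):
            m = HUNK.match(raw)
            if m:
                in_hunk, new_no = True, int(m.group(1))
        elif in_hunk:
            if raw.startswith("+"):
                stmt = raw[1:].strip()
                if (path
                        and any(fnmatchcase(path, g) for g in sensitive_globs)
                        and LOG_CALL.search(stmt)
                        and not stmt.startswith("//")
                        and stmt not in allowlist):
                    findings.append((path, new_no, stmt))
                new_no += 1
            elif raw.startswith(" ") or raw == "":
                new_no += 1
            # '-' lines exist only in the old file: no new-file line number.
    return findings


if __name__ == "__main__":
    hits = find_new_log_calls(SAMPLE_DIFF, SENSITIVE_GLOBS)
    for path, line_no, stmt in hits:
        print(f"{path}:{line_no}: new log call needs review: {stmt}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI job
```

A check like this only narrows what a reviewer has to look at; it does not judge whether the logged value is sensitive, so the allowlist still has to be maintained by people who read the statement.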

Re:Open source // code review? (0)

Anonymous Coward | about 2 years ago | (#41750027)

Continuous integration is just making sure the code everyone is working on is kept up to date. It's normally paired with automatic unit testing, which is what I assume you were trying to refer to. Unit testing only checks for possible bugs covered by the unit tests. Almost no one has comprehensive tests. 100% code and branch coverage is extremely difficult and you should assume your testing code has the same quality as your product code.

How would a continuous integration system detect back-doors being added to the program? Why couldn't the submitter's change also update the tests to ignore his introduced bug? You always need code reviews in open source projects if you want to maintain quality.

Re:Open source // code review? (0)

Anonymous Coward | about 2 years ago | (#41750053)

The change in question was actually code reviewed. Since we know it's there it stands out like dog's balls, but in amongst all of the other changes I can see how a human without 20/20 hindsight might have missed a line doing some logging.

Re:Open source // code review? (0)

bluefoxlucid (723572) | about 2 years ago | (#41750557)

Most dogs don't have balls because PETA has determined that it's cruel to not cut a creature's nuts off.

Re:Open source // code review? (1)

Anonymous Coward | about 2 years ago | (#41749965)

Are you speaking about CM specifically or open source in general? With respect to the CM project, particularly on XDA, you will find a large number of people who ship binaries only instead of embracing the open source style of making branches in git and using Gerrit. You just have to stick to the better known builders and subscribe to their git repo.

Re:Open source // code review? (0)

Anonymous Coward | about 2 years ago | (#41750375)

process? code review? QA? - On an open-source project with more than 1 person.

ROTFLOL......

That's not to say that all open-source projects are like this, but with all open source: caveat emptor.

Re:Open source // code review? (1)

Esospopenon (1838392) | about 2 years ago | (#41750803)

To be fair, the bug was caused by the Debian OpenSSL package maintainers, not by the OpenSSL developers themselves. Here is some information [theinquirer.net] for the bug in question.

While this bug in Cyanogenmod is different and the developers themselves are responsible for it, it was not shipped in any official build. If it did, it would have been a totally different matter.

Re:Open source // code review? (1)

fuzzywig (208937) | about 2 years ago | (#41751241)

Two months late is where the code reviewers are, but still there.

Re:Open source // code review? (0)

Anonymous Coward | about 2 years ago | (#41754443)

http://review.cyanogenmod.com/

from http://wiki.cyanogenmod.com/wiki/Howto:_Gerrit
Gerrit is a source code review system developed by Google for use with Android (though it can be applied to any type of project). You can use Gerrit if you find an error in the source code, or you believe you have a better way of implementing a certain feature.

Requires backup file or device (1)

Anonymous Coward | about 2 years ago | (#41749991)

So, nothing to see here, move along.

Apple'd have said "Feature, not a bug" (0)

Anonymous Coward | about 2 years ago | (#41750043)

There are others who would have done the same as well. Glad that a happening project like Cyanogenmod takes such things seriously.

Storm in tea-cup (1)

Anonymous Coward | about 2 years ago | (#41750213)

What protection can you really expect from the screen lock? Someone who is determined enough can usually use the android debugging bridge to do whatever the hell they want with it anyway (either in recovery or when booted up). As the saying goes: if you have physical access to a device... all bets are off anyway.

The screen lock is simply to protect against most "attackers".

Re:Storm in tea-cup (1)

Ogive17 (691899) | about 2 years ago | (#41752201)

I would just look at the finger oil lines on the phone's surface and use that to guess what the unlock pattern is. Unless someone wipes their phone down every time, it should be easy to spot.

Excuse me, but... so what? (1, Insightful)

frenchbedroom (936100) | about 2 years ago | (#41750223)

You can bypass the lockscreen on any phone that has CM installed. Just hook it up to a PC with a USB cable, up pops the "Turn on USB storage" screen, hit Home, bam, you're in.

I don't use any lockscreen gesture or password, because I find them a PITA, and I want my gf to be able to use it without hassles. On the other hand, I try to treat my phone as I treat my wallet. I look around me when I pull it out of my pocket. I wait until the subway doors are closed. Etc.

Re:Excuse me, but... so what? (2, Informative)

Anonymous Coward | about 2 years ago | (#41750389)

You have to unlock it to access the dialog to enable USB storage.

Maybe you are thinking of USB debugging?

Re:Excuse me, but... so what? (1)

Anonymous Coward | about 2 years ago | (#41750477)

I have a phone here running CyanogenMod

Hooked it up to a PC with a USB cable
Phone's screen turns on, locked

Now what?

When you say "any phone" but you actually mean "My phone, on which I have disabled the lockscreen" then you look like a retard.

Re:Excuse me, but... so what? (0)

Anonymous Coward | about 2 years ago | (#41751183)

He probably means USB debugging.

Re:Excuse me, but... so what? (1)

acedotcom (998378) | about 2 years ago | (#41752111)

or you could just remove the SD card and get the back up that way. just sayin'.

Re:Excuse me, but... so what? (1)

marcosdumay (620877) | about 2 years ago | (#41751319)

I don't use any lockscreen gesture or password, because I find them a PITA, and I want my gf to be able to use it without hassles.

I had the same opinion, but I've recently added a lock gesture to stop my pocket from using the phone.

s/Android/iOS/ (-1)

Anonymous Coward | about 2 years ago | (#41750295)

iOS logs lock screen codes? Outrage! Pitchforks! Fire! Oh wait it's Android? No worries, it's cool everyone.

Re:s/Android/iOS/ (0)

Anonymous Coward | about 2 years ago | (#41752013)

You are missing the fact that this is not Android (i.e. the official vendor version) but the nightly development version of a community-built version. Now, when there is a popular, fast developing enhanced version of iOS provided under an open source license, and it has a problem like this, we might be able to compare one to the other.

The Big Difference (1)

confusedwiseman (917951) | about 2 years ago | (#41750611)

The difference is that I trust CyanogenMod more than I do the big corporations. I have seen them "do no evil". This makes it seem like a more honest mistake, in a nightly build no less. The other large corporations have given us reason to have trepidation.

The Comments of the Ars article are worth reading. (5, Insightful)

robbak (775424) | about 2 years ago | (#41750657)

Basically, the story is that:
It is debugging code left in a development build, that happens to be used by many persons as nightlies.
It does not write to a file. It is debug information written to a ring buffer in RAM. You would need to have an app installed with permission on the logs, or connect a cable in debug mode and trace the log to even get these messages.
It was found in a code review, and removed.

So much a non-issue that it is a wonder that Ars even reported it. Seems Ars misread a mailing list heads-up. We are waiting for Ars to publish the correction to their article.

Run to the hills! (2)

Parker Lewis (999165) | about 2 years ago | (#41750663)

An issue in a nightly build! OMG!

Well how about that. (0)

Anonymous Coward | about 2 years ago | (#41750989)

Never ascribe to malice what you can to incompetence.
That said, boy is that convenient if someone needed to gain access.

unlock patterns suck (0)

Anonymous Coward | about 2 years ago | (#41751107)

who cares? those unlock patterns are laughably weak protection anyway.

Screen smear pattern also gives it away. (0)

Anonymous Coward | about 2 years ago | (#41751401)

While unlock patterns are fast and easy, often you can just look at someone's phone and tell the 2 options for what their pattern is.

CM10 Nightly... (1)

ectospasm (5186) | about 2 years ago | (#41751419)

The thread following TFA mentions that this is for CM10 nightlies, so if you're tracking the development branch, you just need to upgrade to the latest nightly to ensure you have the fix.

What is this wizardry? (1)

phybere (970508) | about 2 years ago | (#41751957)

"An alternative to removing the line is adding a character to the code so it's treated as a comment and isn't executed." What is this wizardry?

This would be more interesting... (1)

undefinedreference (2677063) | about 2 years ago | (#41757273)

...if the results were uploaded to a central location for data mining. I wonder what patterns are the most popular...