
Root Privacy & Safety of using ROMs

Greetings everyone!

This question springs from my desire to: a) add either CM7/9 or MIUI to my Triumph but having concerns about privacy and security. Recently, our family went through a bout of identity theft and it is a primary concern right now.

Are there any safeguards taken or reviews done of the open source codes for CM7, MIUI, or other ROMs to help make sure there are no malicious lines of code for data-tracking, keylogging, misdirected URLs, etc?

I'm out of my depth in terms of tech understanding to find the answer to this question; I hope it even makes sense to you!

Thanks for your help!

- TARDIS
 

The CyanogenMod project, and our specific port, is worked on with complete transparency. In fact, the way I set up my build environment, I can't even build without first pushing my stuff online. (Well, I could, but it's simpler for me to just push everything to GitHub first). Simply put - nothing is going in the code that you can't visibly see for yourself. To answer your question, there is a review of all code going into CM. You can see that here: http://review.cyanogenmod.com/

For the Triumph-specific port, I've written detailed instructions on building CM7 for yourself. If you were so inclined, you can build the exact build that is currently on the forums. Any port-specific changes Tickerguy and I have made can be viewed on our respective GitHub pages.

Now, for MIUI, I can't account for all the changes Xiaomi has made to the AOSP/CM code. However, since I use the ROM myself, I have combed through the decompiled framework code personally. I (or anyone else in the Android community) have yet to find anything malicious. The MIUI project has been active for almost 2 years with no problems. The best advice I can give is never enter sensitive data on a mobile device.
 
Upvote 0
The best advice I can give is never enter sensitive data on a mobile device.

Wow. Do you mean never log into any accounts or services? Or would you draw the line at something like financial services?

I ask because on my old pocket tablet, I never logged into anything (not even email or forums). So, I mainly used the device as a web reader and offline media player.

With my new Triumph and all the Android services out there, I'm thinking I may need to relax my "no login" policy. Specifically, I'm wondering about email security and even services like the Amazon Appstore or Netflix. If those were accessed over public wifi, it seems like account information could easily leak.

So, do you use an SSH tunnel or VPN on your devices or simply not use any login services? Where do you draw the line?
 
Upvote 0
Make sure the sites are https:// when logging into something like a bank account or buying something. s means secure!

Well, I've been reading about how https isn't that great to start with and some Certificate Authorities have been compromised recently (even affecting big name sites). There's also the problem of whether or not everything is secured after the login.

Of course, I have my Gmail and others set to always use https. The desktop version of Firefox has addons like HTTPS Everywhere, but I'm not sure if Android browsers have an equivalent.
 
Upvote 0

I'd never enter any credit card numbers, bank information, important passwords (for sensitive accounts), SSN, etc. But that's just me. I'm paranoid about my data. More importantly, should my device ever get stolen or lost, I wouldn't want someone else having easy access to my information.
 
Upvote 0

As you can guess, I feel the same way. So, how do you feel about accessing something like the Amazon Appstore on public wifi? Mine is tied into my "real" Amazon account, so even if I just downloaded a free app or ran an app that needed to authenticate with the Amazon Appstore, couldn't that potentially leak some private account info too?
yeah or either use a secure wifi connection

wpa etc

Yes, I always do on my own networks, but that's not always an option when you're on the go.
 
Upvote 0
I'd never enter any credit card numbers, bank information, important passwords (for sensitive accounts), SSN, etc. But that's just me. I'm paranoid about my data. More importantly, should my device ever get stolen or lost, I wouldn't want someone else having easy access to my information.
That is pretty much exactly what I do.

I wouldn't use anything that had information you would not want others to see over an open network. It's probably not going to get seen, but you never know. I don't connect to anything sensitive over an open wifi network (I don't really use them that often anyway) only over mine at home (and a couple other secure ones I know).


note to OP - SWEET FORUM NAME!!!
 
Upvote 0
Maybe it's just me being from a small town, but I have used Android devices for a year now and have logged into any site I had, shopped online and even logged into my online banking site. I have never had a theft problem from using this device.
I'm not saying to log into everything; it's one of those to-each-his-own deals, but I don't feel unsafe doing it. But I also don't go to websites I don't trust, just as I wouldn't do that on my PC.
I think as long as it's a trustworthy site you should be okay. I'm not saying bad things can't happen, 'cause we all know they can even on secure PCs!
 
Upvote 0

I agree... well, with my mom's credit card, that is :rolleyes:

But anyways, I don't think you have anything to worry about. :D
 
Upvote 0
I always draw the line with actually entering financial information. If my payment method is already on file, such as with Google or Amazon, and I'm only giving my consent to use it, I don't worry too much, but I would never actually set up a payment method on my phone. With that said, if anyone actually stole my info they would probably throw it out and look for someone else's information to steal.
 
Upvote 0
Has anyone heard of Carrier IQ?
I just heard about it today while watching some CNET video, but did a Google search on it later on.

Phone 'Rootkit' Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases - Forbes

I don't believe that's in the Triumph. At least I have not seen the service run on stock, nor have I seen it listed in the AndroidManifest.xml file, where it would be listed if it was on stock. Either way, I'm almost positive it's not part of the CM7 or MIUI ROMs.
 
Upvote 0

Thanks, from the video I saw they said it was hard to detect, so I had no idea how it worked.
 
Upvote 0
At least from when I was using the Moment, it was a service that ran in the background and you can see that it was running. It was defined in the AndroidManifest.xml file to start up at every boot. So, assuming that that hasn't changed, I didn't see it in there.

Yes, you are right. I did some more reading, and from some more reading they said a ROM from CyanogenMod won't have it, but it's on some of the manufacturers' modded ROMs like TouchWiz or HTC Sense.

Carrier IQ: How the Widespread Rootkit Can Track Everything on Your Phone, and How to Remove It
 
Upvote 0
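Added example, not part of any post in this thread: one way to do the manifest check the posts above describe, listing which components an app registers to start at boot. It assumes the APK's AndroidManifest.xml has already been decoded to text XML (for example with apktool); the package `com.example.diagagent` and its components are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a manifest live in the android: XML namespace.
A = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest for a hypothetical package (not from a real ROM).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.diagagent">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WidgetProvider">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
    <service android:name=".AgentService"/>
  </application>
</manifest>
"""

def qualify(package, name):
    """Expand a relative component name (".Foo" or "Foo") to a full class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def audit_manifest(xml_text):
    """Report boot-time receivers, declared services and requested permissions."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "")
    perms = sorted(p.get(A + "name", "") for p in root.iter("uses-permission"))
    boot_receivers = [
        qualify(package, r.get(A + "name", ""))
        for r in root.iter("receiver")
        if any(a.get(A + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    services = [qualify(package, s.get(A + "name", "")) for s in root.iter("service")]
    return {
        "package": package,
        "permissions": perms,
        "declares_boot_permission": BOOT_PERMISSION in perms,
        "boot_receivers": boot_receivers,
        "services": services,
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A package that both requests `RECEIVE_BOOT_COMPLETED` and registers a receiver for `BOOT_COMPLETED` will be launched at every boot, which is the pattern to review alongside its other permissions.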
It is not in the T-Mobile SGS-II ROM and I DID check it.

It IS in a lot of stock devices however. I have no idea if it's in the base Froyo code, but were it in the CM7 code I'm quite sure someone would have found it by now.

The nice thing about open source is that anyone can look, which means someone eventually will, and that in turn is a strong disincentive to try to pull this crap -- the odds of getting caught are extremely high.
 
Upvote 0
I think this is a prime example, actually, of the stupidity of "brand loyalty". I think, asking the average smartphone user whether they would trust HTC or a group making a version of Android on the internet as to who would more likely have tracking software, they'd probably say the company over a communal development group.

Not so, as this Carrier IQ debacle is showing people that they should think twice about trusting the company they get their phone from.

For those of us who are greatly benefiting from all the android developers involved with CM7/9/MIUI/etc, there's absolutely no doubt that these guys are in it for better reasons than a company that would put all the bloatware/tracking stuff on your phone. I mean, think about it, those poor stock users are STILL on 2.2, when 4.0 just came out, and Gingerbread has been out for a long time now. Does Motorola have any benefit from hurrying to put any newer version of Android on your phone? Not really...this is why the modding community is so very helpful.

I can't say I necessarily trust Huawei/Virgin Mobile/Motorola, but I definitely trust these guys to make my phone run as clean/speedy as possible. If anything, you should think about moving to a modded ROM because the CyanogenMod community is way more worth trusting than this phone at stock. CM7 does allow tracking of anonymous statistics, but they are upfront about it, and you can easily tick a box to turn that off.
 
Upvote 0