1. Are you ready for the Galaxy S20? Here is everything we know so far!

Privacy & Safety of using ROMs

Discussion in 'Android Devices' started by TARDIS, Nov 30, 2011.


    TARDIS Newbie
    Thread Starter

    Greetings everyone!

    This question springs from my desire to: a) add either CM7/9 or MIUI to my Triumph but having concerns about privacy and security. Recently, our family went through a bout of identity theft and it is a primary concern right now.

    Are there any safeguards taken or reviews done of the open source codes for CM7, MIUI, or other ROMs to help make sure there are no malicious lines of code for data-tracking, keylogging, misdirected URLs, etc?

    I'm out of my depth in terms of tech understanding to find the answer to this question; I hope it even makes sense to you!

    Thanks for your help!

    - TARDIS

    1. Download the Forums for Android™ app!


  2. just as a heads up....CM9 isnt out yet!

    TARDIS Newbie
    Thread Starter

    Just planning for the future, friend! :)
  4. ah! sorry about that!

    to my knowledge they are safe....ive used CM7 for what seems like forever now!
  5. isaacj87

    isaacj87 Android Expert

    The Cyanogenmod project, and our specific port, is worked on with complete transparency. In fact, the way I set up my build environment, I can't even build without first pushing my stuff online. (Well, I could, but it's simpler for me to just push everything to Github first). Simply put - nothing is going in the code that you can't visibly see for yourself. To answer your question, there is a review of all code going into CM. You can see that here: http://review.cyanogenmod.com/

    For the Triumph specific port, I've written detailed instructions on building CM7 for yourself. If you were so inclined, you can build the exact build that is currently on the forums. Any port specific changes Tickerguy and I have made can be viewed on our respective Github pages.

    Now, for MIUI, I can't account for the all changes the Xiaomi has made the AOSP/CM code. However, since I use the ROM myself, I have combed through the decompiled framework code personally. I have yet (or anyone else in the Android community) to find anything malicious. The MIUI project has been active for almost 2 years with no problems. The best advice I can give is never enter sensitive data on a mobile device.
    cubecube and agentc13 like this.
  6. Ayered

    Ayered Member

    Wow. Do you mean never log into any accounts or services? Or would you draw the line at something like financial services?

    I ask because on my old pocket tablet, I never logged into anything (not even email or forums). So, I mainly used the device as a web reader and offline media player.

    With my new Triumph and all the Android services out there, I'm thinking I may need to relax my "no login" policy. Specifically, I'm wondering about email security and even services like the Amazon Appstore or Netflix. If those were accessed over public wifi, it seems like account information could easily leak.

    So, do you use a SSH tunnel or VPN on your devices or simply not use any login services? Where do draw the line?
  7. make sure the sites are https:// when login into something like a bank account or buying something. s means secure!
  8. Ayered

    Ayered Member

    Well, I've been reading about how https isn't that great to start with and some Certificate Authorities have been compromised recently (even affecting big name sites). There's also the problem of whether or not everything is secured after the login.

    Of course, I have my Gmail and others set to always use https. The desktop version of Firefox has addons like HTTPS Everywhere, but I'm not sure if Android browsers have an equivalent.
  9. yeah or either use a secure wifi connection

    wpa etc
  10. isaacj87

    isaacj87 Android Expert

    I'd never enter any credit card numbers, bank information, important passwords (for sensitive accounts), SSN, etc. But that's just me. I'm paranoid about my data. More importantly, should my device ever get stolen or lost, I wouldn't want someone else having easy access to my information.
  11. Ayered

    Ayered Member

    As you can guess, I feel the same way. So, how do feel about accessing something like the Amazon Appstore on public wifi? Mine is tied into my "real" Amazon account, so even if just I downloaded a free app or ran an app that needed to authenticate with the Amazon Appstore, couldn't that potentially leak some private account info too?
    Yes, I always do on my own networks, but that's not always an option when you're on the go.
  12. agentc13

    agentc13 Daleks Über Alles

    That's is pretty much exactly what I do.

    I wouldn't use anything that had information you would not want others to see over an open network. It's probably not going to get seen, but you never know. I don't connect to anything sensitive over an open wifi network (I don't really use them that often anyway) only over mine at home (and a couple other secure ones I know).

    note to OP - SWEET FORUM NAME!!!
  13. b_randon14

    b_randon14 Android Expert

    Maybe its just me being from a small town but I have used android devices for a year now and have logged into any site I had, shopped online and even logged into my online banking site. I have never had a theft problem from using this device.
    I'm not saying to log into everything its one of those to each is own deals but I don't feel unsafe doing. But I also don't go to websites I don't trust just as I wouldn't do that on my PC.
    I think as long as its a trustworthy site you should be okay. In not saying bad things can't happen cause we all know they can even on secure PC's!
  14. ziggy46

    ziggy46 Android Expert

    i agree... well with my moms credit card that is :rolleyes:

    but anyways, i dont think you have anything to worry about. :D
  15. Chairshot215

    Chairshot215 Android Expert

    I always draw the line with actualy entering financial information. If my payment method is already on file such as Google or Amazon and I'm only giving my concent to use it I don't worry to much but I would never actualy set up a payment method on my phone. With that said if anyone actualy stole my info they would probably throw it out and look for someone else's information to steel.
    agentc13 likes this.
  16. alaskn81

    alaskn81 Member

  17. mantera

    mantera Android Expert

    I don't believe that's in the Triumph. At least I have not seen the service run on stock nor have I seen it listed in the androidmanifest.xml file where it would be listed if it was on stock. Either way, I'm almost positive it's not part of the CM7 or MIUI roms.
    alaskn81 likes this.
  18. alaskn81

    alaskn81 Member

    Thanks, from the video I seen they said it was hard to detect so I had no idea how it worked.
  19. mantera

    mantera Android Expert

    At least from when I was using the Moment, it was a service that ran in the background and you can see that it was running. It was defined in the AndroidManifest.xml file to start up at every boot. So, assuming that that hasn't changed, I didn't see it in there.
  20. alaskn81

    alaskn81 Member

    Yes, you are right. I did some more reading, and from some more reading they said a ROM from cyanogenmod wont have it, but its on some of the manufactures modded ROM's like touchwiz or htc sense.

    Carrier IQ: How the Widespread Rootkit Can Track Everything on Your Phone, and How to Remove It
  21. agentc13

    agentc13 Daleks Über Alles

    It won't be included on custom ROMs. I don't believe it is on the stock version of the Triumph either.
  22. Bill Clay

    Bill Clay Member

    I ran the Logging TestApp utility on the stock Triumph and it showed clean of any trace of CIQ.
    Ayered likes this.
  23. tickerguy

    tickerguy Android Enthusiast

    It is not in the T-Mobile SGS-II ROM and I DID check it.

    It IS in a lot of stock devices however. I have no idea if it's in the base Froyo code, but were it in the CM7 code I'm quite sure someone would have found it by now.

    The nice thing about open source is that anyone can look, which means someone eventually will, and that in turn is a strong disincentive to try to pull this crap -- the odds of getting caught is extremelyhigh.
  24. mantera

    mantera Android Expert

  25. mdoggie

    mdoggie Newbie

    I think this is a prime example, actually, of the stupidity of "brand loyalty". I think, asking the average smartphone user whether they would trust HTC or a group making a version of Android on the internet as to who would more likely have tracking software, they'd probably say the company over a communal development group.

    Not so, as this Carrier IQ debacle is showing people that they should think twice about trusting the company they get their phone from.

    For those of us who are greatly benefiting from all the android developers involved with CM7/9/MIUI/etc, there's absolutely no doubt that these guys are in it for better reasons than a company that would put all the bloatware/tracking stuff on your phone. I mean, think about it, those poor stock users are STILL on 2.2, when 4.0 just came out, and Gingerbread has been out for a long time now. Does Motorola have any benefit from hurrying to put any newer version of Android on your phone? Not really...this is why the modding community is so very helpful.

    I can't say I necessarily trust Huawei/Virgin Mobile/Motorola, but I definitely trust these guys to make my phone run as clean/speedy as possible. If anything, you should think about moving to a modded ROM because the CyanogenMod community is way more worth trusting than this phone at Stock. CM7 does allow to track anonymous statistics, but they are upfront about it, and you can easily tick a box to turn that off.

Motorola Triumph Forum

Features and specs are not yet known.

Release Date

Share This Page