CyanogenMod Releases Security PSA, Explains New Security Patches That Keep Root In Check

The recent fiasco surrounding Google Wallet being exploited through root has forced a lot of Android users and developers to take a look at security on their phones. CyanogenMod has released a PSA of sorts explaining some of their recent patches to CM9 and why root was the main focus.

… All Custom ROMs (CyanogenMod included) ship with one major security risk — root!

This is the basis of the Google Wallet scandal. On a rooted phone, an application's data is at risk of being accessed, which is why Google has taken the stance that Google Wallet is unsupported on rooted phones. CyanogenMod's new patches let root be disabled selectively, which allows for a bit more security on your phone.

The patches turn root into a setting with the following options:

  • Disabled
  • Enabled for ADB only
  • Enabled for Apps only
  • Enabled for both

The CyanogenMod team didn’t want to go so far as to change the root ecosystem as it is now, but still wanted to offer a way to keep it in check on users’ phones. The changes allow the user to decide what gets root and when, whether that is through ADB or by allowing apps to have access.

CM admits “shipping root enabled by default to 1,000,000+ devices was a gaping hole” but they are trying to stem the tide with this change. One note, though: CM cannot do anything about unlocked bootloaders and recovery. Those remain issues that cannot be tackled: “there is little to nothing we can do on that front.” CM says that common sense is the most basic security tool.

Via: CyanogenMod

  • alu0506

    So does google wallet work now or not?

  • Towelie420

    I’m running bugless beast on my gnexus.. I successfully used Google wallet to make a vending machine purchase the other day even though it says device not supported.
    If my phone always stays with/on me, what risk do I run of having my information stolen from me? What information, specifically, is at risk? And how can said information be stolen?

  • NorCalGuy

    Umm, there’s this other ROM called MIUI, and for over the last year it has NOT shipped with root but allows you to enable it through system preferences. So as far as I am concerned this is an OK measure to me; it’s just going to be annoying when my phone is restoring and apps are auto-downloading and will be denied root before I can get it turned on in system pref. Just a small annoyance I have noticed in MIUI and just one more reason I will keep AOKP.

  • Spunker88

    Root could be a security hole, but isn’t that what Superuser prompts are for? I only allow apps I trust like Titanium and Root Explorer so I don’t see how it would be a security issue.

  • AndroidUser00110001

    If they care that much about security then they should secure their kernels. With a boot.img that is not secure one can gain access to files through ADB and very possibly through an app to mimic ADB.

    It’s not that difficult to have a user install some type of program on PC with companion app on phone. Have them think it is some type of cool app but in the background it is dumping just about every file from phone, zipping it up and then sending it off somewhere.

    That’s why common sense is the most basic security tool.

  • Rickerbilly

    Google Wallet is overrated. It is a novelty for now. If it ever becomes mainstream, we will all be using different phones and apps anyway.

    • feztheforeigner

      Like this comment, to show dislike for the comment above…

  • ben

    What I don’t understand in all of this is that the root exploit for g-wallet requires physical access to the device… What would keep a person with physical access to your device from rooting you even if you hadn’t previously?

    I may be missing something obvious here.

    • http://twitter.com/QSMinSD Q

      From what I understand, rooting the G-Nex involves unlocking the bootloader which wipes the phone. 

      • snowblind64

        That’s what I thought too.

        There is also a kernel exploit method, which does not require unlocking the bootloader, and leaves all user data intact.

  • http://www.twitter.com/nblufire12 Nathan Patel

    Who uses Google Wallet every day and for what…?

    • http://twitter.com/QSMinSD Q

      I use it all the time to buy things.

      • http://www.twitter.com/nblufire12 Nathan Patel

        Where and for what? I have no idea where to use it.

        • Atcbrownie83

          I use it all the time at 7-Eleven, gas stations and at my work’s vending machines.

          • Noyfb

            There is a PayPass locator app in the Market; it shows where businesses have it around you.

    • Jdstell

      7-11, Some Shell stations, BP, Hess, CVS Pharmacy, Walgreens Pharmacy, McDonald’s, Foot Locker, Burger King, Sports Authority, Einstein Bagels, Home Depot, Rite Aid, Petco, Pollo tropical, Super Vitamin Outlet, Circle K, Racetrac …   just to name a few.

      • Jdstell

        I know I missed a bunch, but those are some of the ones in my area. A lot of times I finish checking out and realize they have a paypass machine after I’ve paid with a credit card.

  • Michael_NM

    That last sentence says it all. Common sense is the solution to many “issues.” :-)

    • patapongirl

      You’d be surprised how many people are lacking it.

      • sc4fpse

        Bingo. It turns out common sense is not so common anymore.

        Nothing a good whack upside the head with a 2 by 4 can’t fix. :)

    • enigmaco

      The problem with common sense, though, is it’s not that common.

      • http://www.facebook.com/TJHRULZ tjhrulz

        The moment you create an idiot proof system, the universe creates a bigger idiot.

        • wtsamatta

          !

  • http://quiklives.tumblr.com quiklives

    I don’t mean to be stupid, but I still don’t understand why there was such a fuss over Wallet and root in the first place. It’s still more secure than the credit cards in your wallet.

    • Keith Sumner

      Like they said, “common sense”: credit card data or other sensitive information could be potentially hijacked from your phone.

  • Adam Elghor

    I feel like the traffic to this site has diminished a little… :(

    • Elliott HillJennings

      March Madness