CyanogenMod dev patches possible unlock gesture logging

Smartphone and tablet tweakers are familiar with CyanogenMod as among the more popular custom ROM releases, which build on stock Android through community contributions. The beauty of open-source software is the ability of the community to spot issues and contribute their own fixes. And so, with this collaborative effort, security vulnerabilities are easily addressed.
One such issue is the possibility for a user’s unlock swipe gesture to be logged. This bug was introduced when developers added the ability to resize the grid for gesture unlocking. Developer Gabriel Castro says a simple fix involves commenting-out that particular line of code so it is not executed.

commit Ibc0d5bfcee9673b1bf049bd69be80d2312602a47 made it so that the lockpattern was loged in logcat as it was entered. I’m really surprised nobody caught this. This could also be solved by commenting the code out or just removing the line without breaking anything.
Patch Set 3: Remove logging

The issue is not very serious for many users, because an attacker will need physical access to a device or a device backup. An attacker will also be limited to unlocking single devices, and not Android smartphones and tablets en masse. But still, it’s a vulnerability that might result in data theft given the right circumstances.
If you’re using CM on your smartphone or tablet, expect this fix to be introduced in the next update. Or, you can go download a nightly build to ensure all relevant patches are included.

SOURCES Github Ars technica

TAGS CyanogenModSecurity

 

Posted in: CyanogenMod, Security