CMBig news from the CyanogenMod team this evening. They are introducing a CyanogenMod Account service to help track and remotely wipe lost or stolen phones, and to help on the security front they will be moving to a dual-release of stable ROMs.

The first bit is pretty self-explanatory. They are building their own service that offers the device tracking and remote wipe we see from Google in the new Android Device Manager service. They state the existing services are not secure because company employees or "malevolent attackers" can access your location data without your permission. The optional (and free) service will be maintained by CyanogenMod, and they will be putting up privacy policy and users can learn more about the service on their What is a CyanogenMod Account page.

The second bit is interesting as well. Previously, CM ROMs were signed with "test" keys — generic keys that ship with the Android SDK. In the near future, they will be moving to a dual-release where a User branch is signed with private keys, locking down the system and bringing it in line with the Android security model. For folks who will want to build themes and edit apps, the test key releases will continue as they are now. This should allow users who want a secure setting to have it, and users who want to modify and tinker still can do so.

These changes are coming soon, but won't be included as part of the nightly builds. For more information, visit the official source below.

Source: CyanogenMod

 
There are 15 comments

njd915 says:

Chea!

MissyHaney says:

With all due respect to CyanogenMod, there is no way that I'm opening an account and tracking my phone through CyanogenMod.

How do we know that they can be trusted? I don't even trust Google or the US Govt 100%... let alone a private entity that is dedicated on unlocking/cracking/modifying phones...

rootedVette says:

Except, everything CM does is open source. So...

Posted via Android Central App

squiddy20 says:

1. As with just about everything CM does, it's open source. So people can go in, review the code, close up any possible security holes, and make suggestions to further strengthen security.
2. The fourth paragraph from the Android Police article pretty well sums up your other concerns: http://www.androidpolice.com/2013/08/19/cm-team-announces-cyanogenmod-ac...

superlinkx says:

The whole point of the way they implemented this is that their servers act only as tunnels. They can't read the data, because it get encrypted on both sides, and they don't have access to the keys. It's actually the most secure and tamper-proof implementation out there.

juggle says:

Koush basically explained in a G+ post that the whole point of the way this is designed is to deal with exactly that. (I'd give a link but the forum then flags it as spam.)

It's open source so you can see how it works - and the way it works is encryption is between your phone and browser using a public key system so the server can't access they plain text of anything. Even if the server was compromised the attackers wouldn't have access to anything more than if they sniffed the connection.

still1 says:

why??? isnt that redundant now that all android devices has Android device manager?

eahinrichsen says:

There are some pretty significant differences, which sound pretty interesting. More here: https://plus.google.com/110558071969009568835/posts/RUENmRmrGhX

Posted via Android Central App

Why?

Only the whole reason most of us use Android: Options.

tim242 says:

So Jerry, do you approve? You love open source and love CM one day, and hate it the next. Please enlighten .

I love open-source when it's done correctly and not used as a bullet point for more sales.

Whether or not I approve of this makes no difference.

yankeesusa says:

The question is, can the phone still be tracked after a hard reset?

Via Android Central App from a Galaxy Note 2

eagle63 says:

My question as well. I use the Avast app for security on my phone primarily because it offers hard reset protection. I'm sure it's overkill, but you never know.

Posted via Android Central App

yankeesusa says:

Same here. I love that app.

Via Android Central App from a Galaxy Note 2

rwong48 says:

One thing I noticed is that it mentioned the ability to wipe /sdcard. I think Android Device Manager just wiped /data. Am I wrong?