Security and You


Many of you may not give it a second glance, but among all the furor and concern about permissions requested by market apps and privacy, all Custom ROMs (CyanogenMod included) ship with one major security risk — root!

We have been struggling with how to handle this for quite a bit, and took a first step with the first public CyanogenMod 9 alpha builds, by disabling the previously-default root access over USB. You can still get adb root access by running “adb root” in terminal, should you ever need it.

We recently merged 3 patches into CyanogenMod 9, to further address this: http://goo.gl/eCjDV http://goo.gl/oWAFI and http://goo.gl/34vai.

What follows is an explanation of the changes, how they affect you and our reasoning behind them.

What do the patches do?
They disable root selectively and in a configurable way. Users will be able to configure their exposure to root as:

Disabled
Enabled for ADB only
Enabled for Apps only
Enabled for both
How does this change affect the usage of your device, and root apps you have installed?
On a default CyanogenMod installation, root usage will have to be explicitly enabled by the user. This means that the user is fully aware that any application that uses root may perform actions that could compromise security, stability and data integrity. Once enabled, the process mirrors the current one: apps that request root will be flagged by SuperUser.apk, and the user will have to grant access selectively.
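To make the two layers described above concrete, here is a small model of the gate, added for this post and not CyanogenMod's su code: the global root-access mode the user picks (disabled, ADB only, apps only, both) is checked first, and only then does an app caller fall through to the per-app grant that the Superuser prompt manages. The numeric mode values, the SuGate class and the prompt callback are constructed for the illustration; the adb shell UID of 2000 is the real Android value.

```python
"""Two-layer root gate: global mode first, per-app grant second.
Added illustration of the behaviour the post describes, not the
actual su / Superuser.apk implementation."""
from enum import IntEnum


class RootAccess(IntEnum):
    # Mode values are arbitrary for this model, not a real property.
    DISABLED = 0
    ADB_ONLY = 1
    APPS_ONLY = 2
    ADB_AND_APPS = 3


ADB_SHELL_UID = 2000  # uid of the adb shell user on Android


class SuGate:
    """Hypothetical gate combining the global switch with per-app grants."""

    def __init__(self, mode=RootAccess.DISABLED):
        self.mode = RootAccess(mode)   # deny everything by default
        self.grants = {}               # uid -> True (allow) / False (deny)
        self.audit = []                # (uid, mode, allowed, reason)

    def set_mode(self, mode):
        self.mode = RootAccess(mode)

    def remember(self, uid, allow):
        """Record a remembered Superuser decision for an app uid."""
        self.grants[uid] = allow

    def request(self, uid, prompt=None):
        """Decide whether caller `uid` may become root.
        `prompt` simulates the Superuser dialog: callable(uid) -> bool.
        None means nobody is there to answer, so the request is denied."""
        if uid == ADB_SHELL_UID:
            allowed = self.mode in (RootAccess.ADB_ONLY, RootAccess.ADB_AND_APPS)
            reason = "adb"
        elif self.mode not in (RootAccess.APPS_ONLY, RootAccess.ADB_AND_APPS):
            allowed, reason = False, "apps disabled by global mode"
        elif uid in self.grants:
            allowed, reason = self.grants[uid], "remembered decision"
        elif prompt is None:
            allowed, reason = False, "no user available to prompt"
        else:
            allowed, reason = bool(prompt(uid)), "user prompted"
            self.grants[uid] = allowed   # Superuser remembers the answer
        self.audit.append((uid, int(self.mode), allowed, reason))
        return allowed
```

The audit list is what a defender would want to inspect: every root request is logged with the mode in force and the reason for the decision, so a grant that happened while the global switch was off cannot occur silently.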

Why the change?
At CyanogenMod, security has always been one of our primary concerns; however, we were hesitant to make a change that might disrupt the current root ecosystem. With CyanogenMod 9 we have the opportunity to do things better, whether it's the code in the OS, UI/UX, or security – we are taking this time to do things with a fresh approach.

Shipping root enabled by default to 1,000,000+ devices was a gaping hole. With these changes we believe we have reached a compromise that allows enthusiasts to keep using root if they so desire but also provide a good level of security to the majority of users.

What concerns remain?
Many of you reading this are savvy enough to note a remaining hole in this approach – recovery and unlocked bootloaders. The bootloaders are out of our hands, there is little to nothing we can do on that front.

Regarding recovery – with unlocked bootloaders, a malicious user could just flash a new recovery image (without any potential security we could apply) or just dump the data partition. This, however, requires physical access to the device. As such, the security standards for this are highly reliant on you, the device owner. Data encryption is available in ICS to safeguard your data. (Warning for emmc-only users – an encrypted /data means recovery will be non-functional.)

The onus is on you to secure your device; take care of your possessions, and this risk is minimal. Always make sure you take devices out of your car before you go into the mall and remove them from pockets before washing laundry. Common sense is a basic security tool.

But Why?
We honestly believe there are limited uses for root on CyanogenMod, and none that warrant shipping the OS defaulted to unsecured.

Colton
I would like to see CyanogenMod shipped with SELinux for Android.

Logan
Android should have a permission for “root” like other permissions so the user is notified when they install the app that it can request root access

Tom Burall
Could the “Enabled for Apps only” option also include a list of apps that can be selected to have root access?

http://cyanogenmod.com/ ciwrl
The su app already handles this aspect, so we don’t see a real need there.

http://cyanogenmod.com/ ciwrl
That would all but make Google acknowledge the ‘root’ as legitimate in the market. That won’t be likely to happen.

Anonymous
CyanogenMod needs to get into the business with Mobile Brands (HTC, Samsung and etc) and US Carriers (Sprint, Verizon, T-Mobile and etc)… because it has awesome ROMs.

Puklu
Sounds good, I think that’s definitely a step in the right direction. Can’t wait to get it to daily use.

norupz
Clever move

Anonymous
Can anyone explain it in layman’s terms for the arts majors out there, not the computer science or engineering students? So if I install Cyanogenmod, it’s not really secure when browsing, using emails, making purchases from the device? Or is it unsafe only if someone steals it? Sorry, I know I sound like a moron.

Anonymous
For all arts majors: instead of pushing you into the wrestling ring, cyanogen now asks you if you want to enter the ring. If you opt out, no danger. If you opt in, risk and reward.

Dr-Hack
Good and safe move…
They didn’t take the option, just gave us one more… to have root or not to.
No, CM needs more time to be a default shipped OS.

http://www.facebook.com/StygiAnTrepidAtioN Rahul Kesarkar
Fabulous thought! Absolutely nothing lost. It’s a win-win for both power users and the relatively naive ones!

A a
How about whitelisting root apps?

CJ Hayden
I can see that as a good thing. But we all use some root apps; whether it is Root Explorer or Open Garden is beside the point. They are a risk. Perhaps you could have another option, say “enabled for apps only with exceptions”, where you could add apps to a safe-to-use list, similar to how Superuser does but with a little heavier hand.

Dr Fr3ak
In the same direction of thought, it would be awesome if you would include the ability to revoke permissions for apps just as in CM7. Any plans on doing so?
I think these root management ideas are very good.

Joshua Talley
This is a great idea. Maybe I can have my bacon and eat it, too. The one thing I miss running CM is being able to rent movies from the Mar…I mean Play Store. Being able to enable or disable it within the ROM would be great. I could see enabling it to run a backup in Titanium, then disabling for daily use.

Androidrob
I just wish some support would start going to the Tmobile sgs2.

Chinpokomon
You mean like how SuperUser does already? I mean, we basically whitelist our own applications in that way. If there is a system-level whitelist, who should we trust to maintain that list? If you need root access today, the current SuperUser method provides a good security balance. For many mainstream users, they just don’t need root to begin with. I think this is a reasonable compromise.