Malware in Custom Roms? - Thunderbolt Q&A, Help & Troubleshooting

DISCLAIMER:
This is totally academic, and I only pose the question as that of mere curiosity.
In no way do I mean to accuse any developer here or elsewhere of intentionally or otherwise installing malicious software in our ROMs. Not trying to start a flame war or anything.
What is the possibility that a rogue ROM creator would or could install malicious content on one of our devices? What kind of things would we look for to indicate that our device may be compromised? Perhaps packet sniffing for the extra paranoid.
I am the type that, when I see something that doesn't look normal, I question it. That said, I am a very experienced Linux, *BSD, and Solaris administrator; but my experience with Android is just blooming. So I might not know where to look in the Android filesystem, or know which processes may be irregular.
I did some Googling but haven't found anything to indicate this has happened before (thank God). Are there self-checks in Android to prevent this from happening? Call me paranoid, but I just like to know what's going on.
Does the "anti-virus" software in the App Market actually help with this?
Again just curious. I heard about some apps on the Market that Google had to remotely erase. And I believe I am correct in understanding that Google isn't as restrictive with its applications as Apple.
Any takes on this?

Antivirus and task killers, all that, are garbage and slow your phone down. You won't have to worry about that happening on this site.

It depends if he/she is an asshole...
The first "viruses" for Android were because people were downloading paid apps on the internet, from some site in China, that had viruses put into those apps that people were downloading.

Just don't get on the bad side of a dev.

adrynalyne said:
Just don't get on the bad side of a dev.
LOL! I'll make sure not to do that!
I know that task-killers are BS. I figured the anti-virus was a gimmick, too. As far as for self-replicating viruses on the phones I doubt that will occur.
I'm more worried about malware in the form of a sleeper trojan that calls home with my personal phone information, or gets added to some jackass's botnet for DDoSing.

That was a worry of mine when I first came to this site, but the devs I download from I find quite professional. I have since just started to dig into ROMs, trying to port them to the TB, and compare the contents and begin to see what is normally packed in the zip. I have never found a dev on this site attempt to introduce malware. I have seen some introduce warez but the site immediately banned them. The site has banned devs for not giving credit where credit is due, and for opening multiple accounts in a way to circumvent the system.
This site is great for all, and they do their best to keep everyone honest.

I've been here and ppcgeeks for nearly 3 and 1/2 years, both with winmo and android, and I have never had an issue. It seems that these sites really do the best they can to catch things before they happen. Personally, I can't say enough about our devs. They're great, and they do a good bit of work for people who are honestly not thankful enough to them. I personally don't think you will ever have an issue, as I haven't. And I download tons of stuff from here and other places.

I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or kernel, or are there things we can do with a running Android system to know how well the live code is behaving?

I've always been curious of this myself. I am no advanced Linux administrator (yet), just an aspiring IT student. I would think the best people to ask would be the developers themselves, though.

funkybside said:
I think everyone is missing the OP's point. OP isn't asking if it's happening now or whether it's happening here.
Instead, the question concerns whether or not it's physically possible for malicious code to get executed after installing a custom ROM and/or kernel, assuming the developer of that ROM or kernel was inclined to put some in there. Assuming it *is* possible, which I certainly believe it is, what if anything can be done by an experienced *NIX administrator to be aware of it?
Is your only option to 'trust' the developer of the ROM or kernel, or are there things we can do with a running Android system to know how well the live code is behaving?
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things

Actually I believe it has happened at least twice. Once by accident, and once there may have been malicious code put into a ROM that was set as bait for code thieves.
The first one was stupid: an update agent was left in the ROM, and an update got pushed that loaded the phone browser to a certain site (it was not a bad site either). This affected a VERY minor few, as you had to have a certain version of a ROM, and have rebooted over a very specific point in time.
The latter I will not go into as I do not know the specifics, or the validity of any of what happened.

g00s3y said:
No one is missing the point, the op asked if it can happen in roms/kernels/etc. Roms/kernels/etc for the phone are distributed here, therefore he is asking if it can happen here or anywhere that devs create these things for our phones.
BTW an experienced Linux admin should already know how to check for these things
Sorry if my post offended you and no disrespect intended, but I think you are mistaken. The question of whether or not something "can happen" is fundamentally different from the question of whether or not anyone is actually doing it. Also, saying that any "experienced Linux admin should already know how to check for these things" is in poor taste; it's a personal attack that adds no value to the discussion. The idea here is to address the OP's question as a purely academic thought experiment; there is no implicit reference to the morality of the developers here...
Perhaps we should ask the same question in a different way:
If a net-sec researcher working at SANS wanted to test exploitation vectors against their own personal HTC Thunderbolt, is it physically possible for them to build a custom ROM and/or kernel such that this custom module includes malicious code that executes automatically after being installed on the device?
I'd be highly surprised if anyone claims the answer is no. If the kernel itself is custom, anything the hardware can do is fair game...
Concerning the question of how to know if anything is happening, since we're talking about the firmware itself, it would be difficult to do anything in userspace with confidence. To be really sure, you'd likely need to sniff traffic (both mobile and wifi) as well as physically monitor the hardware's debug output (and perhaps even the circuit traces themselves). With a compromised kernel, you can't trust anything running through the operating system's APIs.
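A concrete version of the traffic-sniffing check described in the post above, added here as an example and not code from anyone in the thread. It assumes you have already captured the phone's connections from outside the device (a laptop acting as the wifi hotspot, or a mirror port on the router, so that a compromised kernel cannot hide them) and reduced them to one line per connection in the form `<ISO time> <src> -> <dst>:<port> <bytes>`; that line format, the sample capture and the IP addresses are all constructed for the example. It flags destinations the phone contacts at a near-constant interval, which is the signature of a sleeper trojan or bot client checking in:

```python
"""Spot a device "calling home" from a traffic capture taken off the device.

Added example, not code from the thread. Because a compromised kernel can lie to
every tool running on the phone, the capture must come from outside it: a
router, a laptop running the hotspot, or a mirror port. This script takes
connection records from such a capture and flags destinations the phone contacts
at a fixed cadence, which is how a sleeper trojan or bot client checks in.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Input format assumed for this example: "<ISO time> <src> -> <dst>:<port> <bytes>"
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+)$"
)


def parse(lines):
    """Yield (timestamp, src, dst, port, bytes) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, nbytes = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def find_beacons(lines, min_hits=4, max_cv=0.15):
    """Return flows (src, dst, port) whose inter-connection intervals are nearly constant.

    min_hits: connections needed before periodicity is judged at all.
    max_cv:   maximum coefficient of variation (stdev / mean) of the intervals;
              real browsing is bursty and has a CV well above 1.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, nbytes in parse(lines):
        by_flow[(src, dst, port)].append((ts, nbytes))
    findings = []
    for flow, events in by_flow.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({
                "flow": flow,
                "hits": len(events),
                "period_s": round(mean, 1),
                "bytes_out": sum(n for _, n in events),
            })
    return sorted(findings, key=lambda f: f["period_s"])


# Constructed sample capture (not real traffic). 10.0.0.5 is the phone.
# Browsing to 198.51.100.20 is bursty; 203.0.113.7 is contacted every 300 s.
SAMPLE = """
2011-06-01T12:00:00 10.0.0.5 -> 198.51.100.20:443 1820
2011-06-01T12:00:02 10.0.0.5 -> 198.51.100.20:443 940
2011-06-01T12:00:03 10.0.0.5 -> 198.51.100.20:443 15020
2011-06-01T12:00:07 10.0.0.5 -> 203.0.113.7:8080 412
2011-06-01T12:05:07 10.0.0.5 -> 203.0.113.7:8080 408
2011-06-01T12:07:41 10.0.0.5 -> 198.51.100.20:443 2210
2011-06-01T12:10:08 10.0.0.5 -> 203.0.113.7:8080 415
2011-06-01T12:15:07 10.0.0.5 -> 203.0.113.7:8080 409
2011-06-01T12:20:07 10.0.0.5 -> 203.0.113.7:8080 411
garbage line that does not parse
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE):
        print(finding)
```

Browsing traffic is bursty, so it does not trip the check; the flow to 203.0.113.7 every 300 seconds does. Lower `max_cv` to tolerate less jitter, and compare any flagged destination against what the stock ROM talks to (carrier, Google, update servers) before drawing conclusions.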

It's very doubtful that any reputable developer on XDA would do this. Impossible? No. But XDA is the kind of place where something like this would be discovered very quickly and spread like wildfire.
Now, some unknown developer, on a random website? While I haven't come across this yet, I'd say: more likely.

The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.

funkybside said:
The question isn't concerning the likelihood of it occurring on XDA or elsewhere, it's specifically about whether or not it is technically possible to do it.
I think we can infer from everyone who is answering the unrelated question, i.e. is it happening on XDA or anywhere else?, that yes, it is possible to insert malicious code into a ROM or kernel.
I think you are right. As long as there is superuser access, then basically anyone with su can pretty much do anything to your phone.
At least that's my take on it.

I'm new to Android in general and XDA in particular, so please forgive my ignorance (and yes I will try searching), but this makes me wonder: do the established developers of custom ROMs and kernels release their source code? I'd imagine the same terms of the GPL that require HTC to release their source would also require anyone building custom kernels to do the same. Is this also true for ROMs?

I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs is too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.

nerozehl said:
I am an experienced *NIX administrator, and that's what makes me so paranoid. This kernel source isn't coming from a CVS tree that is being scrutinized by hundreds of developers, at least not to my knowledge.
I know how code can be injected into a kernel, into a module, pretty much anywhere. Should I run a diff on the kernel source tree to see what was changed? Could do that, but that may be time consuming. I've seen innocuous kernel modules altered to allow a gateway for elevating to UID 0 (and in fact, more often in Linux than in others.)
I'm pretty confident that the folks here on XDA aren't doing anything malicious: the following of these ROMs is too popular and very fluid, and I would expect something malicious to be found quickly.
Again this is just purely academic.
Agreed that the likelihood of stuff here being questionable is low, but the simple fact that there is a non-zero risk certainly makes me think a little bit. You summed it up well and the examples are spot on - this is why I immediately wondered if developers here are publishing the source code of their customized versions. Ignoring the GPL angle, it's just good to know it's out there if it is, and by the same token, also good to know if it's not out there.

I have another question to add. I love MIUI, and to my understanding MIUI is made by Chinese developers and it is not open source; it is just translated and ported to our devices. If it is not open source, is there any way to know for sure?
I am a little bit wary of the security, although I love the ROM. I trust all of the credible devs on XDA, however I don't know anything about the Chinese devs developing MIUI. Would the devs porting MIUI be able to see the malware if it isn't open source?
Sent from my ADR6400L using XDA App

It is definitely possible. I read a paper a while back that I've been referencing in my own research where some researchers compiled some kernel modules to do malicious tasks in the background without the knowledge of the user; mind you, this was on an open source Linux-based phone system similar to Android. Basically compiled-in rootkits, and replacing your kernel/ROM with a community-developed system would result in the possibility of this occurring. The primary solution to preventing these things from ending up on your phone, as well as keeping the Trojans and other malware on the Android Market off it, comes down to the same thing: knowing your publisher and being careful what permissions you allow. Like stick to kernels/ROMs from reputable developers on XDA, and make sure your "movie player" doesn't have access to your SMS system and you'll be fine.
Mind you, my own research currently is in detection of malware/malicious code and anomalous behavior, as well as, hopefully, prevention techniques eventually.
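The "movie player with SMS access" rule from the post above, automated over the permission list that `aapt dump badging` prints for an APK. This is an added example, not code from the thread or from any Android project; the permission groupings, the per-category policy and the badging output for `com.example.videoplayer` are all constructed for the example. It accepts both the `uses-permission: name='...'` and the older `uses-permission:'...'` output styles, so it can be run over every APK pulled out of a ROM's /system/app before flashing:

```python
"""Check an APK's requested permissions against what its stated purpose needs.

Added example, not code from the thread. The post above says to make sure a
"movie player" has no access to SMS; this automates that judgement over the
permission list aapt prints (`aapt dump badging foo.apk`). The permission
groupings and the per-category policy are assumptions made for this example,
not an Android-defined list.
"""
import re

# Permissions that give an app reach into personal data, calls or the network.
# Grouping is an assumption for this example.
SENSITIVE = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
                  "android.permission.PROCESS_OUTGOING_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "network": {"android.permission.INTERNET"},
}
# What each kind of app plausibly needs (assumed policy for this example).
EXPECTED = {
    "media_player": {"network"},
    "messaging": {"sms", "contacts", "network", "telephony"},
    "maps": {"location", "network"},
}
# aapt prints either "uses-permission: name='X'" (newer) or "uses-permission:'X'" (older).
PERM_RE = re.compile(r"^uses-permission:(?:\s*name=)?'([^']+)'", re.MULTILINE)
PKG_RE = re.compile(r"^package: name='([^']+)'", re.MULTILINE)


def parse_badging(text):
    """Return (package name or None, set of requested permissions) from aapt output."""
    pkg = PKG_RE.search(text)
    return (pkg.group(1) if pkg else None), set(PERM_RE.findall(text))


def unexpected_permissions(badging_text, category):
    """Return {group: sorted perms} that the app requests but its category does not justify."""
    _, perms = parse_badging(badging_text)
    allowed = EXPECTED.get(category, set())
    flagged = {}
    for group, members in SENSITIVE.items():
        if group in allowed:
            continue
        hit = sorted(perms & members)
        if hit:
            flagged[group] = hit
    return flagged


# Constructed aapt output for a hypothetical bundled video player (not a real app).
PLAYER_BADGING = """\
package: name='com.example.videoplayer' versionCode='7' versionName='2.1'
sdkVersion:'8'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission:'android.permission.READ_SMS'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.READ_PHONE_STATE'
application-label:'Video Player'
"""

if __name__ == "__main__":
    pkg, _ = parse_badging(PLAYER_BADGING)
    print(pkg, unexpected_permissions(PLAYER_BADGING, "media_player"))
```

Feed it the output of `aapt dump badging` for each APK and a category you assign by hand from the app's label; a player that reads SMS, reads phone state and starts itself at boot is exactly the combination worth asking the ROM's dev about.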

Related

[Q] antivirus .. Would it help??

hi crew,
I couldn't seem to find the answer or a logical breakdown on this topic and so I wanted to hear from the folks here at XDA. I'm relatively new and just learned about this website last year while I was searching for things to do with my HD2. I used to flash all kinds of stuff on my phone and really enjoy it. However, I moved on to the Sensation, Touchpad, Kindle Fire, and Dell 7.
Except for the Touchpad (CM7), I'm keeping everything else stock and unrooted. This year alone there were several incidents with security on the Android platform .. Skype, malicious apps on the Market and forums, and I believe there were also issues with custom ROMs for folks in China. I guess my question is .. how easy is it to include malicious code in a custom ROM? If a developer/chef can modify just about every aspect of this platform then I'm guessing it won't break much of a sweat for them to include this spying code in a custom ROM?
Don't get me wrong, because I truly believe that 99.999% of developers on this forum are dedicated and passionate about giving us the ultimate user experience. But if you look at the math, it only takes 1 out of every 100,000 and that's enough to create fear in many of us. Is there a way for users (common users) like myself to determine if there is something else coded into a custom ROM? Would it help at all to protect our privacy with an AV?
Of course, one answer to my question is to avoid custom ROMs! But yet, with the recent news about Carrier IQ, even with stock you are still being monitored. Since I'm not a developer and have very limited knowledge about this area, I just wanted to ask the questions here to hear inputs, suggestions, and opinions from more experienced users (and perhaps developers, if any). Thanks!
Thread moved to Q&A due to it being a question. Would advise you to read forum rules and post in correct section.
Failure to comply with forum rules will result in an infraction and/or ban depending on severity of rule break.
qdochemistry said:
How easy is it to include malicious code in a custom ROM? If a developer/chef can modify just about every aspect of this platform then I'm guessing it won't break much of a sweat for them to include this spying code in a custom ROM?
Very easy.
qdochemistry said:
Is there a way for users (common users) like myself to determine if there is something else coded into a custom ROM? Would it help at all to protect our privacy with an AV?
It depends. You could use an antivirus, but they mainly just scan your apps, media, and settings; so if the malicious 'thing' is directly built into the rom, it will not be detected. If it was an app (or in one), then there is a chance it would be detected.
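A worked version of the check the antivirus cannot do, added here as an example and not code from the thread: compare the flashable zip against a baseline you already trust (the stock image, or the previous release of the same ROM) and list what was added, removed or changed, with extra attention to init.rc services and to files landing in directories that execute code. It is the "compare the contents and see what is normally packed in the zip" approach a poster in the earlier thread described, made mechanical. The two zips, the init.rc contents and the set of sensitive directories are constructed for the example.

```python
"""Audit a custom ROM zip against a known-good baseline.

Added example, not code from the thread. An antivirus scans installed apps, but
something baked into /system (an extra init service, a new binary in
/system/xbin, an added APK) is invisible to it. Diffing the flashable zip
against a baseline you trust (the stock image, or the previous release of the
same ROM) is the practical user-side check.
"""
import hashlib
import io
import re
import zipfile

# Directories where an unexplained addition deserves a second look.
# The list is an assumption about a typical /system layout of the era.
SENSITIVE_PREFIXES = (
    "system/app/", "system/xbin/", "system/bin/",
    "system/etc/init.d/", "system/lib/modules/",
)
# "service <name> <executable> ..." lines in an Android init.rc
SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)", re.MULTILINE)


def inventory(zip_bytes):
    """Map every file in the zip to its SHA-256 digest (directory entries skipped)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            result[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return result


def init_services(zip_bytes, rc_path="init.rc"):
    """Return {service_name: executable} parsed from the init.rc inside the zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if rc_path not in zf.namelist():
            return {}
        text = zf.read(rc_path).decode("utf-8", "replace")
    return {name: exe for name, exe in SERVICE_RE.findall(text)}


def audit(baseline_zip, candidate_zip):
    """Diff candidate against baseline; flag new init services and changes in sensitive dirs."""
    base, cand = inventory(baseline_zip), inventory(candidate_zip)
    added = sorted(set(cand) - set(base))
    removed = sorted(set(base) - set(cand))
    modified = sorted(p for p in set(base) & set(cand) if base[p] != cand[p])
    base_svc, cand_svc = init_services(baseline_zip), init_services(candidate_zip)
    new_services = {n: exe for n, exe in cand_svc.items() if base_svc.get(n) != exe}
    suspicious = [p for p in added + modified if p.startswith(SENSITIVE_PREFIXES)]
    return {
        "added": added, "removed": removed, "modified": modified,
        "new_services": new_services, "suspicious": suspicious,
    }


def build_zip(files):
    """Construct an in-memory zip from {path: bytes} (used only to build the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample data (not a real ROM): a baseline and a "custom" build that
# adds an init service plus the binary it launches.
BASE_RC = b"service adbd /sbin/adbd\n    disabled\n\nservice ril-daemon /system/bin/rild\n"
BASELINE = build_zip({
    "init.rc": BASE_RC,
    "system/bin/rild": b"rild-binary",
    "system/app/Browser.apk": b"browser-apk",
    "system/build.prop": b"ro.build.id=GRJ22\n",
})
CANDIDATE = build_zip({
    "init.rc": BASE_RC + b"\nservice sysmon /system/xbin/sysmon\n    class main\n    user root\n",
    "system/bin/rild": b"rild-binary",
    "system/app/Browser.apk": b"browser-apk",
    "system/build.prop": b"ro.build.id=GRJ22\nro.modversion=CustomROM-1.0\n",
    "system/xbin/sysmon": b"unknown-binary",
})

if __name__ == "__main__":
    for key, value in audit(BASELINE, CANDIDATE).items():
        print(f"{key}: {value}")
```

On real files run `audit(open("stock.zip", "rb").read(), open("custom.zip", "rb").read())`. An entry in `new_services` or `suspicious` is not by itself malicious (custom ROMs legitimately add busybox to /system/xbin and init.d support), but every entry should have an explanation in the ROM's changelog; one that does not is the thing to ask the dev about.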
Thanks .. that was indeed my thoughts, but since I don't know much about coding or "cooking" I figured I would ask. XDA is a great community but it is a scary thought having to think that our privacy with custom ROMs is entirely relying on the "honor code" of developers. I have not read about any isolated incidents with infected ROMs, and much less would something like that happen here at XDA. I hope I am correct with the assumption that ROMs being released here are somehow being cross-checked by someone .. but I guess that would be a great amount of effort as too many ROMs are being released every day on this site.
Again, there are many reputable developers in this community but just thought that I'd ask since it would only take one to ruin the effort of a million ... if anyone got thoughts or opinions feel free to comment.
Thanks for replying
I think that's a very valid concern. I am using a custom rom right now so this is also my concern.
I hope I am correct with the assumption that ROMs being released here are somehow being cross-checked by someone .. but I guess that would be a great amount of effort as too many ROMs are being released every day on this site.
Well, I don't think there is anyone / any party responsible for checking the released ROMs, given the amount of work required... So what I do is avoid doing anything sensitive with the phone (even when I was using a stock ROM). All this kind of stuff I do with my desktop, where I feel I have more control.
lol .. same here .. on devices with ported ROMs I am quite careful as to what I do with it .. and on stock devices i do keep the number of apps to the minimal. But it's just sad being that way .. or may be i'm just paranoid!

[Q] Creating Kernel Source Not Kernel from source!!!!!!!!

Hello Everybody,
I just wanted ICS for my device, as we are still running GB, which is an awful thing for a dual-core Tegra 2 device (Micromax A85, a rebranded version of the K-Touch W700/Cherry Magnum 2X). We tried to create ICS for our device but we failed, as we don't have kernel sources for our device and they haven't released a kernel for any device.
And so I started asking developers whether they could help us, and the only answer I got was no, and they kept saying no way, your situation is hopeless and all that.
And now I just wanted to know: when a mobile is manufactured for the first time they don't have any kernel source for it; they create it for the device, or develop it for the device. And if they can develop it, then why can't we develop it, as we are all humans and what they can do I can do. So please tell me now how to create kernels, not that you can't and nothing can be done. And I think that XDA is a great site, and now I want to know whether there are real developers here or some kind of script kiddies present on XDA.
Now show me what developers have got. I know deep inside my mind that there are developers who can help me. They just need to be discovered!!!!!
Well... it is possible, but it's a ton of work and will take months... it's something no one wants to do for free, as the end result isn't worth all the work.
I'm no expert on kernels... I'm actually pretty new to them, but I'll tell you this: you have to identify every single chip in your device, you then need to implement their drivers... you need to make thousands of files... the end result is a folder that is over 100 MB... almost completely "text" documents... I would never even attempt it unless I was getting paid a lot of money...
The people who make these from scratch (manufacturers) typically have teams of people who are specialized, who have gone through years of schooling and work to get where they are now.
And keep in mind there are different kinds of development... don't start calling people script kiddies if they don't know how to make kernels from scratch... for all you know they could be one of the best app or game developers around... they are just specialized in a different area.
I really dislike the way you are asking for help... you seem to be indirectly putting down a lot of people in the OP... and basically saying if you can't build a kernel from no source then you're not a developer... these people have jobs and lives, they don't have the time to make a kernel from nothing. The reason manufacturers are able to is because that is their job... that's what they do for hours a day, every day...
Anyways... try bugging the manufacturer for source... they have to release it or they are in violation of GLL (I think that's the name...) and they could get sued... as far as I know, due to Android being open source, kernel source must always be released.
Sent from my SGH-I997 using Tapatalk 2
mg, it's GPL v2.0
mg2195 said:
Well... it is possible, but it's a ton of work and will take months... it's something no one wants to do for free, as the end result isn't worth all the work.
I'm no expert on kernels... I'm actually pretty new to them, but I'll tell you this: you have to identify every single chip in your device, you then need to implement their drivers... you need to make thousands of files... the end result is a folder that is over 100 MB... almost completely "text" documents... I would never even attempt it unless I was getting paid a lot of money...
The people who make these from scratch (manufacturers) typically have teams of people who are specialized, who have gone through years of schooling and work to get where they are now.
And keep in mind there are different kinds of development... don't start calling people script kiddies if they don't know how to make kernels from scratch... for all you know they could be one of the best app or game developers around... they are just specialized in a different area.
I really dislike the way you are asking for help... you seem to be indirectly putting down a lot of people in the OP... and basically saying if you can't build a kernel from no source then you're not a developer... these people have jobs and lives, they don't have the time to make a kernel from nothing. The reason manufacturers are able to is because that is their job... that's what they do for hours a day, every day...
Anyways... try bugging the manufacturer for source... they have to release it or they are in violation of GLL (I think that's the name...) and they could get sued... as far as I know, due to Android being open source, kernel source must always be released.
Sent from my SGH-I997 using Tapatalk 2
It's GPL my friend.
But to answer OP's question, taking the Linux kernel and configuring it to boot on a phone/tablet takes a HUGE amount of effort and time. This is something that paid developers do for companies like HTC or Samsung. It usually requires a whole team of developers who work on it months, or even years before the release of the device. Even then, the developers still continue to improve on the kernel and the manufacturer can release an OTA update. I'm not saying that it's impossible, but it is a task that is definitely not worth it. It's just better to ask the company for the kernel sources.

Native Linux in an Atrix, possible?

My Atrix got its case cracked and the touch-screen display died, and given I already got a replacement phone I feel a bit adventurous. I wanted to see if I could build my own computer with what remains, so I wanted to run Linux natively (no Android). Given that there's a Linux 4 Tegra from Nvidia:
Is there a chance that I could build my own distro based on that?
Should I use another kernel (like the one currently used in gingerbread or CM7)?
Please note that I'm not trying to do webtop.
I thought of building my own handheld with the Atrix, or what remains of it. So any tips on how to get started would be great.
Cheers!
wrong section
ovitz said:
wrong section
Umm... what section would you suggest other than Q&A?
It was moved. Sorry 'bout that. I was under the impression that development questions were on the other forum...
"Android development" is in the description. I think they keep that forum just for Android-specific things, even though Android is just a flavor of linux.
tonglebeak said:
"Android development" is in the description. I think they keep that forum just for Android-specific things, even though Android is just a flavor of linux.
You're being way too literal. It's been used for all sorts of non-Android dev multiple times. Right now, Boot2Gecko is right there. The fact of the matter is that when it pertains to dev questions, this post would most likely be answered there. I'm pretty sure it'll die here on this forum with barely any useful answer, if at all.
The development section is mostly for things that are "in progress", ie. with "something to show". Questions, discussions and ideas go elsewhere.
As for your question, I believe I've seen a thread about this already, and quite recently too.
ravilov said:
The development section is mostly for things that are "in progress", ie. with "something to show". Questions, discussions and ideas go elsewhere.
As for your question, I believe I've seen a thread about this already, and quite recently too.
I've checked a few that I've found on the forum, but most had no answer and were about other devices. With regards to the Atrix or the Tegra, I've only found threads about webtop.
Not to argue about this too much, but I've seen threads that started with nothing in the dev section. Like the kernel porting project that started as a mere placeholder for the project. Point is, I've done my research and found no pointers to the questions I have. I made it in case another dev had an idea about it. I may have missed something, but that's why I asked in the first place. If I believed I had covered all grounds by myself, I wouldn't have asked in the first place.
Lugaidster said:
I've checked a few that I've found on the forum, but most had no answer and were about other devices. With regards to the Atrix or the Tegra, I've only found threads about webtop.
Not to argue about this too much, but I've seen threads that started with nothing in the dev section. Like the kernel porting project that started as a mere placeholder for the project. Point is, I've done my research and found no pointers to the questions I have. I made it in case another dev had an idea about it. I may have missed something, but that's why I asked in the first place. If I believed I had covered all grounds by myself, I wouldn't have asked in the first place.
What you're looking to do seems similar to this question: http://forum.xda-developers.com/showthread.php?t=2110161
The difference between the webtop and a stand alone installation of Linux won't be that different, mainly it would just be where on the device the OS is installed and how video is handled. That said, I'm not sure about the kernel, specifically the video drivers, since they're intended for Android and may not be compatible with X. AFAIK, Wayland is closer to Android than X is, but Wayland isn't quite ready.
Anyway, assuming you did succeed, what you would end up with would be less like a true desktop (as you'd be pretty much locked into a specific kernel, and therefore any packages limited by it, but it doesn't invalidate the effort), and more like a persistent live CD, since the OS would be installed to an area mounted as read-only (to prevent flash wear), with access to an area that has read/write access, like in Android where you store apps and user files. Overall, it could be fun if you enjoy a challenge and aren't intimidated by soldering and using the JTAG connector.
lehjr said:
What you're looking to do seems similar to this question: http://forum.xda-developers.com/showthread.php?t=2110161
The difference between the webtop and a stand alone installation of Linux won't be that different, mainly it would just be where on the device the OS is installed and how video is handled. That said, I'm not sure about the kernel, specifically the video drivers, since they're intended for Android and may not be compatible with X. AFAIK, Wayland is closer to Android than X is, but Wayland isn't quite ready.
Anyway, assuming you did succeed, what you would end up with would be less like a true desktop (as you'd be pretty much locked into a specific kernel, and therefore any packages limited by it, but it doesn't invalidate the effort), and more like a persistent live CD, since the OS would be installed to an area mounted as read-only (to prevent flash wear), with access to an area that has read/write access, like in Android where you store apps and user files. Overall, it could be fun if you enjoy a challenge and aren't intimidated by soldering and using the JTAG connector.
Actually, I might have to do soldering anyway. I'm not really intimidated by it and don't really care all that much for phone functionality and such. I'm not even interested all that much in X as my project is more towards transforming it into a handheld gaming (more like emu) device. I don't mind compiling software specifically for the system. The question is pretty low-level in that regard for me. I want to know if I have to do anything with regards to the kernel since it's specific to Android. Given that most emus I know that would run acceptably in a tegra 2 don't really need the GPU, I don't mind just using framebuffer so HW doesn't really interest me.
Lugaidster said:
Actually, I might have to do soldering anyway. I'm not really intimidated by it and don't really care all that much for phone functionality and such. I'm not even interested all that much in X as my project is more towards transforming it into a handheld gaming (more like emu) device. I don't mind compiling software specifically for the system. The question is pretty low-level in that regard for me. I want to know if I have to do anything with regards to the kernel since it's specific to Android. Given that most emus I know that would run acceptably in a tegra 2 don't really need the GPU, I don't mind just using framebuffer so HW doesn't really interest me.
Unfortunately, it's going to be one of those areas where you'll have to make an educated guess, since as far as we know, no one has successfully pulled off a straight Linux implementation on the device.
That said, nVidia does have both Android and Linux images for the Ventana dev kit, so it should be possible. In my case, I would compare the source code for their Linux kernel vs the stock Linux kernel vs their closest Android kernel vs the stock Android kernel. The biggest thing is how the device specific files translate from one kernel to another, because you'll likely need to translate the device specific files for the Atrix in the same manner. The changes may be subtle or they may be drastic. The main thing is to just be able to set the pins properly so you don't release any "magic smoke". Unfortunately, I see no source code for any of nVidia's kernels.
Anyway, that's how I would do it, but I do suspect that someone with more knowledge could find a much simpler approach and hopefully they'll chime in, but this part of the forums isn't the thriving hub of activity it used to be, so I don't know if that will happen any time soon or at all.
lehjr said:
nVidia does have both Android and Linux images for the Ventana dev kit
Atrix is a Whistler, not a Ventana.
http://forum.xda-developers.com/showthread.php?p=33289027#post33289027
ravilov said:
Atrix is a Whistler, not a Ventana.
http://forum.xda-developers.com/showthread.php?p=33289027#post33289027
Thanks for the heads up and the link! :highfive:

[Q] Audit of Root Exploits and Unofficial Bootloaders

Greetings XDA Forum,
This is a general question that should be in everyone's mind who might want to root a phone or tablet or any Android or other mobile OS device:
Is this root exploit or bootloader going to be spyware and collect any and all data of mine (login credentials, keylog my every character, account/bank numbers, identity information, use your evil imagination)?
So, I searched this forum for key words like "trust root" "secure root" "security" and found nothing related to this topic.
So, how am I to trust ANY of the root exploits or bootloaders created and posted to this forum for ANY device?
Have any of the developers developed an audit process using firewall rules to ensure that a posted root exploit or bootloader does not attempt to keylog, report captured information to some obscure IP address (thief/hacker's machine of course)?
Do any of these root exploits or bootloaders or custom unofficial builds of entire android (like Cyanogenmod and the 3rd party variants) get Security Audited?
How am I to believe that the whole lot of you making the root exploits and bootloaders are not a big community of identity thieves and financial fraudsters?
Am I just supposed to trust you?
Answer me that, folks
Aknor
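The "audit process using firewall rules" asked about above amounts to logging every outbound connection a freshly flashed build makes and checking the destinations against what the build's author documents. The script below is an added example written for this reply, not code from the thread or from any ROM project: it parses netfilter LOG-style lines (the format the `iptables -j LOG` target writes to the kernel log) and flags every destination that falls outside an explicit allowlist. The log lines, the 172.217.0.0/16 "documented endpoint" and the 192.168.1.0/24 LAN range are all constructed for the example.

```python
"""Flag outbound connections to destinations not on an allowlist.

Added example: parses netfilter LOG lines and reports unexpected egress.
Sample log and allowlist are constructed, not taken from any real device.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of what a rooted device might log during first boot
# with `iptables -I OUTPUT -j LOG` in place (addresses are documentation ranges).
SAMPLE_LOG = """\
OUT=wlan0 SRC=192.168.1.23 DST=192.168.1.1 PROTO=UDP SPT=40219 DPT=53 LEN=52
OUT=wlan0 SRC=192.168.1.23 DST=172.217.3.110 PROTO=TCP SPT=51231 DPT=443 SYN
OUT=wlan0 SRC=192.168.1.23 DST=172.217.3.110 PROTO=TCP SPT=51232 DPT=443 SYN
OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.77 PROTO=TCP SPT=51240 DPT=8080 SYN
OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.77 PROTO=TCP SPT=51241 DPT=8080 SYN
OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=UDP SPT=41000 DPT=4444 LEN=300
"""

# Matches the DST, PROTO and DPT fields wherever they sit on the line, so a
# kernel timestamp or --log-prefix in front of them does not matter.
LINE_RE = re.compile(r"DST=(?P<dst>\S+)\s.*?PROTO=(?P<proto>\S+)\s.*?DPT=(?P<dpt>\d+)")


def parse_log(text):
    """Yield (dst_ip, proto, dport) for each line carrying DST, PROTO and DPT."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("dst"), m.group("proto"), int(m.group("dpt"))


def find_unexpected(log_text, allowed_networks):
    """Count connection attempts whose destination is outside every allowed netblock.

    allowed_networks: your own LAN plus the endpoints the ROM author documents
    (update server, app store). Anything else is worth an explanation.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = Counter()
    for dst, proto, dport in parse_log(log_text):
        addr = ipaddress.ip_address(dst)
        if any(addr in n for n in nets):
            continue
        flagged[(dst, proto, dport)] += 1
    return flagged


def report(flagged):
    """Render the flagged destinations as text lines, most frequent first."""
    return [f"{n:3d} x {dst} {proto}/{dport}"
            for (dst, proto, dport), n in flagged.most_common()]


if __name__ == "__main__":
    # Allowlist is constructed: the LAN and one hypothetical documented endpoint.
    for line in report(find_unexpected(SAMPLE_LOG, ["192.168.1.0/24", "172.217.0.0/16"])):
        print(line)
```

On a rooted device the lines come from `dmesg` after inserting a LOG rule in the OUTPUT chain, which only works when the kernel was built with the netfilter LOG target; a build that lacks it needs a capture on the Wi-Fi router instead. A hit on this list is not proof of anything malicious, it is the starting point for asking which process opened the socket.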
I've never seen any root exploit that did as you say, if you're concerned pick apart the code and look for this, I've never seen anything of the like
As for bootloaders, there are very few devs that actually make or tweak bootloaders as a misstep will nearly for certain result in a brick. Almost every bootloader you will find is made by the OEM, if it's not, again feel free to pull apart the code and look for an issue, but I doubt it as this is far more advanced than most will ever become
As for custom ROMs, well this is the most possible out of all your worries, but again most ROM chefs here are not capable of inserting malicious code, and if it's an official build of a major team (cm, aokp, slim, etc) you are damn near 100% certain there is no issue, as for random ports made in the former USSR by KGB spies, well just don't flash their ROM and you'll be fine
But of course no one is forcing you to root your phone, flash their bootloader, or download their ROM, so if you're the paranoid type just get an iPhone, at least they're upfront about most of their evil ways
Sent from my Nexus 4 using xda premium
demkantor said:
I've never seen any root exploit that did as you say, if you're concerned pick apart the code and look for this, I've never seen anything of the like
As for bootloaders, there are very few devs that actually make or tweak bootloaders as a misstep will nearly for certain result in a brick. Almost every bootloader you will find is made by the OEM, if it's not, again feel free to pull apart the code and look for an issue, but I doubt it as this is far more advanced than most will ever become
As for custom ROMs, well this is the most possible out of all your worries, but again most ROM chefs here are not capable of inserting malicious code, and if it's an official build of a major team (cm, aokp, slim, etc) you are damn near 100% certain there is no issue, as for random ports made in the former USSR by KGB spies, well just don't flash their ROM and you'll be fine
But of course no one is forcing you to root your phone, flash their bootloader, or download their ROM, so if you're the paranoid type just get an iPhone, at least they're upfront about most of their evil ways
Sent from my Nexus 4 using xda premium
Okay, I can see that on the boot loaders, but more than just a few make the root exploits and custom builds of cyanogen or android for many, many devices. So, how am I to pick apart the code of these projects when they do not provide the source code for the builds? How would I even trust those builds after they are built? They could slip some malicious code in that they intentionally do not show in the public repository for the code and no one would ever know.
Sure this sounds very paranoid, but no one has really answered how or if at all any of these builds of unofficial android or cyanogenmod or the root exploits or the bootloaders can/would be tested for malicious code.
Think of it, something as small and innocuous as a keylogger with a simple, non threatening name, and all the while, it logs your every username and password, credit card number, 3-digit security code, bank account numbers, anything. How bad would that be, eh?
And you're not concerned these builds/exploits are not somehow security audited and we're all just supposed to trust them like blind sheep?
As more and more of these get built, it's only a matter of time before someone slips something like this into their build to take advantage of all those people who want to root their phone/tablet, or put an unofficial build of android on their device. Shame on that person who does it, of course, but to think somehow we could have audited the software and found out as a matter of course?
-- Aknor
Well there aren't that many root exploits and depending on the device you will be changing most if not all firmware and software directly after exploiting, but again just look at the code before you use it
As for keylogging etc from flashing a ROM, you would be surprised how many OEMs actually have some things that many would consider malicious and or a breach of privacy.
As for a worry about flashing a custom ROM with bad code just stick to official builds or mod your own ROMs, no one is forcing you to flash anything in particular. But there are apps that are meant to look for malicious code. Feel free to use these to help protect you
I have flashed oh so many ROMs over the past 4 years or so and have never seen anything malicious, but I flash a lot of my own source built ROMs and mostly use ROMs on the higher end which tend to be from trusted sources such as recognized developers and people I work with. Also I'm not a paranoid person so I don't look into this sort of thing much, this means unfortunately I can't really give you much more than this
But best of luck to you and happy flashing!
Sent from my Nexus 4 using xda premium
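The worry raised earlier in this thread, that a ROM builder could slip something into the binary that is not in the public repository, has a standard defender's answer: build the same source yourself and diff the two archives entry by entry, then look first at anything new or changed under the privileged system directories. The script below is an added example written for this thread, not code from the thread or from any ROM or CyanogenMod project. It hashes every file in two flashable zips and reports entries that were added, removed or modified; both archives, their paths and their contents are tiny constructed stand-ins, and the list of directories to review first is the author's assumption about a typical `system/` layout.

```python
"""Diff a distributed ROM zip against a local build of the same source.

Added example: per-entry SHA-256 comparison of two flashable zips, with a
triage step that surfaces new or changed files in privileged directories.
Both archives below are constructed in memory; real ones come from disk.
"""
import hashlib
import io
import zipfile

# Assumed layout of a flashable zip; adjust to the device's actual partitions.
REVIEW_FIRST = ("system/bin/", "system/xbin/", "system/priv-app/", "system/etc/init.d/")


def sha256_entries(zip_bytes):
    """Map every file entry in the archive to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_builds(reference_zip, distributed_zip):
    """Return sorted lists of paths that were added, removed or modified
    relative to the reference (locally built) archive."""
    ref = sha256_entries(reference_zip)
    dist = sha256_entries(distributed_zip)
    return {
        "added": sorted(set(dist) - set(ref)),
        "removed": sorted(set(ref) - set(dist)),
        "modified": sorted(p for p in ref.keys() & dist.keys() if ref[p] != dist[p]),
    }


def triage(report):
    """Differences a reviewer should open first: new or changed files in
    directories whose contents run as root or with system privileges."""
    return [p for p in report["added"] + report["modified"] if p.startswith(REVIEW_FIRST)]


def build_zip(entries):
    """Fabricate an in-memory zip from {path: bytes}; only used for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample archives: a local build and a "downloaded" one.
REFERENCE_BUILD = build_zip({
    "META-INF/com/google/android/updater-script": b"mount(...)\n",
    "system/build.prop": b"ro.build.display.id=example-build\n",
    "system/bin/sh": b"ELF-stand-in-for-shell",
    "system/app/Calendar.apk": b"PK-stand-in-apk",
})
DISTRIBUTED_BUILD = build_zip({
    "META-INF/com/google/android/updater-script": b"mount(...)\n",
    "system/build.prop": b"ro.build.display.id=example-build\n",
    "system/bin/sh": b"ELF-stand-in-for-shell",
    "system/app/Calendar.apk": b"PK-stand-in-apk-with-different-bytes",
    "system/xbin/ime_helper": b"ELF-stand-in-not-in-source-tree",   # hypothetical extra file
})


def example_report():
    """Run the comparison on the constructed sample."""
    return diff_builds(REFERENCE_BUILD, DISTRIBUTED_BUILD)


if __name__ == "__main__":
    rep = example_report()
    for kind in ("added", "removed", "modified"):
        for path in rep[kind]:
            print(f"{kind:8s} {path}")
    print("review first:", triage(rep))
```

Expect noise on a real pair of builds: APKs re-signed with different keys, build.prop timestamps and anything the build embeds a date into will show as modified even when nothing is wrong, so the useful output is the set of differences the builder cannot explain, and in particular any file under `system/bin`, `system/xbin` or `priv-app` that does not exist in the source tree at all.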

Ready for some WAVES...

There's something that was pointed out to me by a new friend, that I had to vent about.. so HERE IT IS!!!
Why are some people too good to hang out in their threads and answer questions about the builds they post???
It seems to me that it builds credibility, to help the people using your build, so why not hang out and answer questions, address issues, help finding solutions, offer advice... BE HUMAN
Sure it's great that new builds are being pushed out constantly... BUT IF YOU'RE NOT TALKING TO THE PEOPLE RUNNING THE CURRENT ONE AND EXPERIENCING PROBLEMS WHAT GOOD IS IT????
Step down from the clouds, and walk barefoot on the grass with the rest of us.. it's cool and refreshing on your feet
WOW Man..
pitbull8265 said:
There's something that was pointed out to me by a new friend, that I had to vent about.. so HERE IT IS!!!
Why are some people too good to hang out in their threads and answer questions about the builds they post???
It seems to me that it builds credibility, to help the people using your build, so why not hang out and answer questions, address issues, help finding solutions, offer advice... BE HUMAN
Sure it's great that new builds are being pushed out constantly... BUT IF YOU'RE NOT TALKING TO THE PEOPLE RUNNING THE CURRENT ONE AND EXPERIENCING PROBLEMS WHAT GOOD IS IT????
Step down from the clouds, and walk barefoot on the grass with the rest of us.. it's cool and refreshing on your feet
Could not have said it better.... You hit the nail right on the head.. People respect those who back their work with support:good::good::good:
This DOES seem to be in SHORT reserve.. WELL STATED
Impressive
I have noticed this too.. It's like these people are too GOOD for Q&A and sometimes even respond to questions like they are PETTY and an inconvenience.. There ARE some who DO help, and those people deserve to know they are appreciated.. You in particular, have helped me a ton, so thanks.. Maybe you'll start a movement, and more people will start doing their part to help their followers...
+1
There is a SERIOUS shortage of helpers and an overage of shovelers
All these builds keep coming, and still the same problems on the one they put out before with a different NAME for the ROM.. It's like they changed the name and recycled it..
I read through threads now, and if the OP doesn't hang out and help their users, I won't use their builds anymore.
Couldn't agree more!! Nicely said too
Be proud of your work.. Stick around and make sure people can..ya know, enjoy it too..
It's quality not quantity that matters. Stepping on other teams and developers to rush something out just to say "FIRST" will get you no where.. So while timely updates are important, if that's the only thing you post in your own thread.. "New build is up" when there's been 10 pages of people asking questions... I'll never support you, both publicly or financially.
I understand new enthusiasts can be quite frustrating or maybe you just aren't a people type of person.. team up with someone that is... pass the q&a on to them, but do fricking something, people want support for YOUR roms and if you put out 20..that means all 20.
Exactly, how dare these developers not spend any time in the forums answering the same useless non-informative questions over and over. How dare they spend countless hours building a ROMs for free and then share it for others to use. How dare they spend time with their families and go to their actual job and have a life. How dare they….. (/sarcasm)
mapatton82 said:
Exactly, how dare these developers not spend any time in the forums answering the same useless non-informative questions over and over. How dare they spend countless hours building a ROMs for free and then share it for others to use. How dare they spend time with their families and go to their actual job and have a life. How dare they….. (/sarcasm)
Yea, I'm somewhere between this and the op. They shouldn't be 100% absent, but on the same note, some consideration for the above quote is in order too.
While we're venting, it's possible the devs haven't figured out how to fix some of these issues, but it doesn't do a damn bit of good for 50 people to complain about the same thing and no one is posting logcats. So don't complain about things not getting fixed if you're not attaching logs to every post about issues.
Just my 2c, add 97c more and go buy a cheeseburger.
Sent from my G3, Unlocked by Team Codefire
mapatton82 said:
Exactly, how dare these developers not spend any time in the forums answering the same useless non-informative questions over and over. How dare they spend countless hours building a ROMs for free and then share it for others to use. How dare they spend time with their families and go to their actual job and have a life. How dare they….. (/sarcasm)
Then why put out 20 instead of 1 that they can handle is the point!!
Variety is the spice of life. I'd rather have 20 that will get fixed eventually than just 1 that works perfectly. If they are all too similar for you then just move on to another one, build your own, or just wait for fully featured lollipop which will be here soon enough. If a thread is maintained or not - I'm just happy to have a thread. A couple devs have walked away already and it'd suck if more left. Just be grateful for what we've got and be patient.
Kris Nelson said:
Then why put out 20 instead of 1 that they can handle is the point!!
The same person is not releasing 20 different versions. Also, most are all based off of the AOSP core source, but each dev might add their own touch/flare to it. But, since each one is based off of AOSP, then more than likely, they will all have the same issues, unless the dev has made some changes.
I'd rather have a lot of choices than none. Believe me, when there is NO dev support (that is, a lot of ROMs being released), then you get even MORE whining of "Why isn't there any ROMs/dev support for this?"
Maybe you're not a dev, but I am (not for ROMs but that is my full-time job). Development takes a lot of time. I do it at work and to do it at home as well, especially for something that is free, takes a lot of time and dedication. Especially, ROM development is NOT an easy task. Rebuilding ROMs takes at least 90 minutes or more, depending on the speed of your machine, the size of the source code, etc. Heck, I've pulled down the git for CM12 and it's 12gb in size (source code only, not compiled) and it took hours to download over my high-speed internet connection at home.
I can understand wanting support if you PAID for it, but this is free, people. Free. They don't ask for anything in return monetarily, and yet, we see people demanding support as if they paid for it. You get what you pay for, and in this case, it's free. But I feel the support most devs give is very good, considering it's free. Also, for things like CM, it's usually not just one dev, but several who have responsibilities for different parts of the Android code base. So, just because one guy posts about it, doesn't mean he's the only dev on it. He might be sending your findings back to the other devs.
Also, you DON'T have to flash these custom ROMs. They all have disclaimers that the dev is not responsible for any damages that may occur to your phone. They don't guarantee support, but it's there for you to use. However, who is to say they aren't monitoring the forums? Just because they don't respond, doesn't mean they aren't looking into the issues you report.
Yes, I understand how you want a response from them, but in the end, it is your choice whether you want to flash or not. They didn't twist your arm to do it.
Keep posting your defects. Most devs, the good ones, do monitor the forums and take note of the issues. However, they know about other major issues that they are probably trying to work on. Again, for most, it is done in their spare time.
I myself would like to build and release ROMs, but right now, I don't have the time. It's not just "make a change, compile, release". There is a lot of researching, debugging, etc that must go on. Those that are programmers understand this. And, once you fix a bug, you don't just go and release it (under normal circumstances). You have to go through a complete testing cycle, retesting previous tests along with any new tests to ensure you didn't break something else. It's not that simple.
However, with these free releases, WE are the testers. WE are the ones that report back the issues so they can be addressed. Post them here, or even some devs have Twitter pages where you can post defects. Not all, but some.
In the end, be thankful you have so many choices. Yes, it may seem as if they are all the same, and in some cases they are and some are from people who just want to say "look I released a ROM" and then you never hear from them again. But, in the case of XDA, to post about a ROM in the dev forum, I believe you have to be an identified developer, so they do have to go through some vetting process. So, more than likely, they are legit developers, not a fly-by-night person.
Just wanted to get that off my chest. I understand what people feel, but you have to understand, this is not an easy thing to do. Maybe a lot of you understand that, but I find that a lot don't. Or, they say they understand, when they really don't. They just "think" they understand.
Wow. Off the soapbox. It just burns me as a developer when I see things like this. Yes, I understand where you are coming from, but sometimes, I think you need to hear it from the other side as well.
Ciao!
If you're a good parent, when you bring a child into this world, you raise it, and nurture it... creating it is not enough...
noun
1.
the act or process of developing; growth; progress:
iBolski said:
The same person is not releasing 20 different versions. Also, most are all based off of the AOSP core source, but each dev might add their own touch/flare to it. But, since each one is based off of AOSP, then more than likely, they will all have the same issues, unless the dev has made some changes.
I'd rather have a lot of choices than none. Believe me, when there is NO dev support (that is, a lot of ROMs being released), then you get even MORE whining of "Why isn't there any ROMs/dev support for this?"
Maybe you're not a dev, but I am (not for ROMs but that is my full-time job). Development takes a lot of time. I do it at work and to do it at home as well, especially for something that is free, takes a lot of time and dedication. Especially, ROM development is NOT an easy task. Rebuilding ROMs takes at least 90 minutes or more, depending on the speed of your machine, the size of the source code, etc. Heck, I've pulled down the git for CM12 and it's 12gb in size (source code only, not compiled) and it took hours to download over my high-speed internet connection at home.
I can understand wanting support if you PAID for it, but this is free, people. Free. They don't ask for anything in return monetarily, and yet, we see people demanding support as if they paid for it. You get what you pay for, and in this case, it's free. But I feel the support most devs give is very good, considering it's free. Also, for things like CM, it's usually not just one dev, but several who have responsibilities for different parts of the Android code base. So, just because one guy posts about it, doesn't mean he's the only dev on it. He might be sending your findings back to the other devs.
Also, you DON'T have to flash these custom ROMs. They all have disclaimers that the dev is not responsible for any damages that may occur to your phone. They don't guarantee support, but it's there for you to use. However, who is to say they aren't monitoring the forums? Just because they don't respond, doesn't mean they aren't looking into the issues you report.
Yes, I understand how you want a response from them, but in the end, it is your choice whether you want to flash or not. They didn't twist your arm to do it.
Keep posting your defects. Most devs, the good ones, do monitor the forums and take note of the issues. However, they know about other major issues that they are probably trying to work on. Again, for most, it is done in their spare time.
I myself would like to build and release ROMs, but right now, I don't have the time. It's not just "make a change, compile, release". There is a lot of researching, debugging, etc that must go on. Those that are programmers understand this. And, once you fix a bug, you don't just go and release it (under normal circumstances). You have to go through a complete testing cycle, retesting previous tests along with any new tests to ensure you didn't break something else. It's not that simple.
However, with these free releases, WE are the testers. WE are the ones that report back the issues so they can be addressed. Post them here, or even some devs have Twitter pages where you can post defects. Not all, but some.
In the end, be thankful you have so many choices. Yes, it may seem as if they are all the same, and in some cases they are and some are from people who just want to say "look I released a ROM" and then you never hear from them again. But, in the case of XDA, to post about a ROM in the dev forum, I believe you have to be an identified developer, so they do have to go through some vetting process. So, more than likely, they are legit developers, not a fly-by-night person.
Just wanted to get that off my chest. I understand what people feel, but you have to understand, this is not an easy thing to do. Maybe a lot of you understand that, but I find that a lot don't. Or, they say they understand, when they really don't. They just "think" they understand.
Wow. Off the soapbox. It just burns me as a developer when I see things like this. Yes, I understand where you are coming from, but sometimes, I think you need to hear it from the other side as well.
Ciao!
Thank you.. Just to correct you though.. There ARE the same persons that are putting out 20 different versions (1 developer releasing 20 different roms.) That was just the point I was making..
I do personally research before I ever flash a rom or anything..and trust me I donate!! LOL
Kris Nelson said:
Thank you.. Just to correct you though.. There ARE the same persons that are putting out 20 different versions (1 developer releasing 20 different roms.) That was just the point I was making..
I do personally research before I ever flash a rom or anything..and trust me I donate!! LOL
I see who you are talking about. If you read the OP, at the bottom, he gives thanks to the devs on these ROMs. I don't think he's a developer at all. At least, his profile doesn't say so. I think he just finds all these ROMs and posts links to them. I could be wrong, and I apologize if I am if that person is reading this thread, but I don't see where the OP of the 5+ ROM threads is the actual developer for them. It's almost like he does the "announcing" for the devs of those ROMs.
And since it does appear that you do not have to be a developer to post in the standard DEV forum, then that makes even more sense.
I do know that in another forum I frequented a lot, you were given developer status and only developers could create new threads in the DEV/ROM forum. That was to prevent a lot of "spam" postings of ROMs.
Makes me wonder if that's what is happening here.
iBolski said:
I see who you are talking about. If you read the OP, at the bottom, he gives thanks to the devs on these ROMs. I don't think he's a developer at all. At least, his profile doesn't say so. I think he just finds all these ROMs and posts links to them. I could be wrong, and I apologize if I am if that person is reading this thread, but I don't see where the OP of the 5+ ROM threads is the actual developer for them. It's almost like he does the "announcing" for the devs of those ROMs.
I wish you were correct but nope, he is the builder and maintainer. Trust me many more than 5+ when you include other carriers as well.. But not just the one, others have started as well... It's very frustrating that after 1 week, several messages of a very specific problem (not mine, just someone I was helping) on different sites where they are posted.. I have to track down someone that I know can help but has NOTHING to do with any of these roms...and gets zippy cash.. Though he should..lol
Anyway, I truly value great developers and have learned who to support and who not to. I like to help people so the developers can build awesome stuff and it's my way of keeping the simple crap off your plate so you can do just that..but when I can't even find the answer, the developer should be available.
Just saw your edit.. Yes I think that is happening too. I was always under the assumption that builders/maintainers did so for the actual device and carriers they use.. I guess that's no longer the case.
Oadam11 is a builder of various roms for our G3's from source repositories available for anyone to build from, and anyone to commit to. He may or may not be doing any commits/merge requests - and even if he did those contributions might not be accepted into the various G3 forks.
In any case, he might not be in a position to contribute to feature requests or bug fixes. He might not be running his own builds of all these roms, past checking to see if they will boot and more or less work.
Say Team Vanir does a fork of their work for the G3, an official one. Ok, then you would ask for support from members of Team Vanir, sure, though you might not get much, depending on a lot of factors (including your attitude...) Then consider the possibility that someone just builds something like Commotio from publicly available sources, with just enough tweaks from somewhere to get it to compile and run, unofficially, on one or more G3 variants. I suspect that is where oadam11 is coming from. He doesn't create the roms, he builds them for G3's. He watches the repositories for each rom he has built for us, and when he sees that rom's devs have checked in and merged useful updates, then he rebuilds for us when he has time. Builds take a while. Then he makes them available for us users to download and install them, after some degree of testing.
The point is that he is in no way responsible for supporting the builds he produces of these team's work. It would be impossible for him to anyway. I am sure he gets permission and some degree of cooperation from any team project he builds from, but he is NOT a team member, or major contributor, for all of them. He is a noble builder and distributor, and you should expect nothing more from him than What he is already providing.
If you want to get a problem or new feature dealt with on any given rom, you must deal with the team's source contributors by raising issues on their gerrit or maybe working on an outstanding and team-prioritized bug as a contributor.
Sent from my VS985 4G using Tapatalk
Thank you..you actually confirmed the point I was making. However, is the average person going to know all this? Of course not...should they do their research prior, of course, but they don't... I see good teams being hurt by this as well.. Vanir just had an issue the other day.. Something is being lost in translation and by no means was I only referring to Adam.
I understand. It is interesting that in G+ just a little while ago someone asked David Kessler of Team Vanir who was their maintainer of the G3 Vanir and he replied that they don't have one.
There was also discussion about someone providing support, like answering questions. The idea of supporting a clueless user who had tried to flash TouchWiz onto a Vanir device, by beating the user over the head with an iPhone6+ was suggested. The devs have no patience with such users, generally.
That said, Holy Angel seems exceptional.
Sent from my VS985 4G using Tapatalk
The problem I have, is that when a person POSTS a Rom, and are the OP, they need to support what they post, and help the people posting questions in the thread, or BOW OUT!!! There are people posting and dumping... DON'T Post a ROM if you're not willing or able to help the team you are Posting links to... Don't post it and then say "Any problems, contact THEM"
THAT PERSON mentioned, has a lot of them, all as OP, none supported other than.."New build up"
Raising the age limit for COPPA
The amount of entitlement exhibited in this thread is phenomenal. Yes, by all means don't use a build if the developer (who has actually done some REAL WORK) won't support you to your liking.
That will really teach those mean developers a lesson.
Don't forget to complain about the slow speeds of free downloads as well.
It's also a good idea to stop using a build if the developer won't add features you want, and soon, too.
DeanGibson said:
The amount of entitlement exhibited in this thread is phenomenal. Yes, by all means don't use a build if the developer (who has actually done some REAL WORK) won't support you to his/her liking.
That will really teach those mean developers a lesson.
Don't forget to complain about the slow speeds of free downloads as well.
It's also a good idea to stop using a build if the developer won't add features you want, and soon, too.
Just because you want a feature, doesn't mean it's a good feature to add. If you did that, you would end up with something that could eventually become impossible to maintain.
There are SO many bugs right now in the AOSP code that these devs are trying to fix to make it work on this phone. I would rather those get fixed first.
And, do you think you are the only one to ask for features?
I'm a developer, not for android, but I write code for a living. And what you are asking for is what we call "scope creep". We have to weed out the "must haves" from the "wants". Must haves are the things that the user must have in order to perform their job. This is usually adding functionality that isn't there currently that is needed to complete their job. The "wants" are "I would like to have the ability to clear out all background apps with a single button or swipe". That is NOT needed on this phone, but it's a nice "to have" option, but it doesn't affect the overall performance of the OS itself. Yes, you might say it does because you can clear out the background apps, but in reality, those apps are NOT running. I don't want to get into the specifics of android app management, but those apps you see in the "recent apps" history are NOT running. They are suspended and not taking up ANY CPU cycles, what-so-ever. If they happen to be, then it's a poorly written app, and it means the dev knowingly circumvented the Android OS app management process which is a big no-no. In that case, you should go back to the dev of the app and demand they fix that.
But, you are free not to install the ROM. That's fine and that's your choice, but it just irks me when I see people make complaints like this who probably have no idea what the software development life cycle is all about. To me, fixing bugs right now is the main issue, not adding pretty enhancements to the OS.
And who's to say they aren't working on what you ask, especially if you ask for fixes to major issues (such as battery life, radio, etc)?
Remember, these are UNOFFICIAL releases. They are based off of AOSP source which is pretty much device-agnostic except when it comes to Nexus devices since those are Google devices and therefore, the AOSP source is built for those type of devices.
Android is completely different from iOS. iOS is built for a set of hardware that doesn't have much variance like Android does. Hence, that is why Apple controls both the software AND the hardware of iPhones. It means less fragmentation across devices, but it also means, they decide what is best and you have no way of getting the source.
Google releases the source for Android so you CAN have these custom ROMs built. But, because one Android device has a different hardware configuration from another (CPU and GPU's being the biggest ones), then anything that can take advantage of the hardware architecture for a particular phone means having to change the AOSP source to use any of those "advantages" from that hardware. Which then means, that source no longer works on other phones, only for the phone they modified it for.
So, give the devs some slack, please. They are working hard on it and it's not one dev. If it were, then give the guy even MORE slack. The source for Android is over 12gb alone. That is where it's not even compiled. And, compiling the android source generally takes about 90 minutes. So, each "fix" they do requires recompiling (90 minutes) and then testing.
Then, more than likely, the "fix" either didn't work or it possibly broke something else. That means, going back, determining the issue, fixing it, recompiling (wait another 90 minutes) and test again.
That all takes time, people. We developers are NOT magicians, even though it might seem like it.
So, try to imagine trying to fix all the big bugs that you know about, then have to come here, read through ALL the posts and then log those requests down, prioritize them based on all the other work you have, make those changes, recompile, test, etc. It's not easy and it gets frustrating. But believe me, when we do fix an issue or are able to give the users what they want, we get an extreme amount of satisfaction knowing that we were able to satisfy the "customer".
So please, be careful what you state about devs. Those that do read here usually have thick skins, but complain enough, and they might just quit and then you have nothing.
I understand where people are coming from, but you've been blaming the devs when it's not their fault. Again, the android source is huge and it takes more than one person to work on it. Especially if they are responsible for more than one device. Some devs are working on source for more than just this phone. So, add that to what I already stated and hopefully, you can begin to understand what the devs are going through.
