The highly-popular alternative Android ROM known as Cyanogen Mod has been discovered to log lock-screen swipe gestures, according to developer Gabriel Castro. Cyanogen Mod, one of the most spectacular developments of alternative ROMs for Android phones, runs on more than 2.5 million devices worldwide.
Cyanogen Mod 9 Lockscreen. The unlock pattern gets logged locally
The committed code on the projectâ€™s space on GitHub, has one line that escaped initial review and managed to get into the official distribution.
â€œI’m really surprised nobody caught this,â€ wrote the developer in the commit log. Fixing the issue did not require extra patching, as the one-liner got simply commented. â€œThis could also be solved by commenting the code out or just removing the line without breaking anything.â€
The offending line of code that got axed.
The line of code that caused the issue got snuck into the project in early August when the fixed 3Ã—3 grid format for the lockscreen pattern was modified to automatically scale size by adding a PATTERN_SIZE variable. Recording these unlock patterns are similar to logging passwords or unlock PIN numbers, but has not been exploited in the wild. However, simply having these details logged on the PC may expose the user to unnecessary security risks.