The details behind CM Account
Technical Details on +CyanogenMod Device Finder

The new +CyanogenMod Device Finding service creates a secure connection between your browser (JavaScript) and your phone.

The server never has your password. Your authentication is a derived password.
A public key is generated in the browser and HMAC'd with the actual password (which is unavailable to the server).
On a device find request, the Android device receives this public key and validates that it is authentic, as the Android device also has the same underived, original password.
The Android device sends back an encrypted symmetric key using the public key.
The server cannot decrypt the symmetric key, as it does not have the private key.
The browser receives the encrypted payload, and decrypts the symmetric key.

The browser and phone at this point have a secure communication channel, and both sides have authenticated each other. The server is not capable of listening in. It merely provides a transport.
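
The exchange described above, sketched as an added example for Node.js (not the CM Account code). RSA-OAEP, HMAC-SHA256, AES-256-GCM and all function names are assumptions chosen for illustration; the post does not name the primitives.

```javascript
// Added illustration: primitives and names are assumptions, not the project's code.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Browser: generate a key pair and tag the public key with the real password.
function browserCreateRequest(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pubDer = publicKey.export({ type: 'spki', format: 'der' });
  const tag = crypto.createHmac('sha256', password).update(pubDer).digest();
  return { privateKey, request: { pubDer, tag } }; // only `request` leaves the browser
}

// Device: verify the tag with its own copy of the password, then wrap a fresh key.
function deviceRespond(request, password) {
  const expected = crypto.createHmac('sha256', password).update(request.pubDer).digest();
  if (request.tag.length !== expected.length || !crypto.timingSafeEqual(request.tag, expected)) {
    return null; // key was not tagged by someone holding the password
  }
  const sessionKey = crypto.randomBytes(32);
  const pub = crypto.createPublicKey({ key: request.pubDer, format: 'der', type: 'spki' });
  const wrappedKey = crypto.publicEncrypt({ key: pub, ...OAEP }, sessionKey);
  return { sessionKey, wrappedKey }; // only `wrappedKey` is sent back via the server
}

// Browser: recover the session key with the private key that never left it.
function browserUnwrap(privateKey, wrappedKey) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
}

// Either end: authenticated encryption of a command or reply under the session key.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Relay that swaps in its own public key: it cannot recompute the tag without the password.
function relaySubstitutesKey(request) {
  const { publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { pubDer: publicKey.export({ type: 'spki', format: 'der' }), tag: request.tag };
}
```

The server in this sketch only ever handles `request`, `wrappedKey` and the sealed messages, which is why a substituted public key is rejected by the device.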

The browser then requests the device location (or requests a wipe) through this secure channel.

The result? As seen in Firebug below, the data sent through the server is completely opaque.

This is how device finding should be done. You cannot trust that a service will never be compromised. You can never trust that a service will not be subject to the will of a government request.

You can only trust that your data was secure from the service itself.

The code is up on GitHub, and a review from outside parties is highly encouraged.