Shared publicly  - 
 
The details behind CM Account
 
Technical Details on +CyanogenMod Device Finder

The new +CyanogenMod Device Finding service creates a secure connection between your browser (javascript) and your phone.

The server never has your password. Your authentication is a derived password.
A public key is generated in the browser, and hmac'd with the actual password (unavailable to the server).
On a device find request, the Android device receives this public key, and validates it is authentic, as the Android device also has the same, underived/original, password.
The Android device sends back an encrypted symmetric key using the public key.
The server can not decrypt the symmetric key, as it does not have the private key.
The browser receives the encrypted payload, and decrypts the symmetric key.

The browser and phone at this point have a secure communication channel, and both sides have authenticated each other. The server is not capable of listening in. It merely provides a transport.

The browser then requests the device location (or requests a wipe) through this secure channel.

The result? As seen in firebug below, the data sent through the server is completely opaque.

This is how device finding should be done. You can not trust that a service will never be compromised. You can never trust that a service will not be subject to the will of a government request.

You can only trust that your data was secure from the service itself.

The code is up on github, and a review from outside parties is highly encouraged.
777
122
Alessio Moscatello's profile photoRobert Koch's profile photoRobert Marcano's profile photoGerry Rauch's profile photo
93 comments
 
I'll continue to support you guys, I've been with CM since CM 6.
 
How do we sign in in our devices?
 
So this is more secure then Google's Android Device Manager?
 
Anyone can tell me if Google's one ia this secure or it doesn't like the others?
 
+Ricardo Varela The point is the Google one has implicit trust of Google. Which is pretty much ok for me since they already have all my email data this additional exposure is pretty irrelevant.
 
Is it known how Google's solution works? Would be nice to see a comparison in terms of security but nonetheless you guys are awesome and cm gets more and more awesome with every feature. 
 
By the time cm 10.2 is released, there's going to be so many new features.. I love cm.
 
What's functionally better about this than Google's solution? Better security is nice, I guess, but their security is already pretty damned good, like enough for this sort of stuff anyways. I'm looking forward to trying yours and appreciate the effort, but it seems kind of redundant.

And is this a Nemesis project? Whatever happened to that stuff beyond Focal, which only works on a handful of devices?
 
+Bill Puckering ours doesn't come with mining your data to sell you ads. 

This is unrelated to Nemesis, as that project's goal is to address the in-OS polish. 
 
OMG this is awesome, are you also panning on doing an app store?? that would be awesome to.
 
That's a great 1st step. Are you planning on being able to track/locate/wipe a phone that doesn't have a data connection though? Via SMS commands?
 
Need to add remote picture taking. If someone steals your device, it would be nice to take a pic of them holding it for evidence to give to the police. Location data can't prove who has your phone, with location often times being off by a few houses. Having that picture will remove any doubt if the location data is correct or not and that the person actually has your phone.
 
+Joe Mays I've been thinking about adding this feature. It will probably make an appearance eventually. It is definitely on my hit list.
 
+Chris Soyars good to hear. I use Lookout because it has that option, and like to think that they listened to me when I requested it 6 months before they added it lol.
 
your security model sounds cool, but I'd really rather run the server side myself - its still a single point of possible multiple failure, baked into the os.
 
(meant to include) ... the Not having this sort of thing was one of my favourite features of cyanogenmod
 
+joseph barrows That is completely fine.  If you don't want to use any of the features provided by CyanogenMod Account, the solution is to simply not create an account. 
 
Until there is a standalone application instead of a web page, the server can still be compromised and serve JavaScript that sends your information to a third party, nobody will inspect the JavaScript code to validate is trusted every time they load the page
 
+Chris Soyars how can I be sure? apart ofcourse from picking through all the sourcecode and compiling it myself (as I do ofcourse for all other oss ;). playing devils advocate here but I know google can haz all my data, but they probably also haz large security staff on their servers. cm was my release from google (verb, not noun), now I can't be sure, it may create a default (just.in
case.you.forgot.to.create.one.and.now.your.phone.is.missing) account. how would I know?
ps. I love the work CM do, just think this is a step in the wrong direction.
 
+joseph barrows You just explained how you can be sure.  Our code for the device-side of this feature is completely open.  You can view it at http://github.com/CyanogenMod/android_packages_apps_CMAccount.

Sure, Google has a large security staff.  They also store your location on their servers.  We do not.  That is the point of our service over theirs.

You are using Google+, however the source for the Google+ Android application is not open source.  Because you are using Google+, I assume you are also using other Google services, and currently have a device that is logged in to one or more Google account.

Google is collecting a ton of data from you, we are not.  Once again, if you want to feel comfortable using (or not using) this service, the code is there for you to view.  If you build CyanogenMod yourself, you have the option of completely excluding this application from your build as well.  If it does not exist on your system, there is absolutely no way it can still track your location.
 
+chris soyars i currently use prey to track my devices, a cm version is very appealing, looking forward to having a play. couple of things.

is there going to be a device limit per account? prey for example only allow 3 devices for free.

do you have 'take a screenshot' on your todo list? saw above you have take a picture, but a screenshot would also help police as the thief may be on Facebook etc. most of preys success stories come from screenshots and photos. 
 
Very nice work guys... I'll flash 10.2 soon and I will try that... Thank you all! 
 
Could you tell me where is the source of the server? Thank you!
 
Screenshot is an interesting idea. Have it automatically take a screenshot when they open Gmail, Facebook, twitter, and Google +. That along with taking a face pic of them holding the phone would be great. 
Jed Liu
 
+Chris Soyars I'd like to see a response to +Robert Marcano' s comment, as I had the same immediate concern when I read about the browser's involvement in the recovery process.

Specifically, the design implicitly trusts the integrity of CM's web server. A compromised server could serve modified JavaScript code, resulting in a potential man-in-the-middle attack that would expose the user's password.

It would be perhaps better to have a cryptographically signed standalone desktop and/or phone app instead of the JavaScript code.
 
What happens when there are (double) NATs involved?
 
I wish there will be a RedPhone and TextSecure like function on Cyanogenmod based on Moxie's code.
 
这是CM的“找回手机”服务?
Translate
 
so what happens when you get a sealed court order courtesy of the NSA? or just your sysadmin does, but can't even tell you because the will be in violation of fubar terrorism act? you have now become an attractive centralised mainstream target, not the decentralized floss alternative. please release server side code.
 
How is this different to what Google already provides? I really don't see the point 
 
What kind of data wipe does this function have? A simple wipe of a full "tons of 0 writes" wipe?
I ask this because a simple wipe is easy to restore with an unerase software.
 
ps. yes, I use google services, infact have a nexus stock (not CM, every other phone has been. cm since G1). I went nexus partly because I thought "at least I'm removing telco from the rom chain". and I use cerberus for remote security, but with both I have a chain of legal and financial liability to go along with the loss of privacy. maybe the signed version of CM could cost $5 so there is a legally binding contract not mere "well, its floss, check the code or install something else".
the apk you say I can remove may only remove the UI. I already use fdroid (see, I have a sense of humour) and, as is doubtless going to be suggested, plan to switch to replicant - when available ;)
 
Under "Accounts" in settings it says "CyanogenMod Account". You should remove the "Account" imho. It's too long and doesn't stick with the rest of the UI. Plus, other accounts don't say "Facebook Account", "Google Account", "Dropbox Account" etc. :)
 
+Konstantinos Pap funny thing, I don't have a "CyanogenMod Account" option under Accounts ... only the Google account. When I try to add an account, the only option I get is to add another Google account. I'm running the latest nightly 2013.08.20 on Lg Optimus G - E975.

*** EDITED - answer:
"Timeframe? Probably a week or so."
 
Will this work on other ROMs should they choose to build with it, or is it restricted to pure cyanogenmod? 
 
Data connection may be switched off so we could not rely on it.  I think that is necessary to implement SMS controls.

First, SMS on specified number when not registered SIM is inserted. Second, SMS controls by itself - ability to wipe, lock/unlock, send message to screen, on/off siren, force enable GPS and data connection. Just like in other anti-theft apps. Integrated security app from cyanogenmod developers which do not "affraid of" wipe will be great! Good luck!
 
+Luc Davids main differences as of right now is Cerberus had more functionality, but tracks the same general method. Give it time, I'm sure CM will incorporate all the features Cerberus has and more
 
+Tyler Bell i would rather see them as a carrier than a manufacturer, but that would be awesome
 
How do I sign into my account on my device? Or am I something very obvious. I am running the latest 10.2 Nightly
 
Im registered just can t connect my gs4 cuz no login page on phone browser
 
+Charl Fourie I don't think it's been merged into the nightlies yet. At least, I haven't seen it in the change log
 
+joseph barrows I suggest you read the terms of service for Cerberus and Google again. In both cases their liability is limited. Google is limited to what you have paid them (minimal) and Cerberus is limited to the same, or $1000. Sure, they are liable, but the amount of money they are liable for is incredibly small.

If we get a sealed court order, we still cannot provide location information, because we don't store it. The service may be compromised after that, but this scenario is highly unlikely and is a problem you risk when using the Internet these days, not just CyanogenMod, unfortunately.

In the end, we feel our service is better because it takes your privacy into concern from the start.
 
+Jed Liu this is a very valid concern. Koush responded to this question in another thread. I can't seem to find it on mobile at the moment, but I'll check this afternoon from a computer.

We have considered a Chrome extension or a standalone app. Even if our servers are compromised, the phone will still only send encrypted information and the number of users that would be compromised is limited to those that are using the service while it was compromised, instead of everyone.

We realize it isn't perfect, but we feel it is much better than the alternatives.
 
you really should team up with an oem phone manufacturer and release your own smartphone with perfectly polished software. as a reference cm platform just like google nexus devices. starting with kickstarter and making profit for funding further cm development.
 
Anyone for a Google experience?? Sprint updates for Samsung galaxy nexus where are they?? Still 4.2.1 c. R. A p.pY
 
Can you use Google+ account instead? Having to remember yet another account/password such a PIA nowdays.
 
It's features and thinking like this that makes me support CM on all of my devices!
 
every time when i switch from PA to CM or the other side i see nice features like this.. and then the action starts again... 
but now i got them both.. ;) thanks multiboot... ;)
 
Don't now it im just being stoopid or not but i can't figure out how to log in to mye CyanogenMod Accound on my device.. Anyone?
 
+Even Mannerud please read the entire thread before posting. I've already said this before, just a couple posts up. It has not been merged into CM nightlies YET. It will. Be patient
 
Guys that made the avast location/data wipe app also included option to write false data on storage after a wipe so files are not accesible through file recovery softwear... Any chance we can get something similar here?
 
This isn't going to be available for 7.2, right?  Which BTW is the same strategy Google is following:  No Love for Gingerbread -_-
 
+CyanogenMod Will this be able to report a device's last known location- in the event that the battery is no longer charged, or has been removed, or the device has been deactivated/out of signal?
 
+Isidro Moran CM 7 is no longer on the official update schedule, but that's the beautiful thing about it being open source: just because the CM team (probably) wont make it work for CM7 doesnt mean somebody else wont take a whack at it. Try popping a post in your device's thread at XDA.

Keep in mind, however, that much of CM's current features rely on API's released with the current version of Android, meaning there's updated code in 4.3 that CM utilizes in all their current work that plain didn't exist in 2.3.7. You might be hard pressed to find a dev to even attempt this undertaking. It would literally be easier to get a dev to make CM10.2 for your device than to get a dev to port 10.2 features to 7.2
 
+Joshua Parnell Thanx for your time.  Great answer!  Sadly my good ol' Galaxy Fit doesn't support CM10.  I guess I'll have to get an upgrade.
 
You are doing incredible work
 
Hey why did you block my comment? Should I remove the link? I thought suggestions are welcome.
 
How can I login to CM Account on my device? I have leatest nightly?
 
+Szymon Osiński really? Do people even read?

First: read this entire thread. If you had done that, you would have known that it hasn't been merged yet.

Second: read the CyanogenMod change log. Details are always there
 
Hi. How to activate my CM Account on my device? THX
 
OK. THX and waiting to come.. ;-)
 
antother question, how long to expect getting a stable build of cm10.2 for the i9300 ??
 
Check your devices thread at XDA. Unless your devices maintainer frequents this post, it's a horrible place to ask
 
Can't you do that thru google already?
 
+Eric Goleski Except with Google, they know where your phone is or if it is getting wiped. CM on the other hand, would be unable to find out that information. It's between you and your hardware.
Add a comment...