CM Account now live

CM Account has now passed code review and will be available in the next nightly builds. 

To add an account, navigate to Settings > Add account > CyanogenMod and create an account or log in with your existing account credentials. 

You can use the Find and Wipe functionality via:
https://account.cyanogenmod.org/login

For those of you who may have built this application on your own (or flashed it from an older source) you may be required to remove your account from your device and add it again. 
121 comments
 
Anyone can tell me what I can do with CM account? 
 
Thanks for all the hard work. 
 
that would be so good if it has a contact sync too!
 
does the "create new account"  let you set one up without opening the browser?
 
Any news on the encrypted / data based SMS we all heard about back in July?

I assume this is partly one of the prerequisites for that?
 
What is this account for exactly?
 
How does this differ from Google Android device manager find and wipe system? Any extra features? Or is it just cm version of the same? (Maybe open to more people around the world)

 
+Dustin Wiley ours is far more secure, the website (JavaScript) code, and Android code are both open to the public.
 
+Dustin Wiley this is a more secure alternative. Basically it encrypts the data such that only the phone and the browser can see the location/order a remote wipe, the server in the middle simply facilitates this but cannot read it (nor can anyone else read a plain text version of the phone's lat/long)
 
Of course I know about Google but what do I need a cm account for? I don't understand!
 
I'm more interested in the server side, I'd like to host my own...
 
I hope you add the option tvout to CM10.2 for galaxysmtd , you are great team i'm happy using your rom thanks
 
Will this save my setting from phone to phone
 
Please cm mega 6.3 att please for unlock bootloader for I can install your cm
 
You guys should definitely do one official release for the Samsung Infuse 4G. 
 
Before I make a CM Account, what's the worst thing that could happen if your servers were compromised? Could someone who isn't me wipe my phone remotely to troll me? What could happen worst case? Just want to know.

Also how is it (technical explanation would be appreciated) more secure than alternatives?

I'm only asking because I want to make extra sure before I use it, since obviously security is a huge concern these days. You might have already given an explanation of all this stuff before, but I don't remember reading much beyond a general summation of what the CM Account is or how it's secured. If I'm wrong just point me in the right direction :)
 
This is pretty damn awesome. Thanks CM team!! Who else can boast of such high end, painstakingly engineered features in a custom ROM and free to boot. Long live the open source community!!!
 
I just got settled into stock rom after the failed nightlies
 
+Bill Puckering There are a few scenarios to consider.

Database Compromised
If our database is compromised (for example, someone got a list of all users and their hashed passwords), there are still some safeguards.  We salt your hashed password with a user-specific salt, and a server-specific salt.  The server-specific salt is not stored in the database.  In this event, it would be practically impossible for someone to obtain your password, unless they know the server salt.

Server Compromised
If the server is compromised and someone deploys malicious code, there isn't much they can do.  Your device expects an encrypted message that basically says "start the wipe".  The server does not encrypt the message, your browser does.  The server is simply there to pass the message from your browser to your device.  Even if the server is compromised, it does not have enough information to generate an encrypted message that the device will understand, because it does not know your password.  The most an attacker could do is send a "password reset" message to your device, effectively rendering the find and wipe capabilities useless, until you log back in on the device.

Password Compromised
If your password is compromised, an attacker can remotely wipe or locate your phone.  It is up to you to choose a secure password, just as you would with any other web service.

As for the security, I'll write up something in more detail later in the week, as the entire process is complex and too much information for a comment on a post.  The important thing to know is that your location is never sent to our servers in plaintext.  All messages between your browser/device are encrypted using AES256.  The key that is used for these encrypted messages is exchanged between the browser/phone using ECDH.  The server only ever knows the public keys of both parties, which is not enough information to calculate the AES key.  Even if the server generates its own public key, all messages are signed using HMAC-SHA256, where the key is derived from your password and a random salt using PBKDF2.
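What the device-side check looks like when the relaying server swaps in its own public key, as described in the comment above. This is an added example, not CyanogenMod's code or the commenter's: the curve (prime256v1), AES-GCM mode, SHA-256 over the ECDH secret, the PBKDF2 iteration count and all function names are assumptions.

```javascript
// Added illustration, not CyanogenMod's code; all parameters and names are assumptions.
const crypto = require('crypto');

// HMAC key both ends derive from the account password and a random salt.
function deriveAuthKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// Tag that accompanies a public key as it passes through the relay.
function signPublicKey(authKey, publicKey) {
  return crypto.createHmac('sha256', authKey).update(publicKey).digest();
}
function verifyPublicKey(authKey, publicKey, tag) {
  const expected = signPublicKey(authKey, publicKey);
  return tag.length === expected.length && crypto.timingSafeEqual(tag, expected);
}

// AES-256 key from the ECDH shared secret (SHA-256 as an assumed KDF).
function sessionKey(ecdh, peerPublicKey) {
  return crypto.createHash('sha256').update(ecdh.computeSecret(peerPublicKey)).digest();
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decrypt(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Constructed scenario: browser and device know the password, the relay does not.
function demo() {
  const salt = crypto.randomBytes(16);
  const authKey = deriveAuthKey('constructed-example-password', salt);
  const [browser, device, relay] = [0, 1, 2].map(() => crypto.createECDH('prime256v1'));
  const [browserPub, devicePub, relayPub] = [browser, device, relay].map((k) => k.generateKeys());
  const browserTag = signPublicKey(authKey, browserPub);
  const honestAccepted = verifyPublicKey(authKey, browserPub, browserTag);
  const command = decrypt(sessionKey(device, browserPub), encrypt(sessionKey(browser, devicePub), 'WIPE'));
  // Relay swaps in its own key: it can neither forge a tag nor reuse the browser's.
  const forged = signPublicKey(deriveAuthKey('relay-guess', salt), relayPub);
  return { honestAccepted, command, swapAccepted: verifyPublicKey(authKey, relayPub, forged),
    replayAccepted: verifyPublicKey(authKey, relayPub, browserTag) };
}
```

The relay sees both public keys and the salt, yet the device rejects a substituted key because the HMAC key depends on the password the relay never receives.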
 
Am I able to host the Find and Wipe functions (I guess it means the whole CM account) in my own server? Like you can host Firefox Sync service ...
 
+Chris Soyars Does the NSA have the keys yet for any SMS crypto done on the server? Did they help you set it up?
 
+Paul Henning The server does not do any crypto.  I'm not sure what you mean by SMS crypto, this is not for SMS crypto.  Even if it was, the server would not be doing the crypto.  That defeats the purpose.  Why would the NSA help us set this up?  That's just silly.
 
+Chris Soyars I just want to get out there I'm not accusing. Reading the news scares me is all with these revelations.

Keep up the great work.
 
+David Fischer The APK in that post is extremely old and not compatible with the server.  Try flashing a nightly build once one is available for your device.  We just merged this today.
 
+Paul Henning If you had read what you had to read, you wouldn't be worried at all. The CM account is exactly a response against stuff like the latest NSA news. Or more exactly, concerns about companies like the one developing Prey using their users data.

Each client sets up a pair of keys, unique for each client, the server only gets your public key and never the private. So no one can get your data

They've had the code in the public repository for everyone to review and make sure there aren't any security breaches, exactly because they don't want anyone worrying about anything.
 
+Paul Henning Cerberus sends your location data to their servers, and then to your browser, in plain text.  This means anyone in the middle can read it, and the server can store it. CM Account cannot do that.
 
And then, if it concerns you, CM account is a completely optional thing. I'll use it, and I'd love it if in the future it stored info about my desktop configuration (icons, folders, widgets, etc) and restored it exactly as it was in a previous state, ala iTunes.

Just daydreaming! I like the new feature as it is.
 
How is the service of this account different than the one that Google offers in recent update of 4.3?  It's called Android Device Manager.
 
This is open source, and ADM isn't. So it isn't really different to Cerberus or Prey, all these three have security concerns where your data could be stolen with man-in-the-middle attacks, or companies using your data for whatever they'd like to.

In the end, CM is providing a completely transparent and secure app to find your device, if you're worried or paranoid about your data or being located everywhere.

Not trying to convince anyone, but they've had the code to review and assure everyone this is completely secure and transparent, it is up to the users to choose what they want to use.
 
So contact sync is available now? 
 
Thank you team cm will be flashing later and logging in 
 
How about RAM consumption ? My GNex is already on its knees because of a few accounts, I wouldn't like CM to make it much worse yet.
 
Syncing settings would make this awesome
 
oh my oh my oh my :x :x
i'm gonna have it in my device tonight :x :x
 
I wish to have cyanogenmod on my galaxy i8150 but my dad won't let me because it was too risky...cyanogenmod please release the official cyanogenmod 10 for galaxy w i8150.
 
just earned another donation from me, love you guys, keep up the amazing work
 
Will it also work on CM10.1? Or just on the last CM10.2?
 
Is 20130909 working properly at the moment?
 
Good news. "Value added services" sounds a bit like ms mumbo jumbo, though.
 
It looks like the verification mail isn't sent if I use a mail address with a "+" in it.
 
Can't see Cyanogen as an option in add account on the 10/9 Nightly on the S3 build of 10.2. But I did create an account on the website so will be ready when it appears.
 
Would it be actually possible to make it work even after factory reset? If somebody nicks my phone and does reset, the whole Locate my phone will become quite unusable. Can it for example transmit my IMEI and tie it to my CM Account? If the app is located in the System, pure Factory reset wouldn't affect it.
 
FM radio :(((((( ,,, can't wait please build in ...for 10.2
 
It seems like you cannot log in unless you set your language to English. Well, at least it doesn't work while the device uses German as system language. Kept complaining about the password being wrong.
 
works fine, but it would be better not to show the gps icon in the notification bar when the gps sensor is activated
 
Can't wait to have this in CM10.1 Stable builds. =)
 
When setting up the account on my SGS2 (10/9 nightly), I have chosen that the app is allowed to use location functionality but without GPS. However when testing the app, it took long to respond and it did activate the GPS. When unticking the function in the device administrators, the CM account icon disappeared. Yet after a reboot it was back but again enabled. Did I do something wrong or is this a known bug?
 
+Chris Soyars if there is a server exploit, could they not modify the browser code to send through the user's password to the attacker? Thereby allowing them to write a device.
 
Unrelated: If you're on an older CM ROM running Jb 4.2.2, how do you keep the phone from downloading the 4.3 OTA system update? Disable service & Autorun manager freeze it, but the battery still drains in half a day. 
 
+Matthias H Check your spam, I've been testing this for weeks with + in my email address, I've never had an issue.

+Jason Schwarzenberger  Only if said server exploit allows the attacker to modify the Javascript code that is sent back to the browser.  The Javascript is just static content, nothing in the server ever writes to any files anywhere on disk, so I highly doubt this will ever be an attack vector.

+Jachym Kokesh Lukes Your account is tied to a hash of your WiFi MAC address right now.  Unfortunately there is a bunch of information stored on data that is required to negotiate the encryption with the browser.  That data gets wiped during a factory reset.  We are going to look into solutions to make this work after a wipe eventually.
 
+bror de jonck this is working as designed.  We figured if you want to locate your device, we should do anything we can to allow that.  We will turn GPS on if it is not on already to accomplish this.
 
Anyone else here from the German-speaking region? I have a few questions :>
 
What does this account do for me? I only see my device... is there anything else?
 
If your device was stolen or you lost it, you can locate it via GPS and/or erase all data.
Nice thing. Maybe more will be added in the future.
 
oh yes, right, it did say wipe there too... yes, that's a really good idea
thanks already :>
 
+Chris Soyars Thanks for that.

Now if I could only figure out how to stop it from trying to get my location on my GPS after leaving the website. Needs some way to cancel searching for your device.
 
Flashed paranoid android 3.99 last night. Lost 1500 points on antutu
 
+Bill Puckering I'll implement this, it should be very simple.  It will attempt to get down to 5m of accuracy or 11 location updates, whichever comes first, so it won't stay on for very long.
 
I just signed up for a CyanogenMod account when I updated to the newest ROM. I received a verification email. When I tried to use it on my phone I got an error. When I tried to verify it via my laptop I got a message “The link you followed is no longer valid.”. Retrying it on my phone returned the same error message. Can anyone tell me what to do? And once I get this properly installed, will there be some sort of app on my phone? Confused!
 
+Jeffery Anderson To fix the OTA update bug, you go to About Phone -> CM update and install the 10.1.3RC2 update.  It's one of the important bug fixes.
 
Never mind!!!! Figured it out. Duh!
 
+CyanogenMod If you don't mind a suggestion, it would be nice to have the ability to nickname / rename devices on the CyanogenMod Account website. I currently have 2 items listed as Asus Nexus 7... it would be easier to distinguish between them if I could tag one as "wife's tablet", for example.

Looks great otherwise! :)
 
+Bob Becker The link in the email verification is only valid for one email verification.  If you clicked it, then your email should be verified.  Let me know if that isn't the case.
 
+Adric Norris This is coming soon, the database already supports it, we just need to wire up the user interface.
 
I am extremely impressed with how smooth the new account works, and how professional the interface is, great job guys.
 
Doesn't work behind my employer's firewall, which for some reason blocks C2DM, and other Google ports. Cerberus always worked though.
 
Awesome!! Just tested it, with GPS turned off, and it turned on by itself and I got the map location in the browser on my laptop. Major kudos Cyanogen!! No better android developers, bar none!!!
 
Notification sound is not working, does not sound at any Notification.... :(((((((((((((((((((((((((((((((.................can someone help me???
 
Everyone wants to get access to our devices(
 
+Chris Soyars Just want to say thanks for all this stuff (and then some :) ). Now I've been trying to set up my own server for this though I've no knowledge of JS or Node. So far all I get is a bunch of "Error reading from remote server" returned by /api/localedetect.js or /_ah/channel/jsapi in Apache logs and "Loading..." in the web browser.
 
It would be great if we were able to save and sync all the rom settings with this account :D
 
Hurrah. Worked for me this time. 
 
+Robert Ramiega The server is not open source, only the Javascript client.   When you run "grunt devserver", it expects a copy of the server to be running locally (which you do not have).

You can run "grunt server", and it will proxy requests to https://account.cyanogenmod.org/, so you can run the user interface locally, however, you cannot run your own copy of the server.
 
Oh... ok got that.... are there any plans to open source of the server? 
 
I get permanent fc after flashing latest build on my N4, "unfortunately cyanogen account has stopped" help
 
+Robert Ramiega not at this time. The server is just there to pass messages between your browser and phone more or less. You could pretty easily implement a lightweight version yourself. 
 
That's just awesome... Maybe some services like find my cm?
 
Any idea when the RC of 10.1 get it?
 
So...it's been out for a bit...has anyone come up with a solution for those who have never been able to "locate" their phone?  Prey works.  Cerberus works.  Google Device works.  This, never had in a dozen tries.
 
my login on https://account.cyanogenmod.org/login and my login via the add account in the nightlies used to be the same account, but are now different.

Before I could see my device and locate it, but recently the website said it couldn't find my login, so I clicked register with the same email address and new password and saw no devices, but in the phone, I removed the account and could not login with that new password, but could still login with the old, original password, weird...
 
Was there ever a solution for the problem of  the repeated, 'unfortunately, cyanogen mod account has stopped'?  
 
hello everybody))) i cannot add cm account)) from my desktop pc and my android gadget(((
look my steps
1 go to the settings- accounts-add account and no any names with cyanogenmod
2 go to the browser i tested on native explorer and google chrome from my android phone. in both cases i see this warning
You do not have any devices registered with your CyanogenMod Account. Please login to your device using your CyanogenMod Account to register it.


help me please!!!!  i have samsung galaxy note from ntt docomo sc-05d 