CyanogenMod logged lockscreen swipe gestures
A developer has discovered that the popular modified Android firmware CyanogenMod apparently recorded swipe gestures used to unlock smartphones. The CyanogenMod project provides manufacturer-independent open source custom ROMs for Android devices. In August, an update was released which modified the fixed 3×3 grid format for lockscreen gestures to make the grid size configurable (by adding a PATTERN_SIZE variable). In the process, a line of code that logs the gestures used was also added.
Gabriel Castro has now stumbled on this code, and was unabashed in expressing his astonishment: "I'm really surprised nobody caught this." Logging unlock gestures is comparable to recording passwords entered by users. Neither represents a direct threat, as without access to the device, attackers cannot access the log file. But it nonetheless poses an unnecessary risk that could allow data which should be confidential to fall into the wrong hands – for example by compromising a backup saved to a PC. Castro has now removed the line of code responsible for logging this information and merged this security patch into the CyanogenMod code base.
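A pre-merge check can catch this class of mistake before it ships. The following is an added example, not code from the article or from CyanogenMod: it scans a unified diff for added Android `Log` calls that pass a credential-like identifier. The sample diff, the file path, `encodePattern` and the keyword list are constructed assumptions.

```python
import re

# android.util.Log / Slog calls; "args" captures everything passed to the logger.
LOG_CALL = re.compile(r'\b(?:Log|Slog)\.(?:v|d|i|w|e|wtf)\s*\((?P<args>.*)\)\s*;')
# Assumed list of identifier fragments that suggest an unlock credential.
SENSITIVE = re.compile(r'pattern|password|passwd|pin\b|credential', re.IGNORECASE)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
CONSTANT = re.compile(r'\b[A-Z][A-Z0-9_]*\b')  # TAG, PATTERN_SIZE: config, not secrets
HUNK = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')

def find_credential_logging(diff_text):
    """Return (file, new_line_no, code) for each added line that logs a credential-like value."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith('+++ '):
            path = raw[4:].removeprefix('b/')
        elif (m := HUNK.match(raw)):
            line_no = int(m.group(1))          # first line number on the new side
        elif raw.startswith('+'):
            call = LOG_CALL.search(raw[1:])
            if call:
                # Drop message strings and ALL_CAPS constants so only the
                # variables and method calls handed to the logger are judged.
                args = CONSTANT.sub('', STRING_LITERAL.sub('""', call.group('args')))
                if SENSITIVE.search(args):
                    findings.append((path, line_no, raw[1:].strip()))
            line_no += 1
        elif raw.startswith(' '):
            line_no += 1                       # context line exists on the new side too
    return findings

# Constructed sample diff (hypothetical file and helper names, not the real change).
SAMPLE_DIFF = '''\
--- a/src/ExampleLockView.java
+++ b/src/ExampleLockView.java
@@ -40,3 +40,6 @@ class ExampleLockView {
     void onPatternDetected(List<Cell> cells) {
+        Log.d(TAG, "grid size " + PATTERN_SIZE);
+        Log.v(TAG, "pattern view redrawn");
+        Log.d(TAG, "entered: " + encodePattern(cells));
         verify(cells);
     }
'''

if __name__ == '__main__':
    for path, line_no, code in find_credential_logging(SAMPLE_DIFF):
        print(f'{path}:{line_no}: logs credential-like value: {code}')
```

Only the third added line is reported: the grid-size constant and the plain message string are not secrets, while the encoded gesture is.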