In Response to The Register “MITM” Article

On Monday, The Register put out an article reporting that CyanogenMod was open to a man-in-the-middle (MITM) attack via a “0-day” vulnerability relating to an SSL vulnerability in Android’s JSSE from 2 years ago.

There are a number of issues we could point out regarding the nature of this report – not least the lack of any contact with us on this topic prior to publishing. Our follow-up request to the author for direct references supporting his claims (or a retraction) has gone unanswered, so we are left to refute this article on our own. This is odd, as The Register has historically had good messaging with respect to CM, but mistakes happen.

First, JSSE is not used in Android 4.4, which means any such vulnerability would apply only to Android 4.3 or below.

Second, CyanogenMod does not customize this particular layer of code, meaning that if such a vulnerability had been left untreated it would affect upstream Android as well (whereas the article pinpoints CM as the point of failure).

Third, the vulnerability’s public disclosure is 2 years old. This in itself is odd, in that CM prides itself on addressing disclosed vulnerabilities as soon as possible, with many being addressed faster than OEMs manage (Towelroot is a good example of this). Other examples include the ‘Master Key’ vulnerabilities, for one of which AOSP itself merged a patch submitted by a CM member. The point is, we are usually exceptionally good at addressing security issues, and this is one of the many reasons people are attracted to this project.

Which brings us back to the article. We can say that, after investigating the claims (albeit without the help of the author), we have found no known reference to the item being discussed within CM11.

Responsible Disclosure
In the event we are wrong, and in the case of any past or future vulnerability found unaddressed, we welcome security researchers to contact us directly.

CM Developer Relations Email:
devrel (at) cyanogenmod (dot) org

Cyanogen Inc. Android Security Email:
Android-security (at) cyngn (dot) com

  • Mauricio Medina

    Don’t fucking ask about ETAs (Estimated Time of Arrival). That’s rule no. 1.

  • RainMotorsports

    It hasn’t even been published to AOSP so no work can even begin. You can’t ask about something that doesn’t even exist lol

  • Martin

    10.1/10.2 are irrelevant. That code is no longer being maintained. This is like asking Microsoft to keep pushing fixes for Windows 98 or IE6. If you want a fix, upgrade (or if the device isn’t supported, get a newer device).

  • Sid

    I just wonder what got him, Darren Pauli (the author of the “MITM” article), interested in focusing on CM rather than on the bug. Come on Darren, we are all experimenting here and we know what’s working and what’s not.

    Not to mention, “These ROMs are largely untested, and as advised by CyanogenMod, not meant for use by an average user. These releases are meant to test untested waters that may or may not break your phone.”

  • Luiz Fernando de F. F.

    Wow, nice strawman, comparing Win98 / IE6 to CM 10.1/10.2 – of which the latest release is from less than a year ago. Bonus points for dismissing the fact that there are many devices that didn’t get CM11 by just telling the guy to get a newer device. Classy. Why don’t you go ahead and give him the cash for him to get a CM11 supported device then?

    I’m not saying CYGN is supposed to maintain older releases forever, but at least security fixes would be desirable, at least for a couple of older point releases, and it shouldn’t be that hard to do – in fact, it happened in the past that CyanogenMod patched older releases past their final release.

    But as ciwrl said in the post, the disclosure is too old, so it’s likely fixed anyway and the reporter on The Register just got everything wrong, so it doesn’t matter. And then again, the CM source is out there, so he can always fix it himself or pay someone to do it, if it’s really important to him.

  • Charlie

    Towelroot did not get patched in 10.2, as far as I know.

    I’m on PagePlus with a hated Qualcomm device running an unofficial. Patches would be great! Not gonna happen.

  • mutaman abdulhasan

    Will Android L CyanogenMod? I have an S3 i9300.

  • Vitaly Gurevich

    WTF OnePlus preorder FAILED!!!!!

  • guidance

    What is there to add to the positive points below? You guys show that you keep your eyes on possible security issues, you do patch them as quickly as possible AND you hold the etiquette high of keeping an open mind.

  • Andrea Verocio

    I don’t trust CM anymore. I feel like he has let me down by stopping support for so many older devices. I don’t see why such a position is warranted when it costs CM’s devs so very little but gives the public so much to gain.

  • dasarathy

    Just not updating old phones is your problem, eh……lol….this is about the MITM article. CM are one of the best devs for updating various phones faster than the OEMs do. If you don’t find any ROMs here, that means shut your big mouth and go buy a new phone, you whacko.

  • Andrea Verocio


  • Noak Sten, aka The Pimp

    Where is the M11 release to Nexus 7 2012 Grouper?

  • Noak Sten, aka The Pimp

    Yeah, open source…. Google hates open source.

  • ethd

    The source was being uploaded to AOSP pretty much by the time you posted.

  • Martin Spacek

    Yeah, that and their illustrious status as anthropogenic global warming deniers has turned me off in a big way.

  • rtreffer

    could you publish keys alongside disclosure addresses?

    should be regarded public (at least in post-Snowden times), thus disclosures about vulnerabilities should not be sent via unencrypted e-mail. (Note that this is only true for responsible disclosure; public disclosure is a different beast.)

  • dasarathy

    Off topic, um……when will the new M12 be available??? And Android Lollipop?????

  • Kirn Gill

    It’s a lot of pain for many smaller devs. If a device is too old, porting becomes a nightmare; lots of bugs need to be fixed and it is incredibly difficult.

  • B. Candycrush

    AT&T has been specializing in selling phones that brick if you try to unlock them, lately, so I wouldn’t hold my breath.

  • Kirk Amvrosidis

    It didn’t get it

  • Noak Sten, aka The Pimp

    Why not?

  • Kirk Amvrosidis

    That’s a very nice question that I cannot answer. 😛
    Some devices seem to be missing M builds, and that’s mainly because they’ve got some issues that need to be resolved before they get tagged as Snapshots. I don’t know about the Nexus 7 case.
    It’s either that the device missed an M build due to instability issues, or it’s missing a maintainer.

  • dasarathy

    Hello CM developers. I am waiting for your Lollipop release.

  • mii

    Seriously guys, since you went corporate your community communication just sucks big time. Where is your “ongoing feature” “This Week in CyanogenMod”? It came out later and less regularly every time, changed to “Last Week in CyanogenMod”, then just stopped.
    Regular builds on the 1st Saturday of the month were great! And it worked for some time. Lately that changed as well, first by only a few days, then weeks.
    You guys forget where you’re coming from. There are contributors but also a community that made you big. WE are your capital, WE are the reason you can collect millions! We are impatient, always have been. So talk to us, what is going on? Will there be an 11M12? L came out and you don’t open your mouth on any channel!

    Don’t get me wrong, I’m sure you’re hard at work. But hell, SPEAK TO US! There are a lot of people that just want and don’t appreciate, I get that. I ain’t one of those, but I still feel like you owe us more words, more communication.

  • Kirk Amvrosidis

    They’ve objectively changed since Cyanogen Inc became a thing

  • Don

    Well, it appears that the M12 rollover is done. Yet, to my surprise, the CM Team has skipped the S3 i9300. I noticed that they have not provided nightlies for the last three days. We have questions, but the blog is silenced!!!

  • Kirk Amvrosidis

    Well, they’ve skipped Nexus 5… S3 is not that big of a surprise to me now!

  • Don

    Yeah, you are right! However, Sprint is just rolling OTA Lollipop 5.0 out to its Nexus 5 as I’m writing. Samsung quenched our hopes in the early days of KitKat.

  • Krali

    Dude, Nexus devices don’t even have it yet. Factory images for the Nexus 5 only JUST got released. Calm down.

  • kokoko

    I scanned the download post today and saw some M12 updates, but no mention or post on the CyanogenMod official FB page or on this website.. and no M12 update for the GT-I9100 :( Please enlighten me on this.

  • BombayBuddy

    You get what you pay for.

  • BombayBuddy

    Be patient for fucks sake.

  • TedPhillips

    You’re really entitled?

    The means to support those ‘older’ devices is all in the open, and you can take any of them and continue maintaining them at your leisure; if there is any support already, then CM/others have done the significant legwork to get community builds off the ground. I don’t think CM is under any obligation to continue supporting devices perpetually. If you’ve chosen your device wisely, with regard to SoC and popularity etc., you can get an outstanding shelf life from CM. If you chose something that was a hack to support initially, don’t expect it to get carried around forever. Additionally, major version upgrades are not done easily without updated assets from the OEM and SoC vendors, so if your device is not in that group then it is a massive cost (sometimes impossible) for the community to provide a true upgrade build. Older versions of CM still get security updates as well, so not getting the new version is not the same as being dropped entirely.

    The only devices support is guaranteed for are the ones that Cyngn Inc has a business relationship with, so the N1 and 1+1, and the support terms are well defined there.

    So, I disagree.

  • Joshua Nicholas Bates

    How about YOU give most of your time and commit yourself to developing ROMs instead of relying on other people to do the job for you. I bet I wouldn’t be wrong if I said that you had never donated to any of the devs/projects?

    Most idiotic comment I’ve heard in a long time.

  • Andrea Verocio

    “How about YOU give most of your time and commit yourself to developing ROMs instead of relying on other people to do the job for you. I bet I wouldn’t be wrong if I said that you had never donated to any of the devs/projects?

    Most idiotic comment I’ve heard in a long time.”

    Not that it’s any of your or anyone else’s business what my financial contributions are, but you would be VERY wrong.

  • tasinet

    First of all, this issue is about security trust, not general trust, so saying “I don’t trust CM anymore” is a bit misleading.

    Now on to your point: Which devices? How do you define “stopping support”?

    Older hardware simply won’t run more demanding releases such as CM 11 – you realise this, right? By putting out a CM 11 release for a phone with 256MB RAM (say), they’d be advertising that it will work, when it won’t.

    Is this what you are talking about?

  • Guest

    And you know about the time I’ve spent in my own dev projects because you have awesome mind-reading control, right?

  • Andrea Verocio

    Your post lacks any kind of imagination. I love when people start throwing around the word “entitled”. Like they want to look like they know what the fuck they are talking about. Some Good shitz!

  • Gleb

    Thanks, that was really helpful.