On Monday, The Register put out an article reporting that CyanogenMod was open to a man-in-the-middle (MITM) attack via a “0-day” vulnerability, stemming from an SSL vulnerability in Android’s JSSE from 2 years ago.
There are a number of issues we could point out regarding the nature of this report – not the least of which was the lack of contact regarding this topic prior to publishing. Our follow-up request to the author for direct references to his claims (or a retraction) has gone unanswered, so we are left to refute this article on our own. This is odd, as The Register has historically had good messaging with respect to CM, but mistakes happen.
First, JSSE is not used in Android 4.4, so any such vulnerability could only apply to Android 4.3 or below.
Second, CyanogenMod does not modify this particular layer of code – meaning that if such a vulnerability had been left unpatched, it would affect upstream Android as well (whereas the article pinpoints CM as the point of failure).
Third, the vulnerability was publicly disclosed 2 years ago. This in itself is odd, since CM prides itself on addressing disclosed vulnerabilities as soon as possible, often faster than OEMs (Towelroot is a good example of this). Other examples include the ‘Master Key’ vulnerabilities, for one of which AOSP itself merged a patch submitted by a CM member. The point is, we are usually exceptionally good at addressing security issues, and this is one of the many reasons people are attracted to this project.
Which brings us back to the article. After investigating the claims, albeit without the help of the author, we can say that there is no known reference to the item they are discussing within CM11.
Responsible Disclosure
In the event that we are wrong, or that any past or future vulnerability is found unaddressed, we welcome security researchers to contact us directly.
CM Developer Relations Email:
devrel (at) cyanogenmod (dot) org
Cyanogen Inc. Android Security Email:
Android-security (at) cyngn (dot) com