Unsafe ROMS?

Search This thread

unlockMe

Senior Member
Mar 9, 2005
79
2
New York
I've been playing around with all the 6.5 ROMS available on this forum (plus have been lurking for a while so felt like doing some contribution could be appreciated :)).

My company is very stringent about enforcing Exchange ActiveSync policies, especially PIN CODE, timeout to lock and remote wipe.

I noticed that on the 230XX series (I have tested up to 23053) posted here, there are two different behaviors, one serie works with my Exchange Active Sync, one does not.

Since the PIN request and lock timeout work fine with them, I have to assume the remote wipe feature has somehow be disabled by this ROM.

I have been able to identify that a ROM will give me this problem even without connecting with my Exchange Server.
in 100% of the case, if I try to import a root certificate on a "hacked" ROM, it will be installed without any warning, just a "Certificate successfully installed, press OK" dialog.

Now, on a ROM that is not "hacked", when you try to import a root certificate, you are warned that this may be an unsafe operation and have actually to confirm.

This is very concerning to me, because the warning being removed means that any bad guy can leverage these ROM to deploy a rogue root certificate to your device and your device can start trusting wrong sites.

I do not intend this to be an exhaustive list, but as of my testing only the following two ROMs work correctly:

- NATF
- RRE

All the others do not. The source of the non-working ones is either the same, or these people have purposedly altered the ROM to change the security settings. But the result is the same, security altered ROMS.

If anyone could confirm they are experiencing the same, I would not feel alone on the planet


UM
 

ktemkin

Senior Member
Jul 25, 2007
179
0
Binghamton, NY
I'd just like to reiterate that this is a development community- most of the cooked ROMS you've tried are experimental works in progress. We tend to take our experimenting a bit far here- but as none of our 'products' are really production tested, it's fairly safe to say that all of them are just a bit unsafe.

A stock ROM has the benefit of being tested in a production environment- and while performance on these ROMs may not be optimal, they are composed of a set recipe of components established between the OEM and Microsoft.

Many of our ROMs are conglomerations of various different components- so it's not exactly safe to say that any of them can be held completely accountable for device security- there may be plenty of exploits present behind the scenes that never have been exposed or rectified.

We're small-scale individual developers. Most, if not all of us, do this for fun. Many of our packages deliberately alter the way in which devices handle certificates and signing- because it allows us to expand the boundaries we develop within.

If you're looking for guaranteed security, your best bet is to stick with a completely stock device. If you choose to use another ROM, any insecurity is not on the developer, but you.
 

tyguy

Senior Member
Feb 11, 2008
2,214
2
SoCal
Very well said! On top most, actually all of the 6.5 based ROMs have a microsoft beta as a base. Though it may be a save bet that the latest built # may be the closest to the final release at Oct. 9 it's a common practice to reduce/alter some "security" settings an policies for an "easier" way to success. None of these facts is to blame on any ROM chef or developer or however you want to name these creative heads here.
Their work is just incredible and I bet that ms or HTC would be proud to have such guys on board.
Note:
I bet that some individuals of both companies keep a close eye on what's going on here.
 

unlockMe

Senior Member
Mar 9, 2005
79
2
New York
Guys,

Don't get me wrong, I know what I'm doing when installing a beta that has been leaked.
First, it's illegal, we are stealing non published source code, infringing intellectual property and probably making ourselves guilty of too many felony counts to be able to get out of jail without a long white beard.

But, joke aside, this was not the point of my post and I am sorry if I didn't explain myself clearly.

There are 23053 builds that work well are 23053 that do not, as was the case with any previous build number and, consistantly, I have had two out of the pack working exactly as expected from a security perspective, and all of the rest not working as expected.

So, since I do not believe MS is deliberately compiling one tree of the code with embedded security and another without, it means that someone in the middle is affecting it.

That was my point.
UM
 

Kevlar-Source

Senior Member
May 22, 2005
675
22
Sintra
Hummm...

Wrong approach fellow...
Wrong place, wrong time and wrong people.
Don't expect to be received with an open heart while commenting such things...

Imagine the following scenario:
A priest enters a strip bar and tells the owner of his concerns of moral ground, about the practices that take pace there... LOL

I may understand your point, definitely not your purpose.
If you are lucky enough not the get flamed, you will at least see some frown faces...

Leave it...

As someone suggested before, remember this is a development community...
If what you find doesn't suit your needs simply suggest changes or don't use it at all.

If you concluded, after experimenting, that the only functional ROMs are NATF and RRE ones, allow me the following suggestion:

Choose between 3 options:

1.
Use a stock ROM so you don't «steal» form anyone and don't risk having to spend 5 days in a row shaving...
2. Use a NATF ROM
3. Use an RRE ROM

I believe i made my point as gently as I could...
If i may have hurt some feelings, i am deeply sorry for that.

Cheers :)
 

unlockMe

Senior Member
Mar 9, 2005
79
2
New York
Well, 2 points in answer to your post where you obviously did not read mine:

1) Did you miss the sentence that starts with "Joke aside" ??

2) Don't care of being flamed, I provided evidence to people that want to make up their miind, they don't need you to tell them what is safe or not for them


Bottom line is:

- if you do not want to have a phone crashing on you, use a stock ROM (that's actually a good joke... Stock ROMs do not crash less than their beta counterpart).
- if you do not want your passwords, contacts or personal data to end up into some hackers site, be careful about what ROM you install


wearing my flame proof vest.

UM
 

Kevlar-Source

Senior Member
May 22, 2005
675
22
Sintra
Well, 2 points in answer to your post where you obviously did not read mine:

1) Did you miss the sentence that starts with "Joke aside" ??

2) Don't care of being flamed, I provided evidence to people that want to make up their miind, they don't need you to tell them what is safe or not for them


Bottom line is:

- if you do not want to have a phone crashing on you, use a stock ROM (that's actually a good joke... Stock ROMs do not crash less than their beta counterpart).
- if you do not want your passwords, contacts or personal data to end up into some hackers site, be careful about what ROM you install


wearing my flame proof vest.

UM

Dear UM,

I had a good laugh reading your last sentence LOL

I believe that wither you misunderstood me either I was not clear...

1. I am not accusing you of anything.
2. I read you whole message (points 1 and 2 included... They were there, weren't they...?)
3. I am not trying to demote you of you purposes... I was only trying to pass a message but given the fact the message wasn't delivered, I will try to rephrase...:

You are expressing both facts and opinions.
That is, indeed, you right given the fact we are in an open community and we, still, are in a free world (so to speak...).
I do not endorse or condemn none of your previous statements.
Knowing this community for quite some time and specially knowing it's member, active ones, passive ones, contributing ones, parasite ones, etc... I just know for sure that your comment in which you address people in such manner will have one of two possible outcomes:

1.
Total ignorance
2. Flaming

Now, after this, do whatever you like :) Don't get me wrong and sorry if I made myself misunderstood :)

Nuff said.

Cheers.
 

12aon

Retired Senior Moderator
Mar 24, 2008
2,437
483
This thread is not development related, moved to the appropriate section