SuperSU and CCMT - clarifying privacy questions

[Phil3759]

Hi,

Many people are more and more concerned about privacy and security. The goal of this post is not to hear that people concerned about security and privacy should run stock.

Many threads over internet, over xda and reviews in Play are spreading assumptions about the security concerns since SuperSU is taken by an unknown, discrete and rather secret organisation, CCMT.

We all know the concerns spread over King root in the past.

There are no clarifications either from Chainfire or CCMT about their privacy policy. The supersu.com site has no indications about any physical identity or headquarters. There is no mention of any privacy policy statement. Any post related to these questions in other threads is wiped by mods as out of topic.

Many people over the years never trusted SuperSU as an app, but rather a human known as Chainfire. His reputation over xda community made him above any questioning.

Now, the privacy concerns around a so powerful application rely on a new owner: CCMT. The new owner is secret, has no physical identity, no previous reputation, no nationality and no privacy policy at all. It is releasing new GUI versions that even Chainfire states he is not aware of.

So, like many people, I am questioning my self about CCMT, their origin and their privacy policy. Over the years, I never thought a second to question on Chainfire, but, like many, I feel the right to ask it now.

I am expecting from this thread more clarifications about basic things: CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not

 

[fhfuih]

Many people over the years never trusted SuperSU as an app, but rather a human known as Chainfire. His reputation over xda community made him above any questioning.

I can't agree more about this. That may be why lots of SuperSU users become worried after this transaction.


As far as I know, Whois says SuperSU.com belongs to a company in Hangzhou, China. And as a Chinese, I see many local SuperSU users hurrying to rollback or uninstall SuperSU. If CCMT is really a company from my country, I deeply understand their anxiety, because that's something related to the whole Chinese software industry:

The most renowned Chinese companies, like Tencent(Wechat, QQ, etc), Baidu, Alibaba(Alipay, etc), Qihoo(360 security, etc), Kingsoft(CleanMaster apps, not that CM for CyanogenMod), run in same strategies, that is to make free, but heavily bundled, bloated, privacy-peeking apps. Some even require hundreds of permissions, run hundreds of services and/or activities, install bloated apps automatically, or open camera to take photos on background. And they will do another clean version for Play Store for foreigners. So you won't experience that disaster, but in China thanks to GFW we can't use Play Store, but to download apps from other unofficial sources.

If CCMT is really Chinese, they, however I must point out, seems not to do anything far-fetched in the new release. SuperSU seems as pure as it used to be. And I believe a new company can't afford the risk to do that thing worldwide right after it takes off.

If CCMT is not Chinese, or wherever it locates, there's still possibility that SuperSU may be used to do something we dislike. We can remain cautious for a period of time. But we also have to beware that this decision was carefully made by Chainfire, and CCMT was introduced by XDA leadership. None of them want to see things go wrong.

But, yeah, I want to know more about CCMT too. It's indeed weird to see such a invisible company buy SuperSU.

Hi,

Many people are more and more concerned about privacy and security. The goal of this post is not to hear that people concerned about security and privacy should run stock.

Many threads over internet, over xda and reviews in Play are spreading assumptions about the security concerns since SuperSU is taken by an unknown, discrete and rather secrent organisation, CCMT.

We all know the concerns spread over King root in the past.

There are no clarifications either from Chainfire or CCMT about their privacy policy. The supersu.com site has no indications about any physical identity or headquarters. There is no mention of any privacy policy statement. Any post related to these questions in other threads is wiped by mods as out of topic.

Many people over the years never trusted SuperSU as an app, but rather a human known as Chainfire. His reputation over xda community made him above any questioning.

Now, the privacy concerns around a so powerful application rely on a new owner: CCMT. The new owner is secret, has no physical identity, no previous reputation, no nationality and no privacy policy at all. It is releasing new GUI versions that even Chainfire states he is not aware of.

So, like many people, I am questioning my self about CCMT, their origin and their privacy policy. Over the years, I never thought a second to question on Chainfire, but, like many, I feel the right to ask it now.

I am expecting from this thread more clarifications about basic things: CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not

 

[FlemishDroid]

I'm also trust Chainfire and Xda but what in the future when Chainfire has nothing to do anymore with SuperSu? I prefer SuperSu because it's simply the best superuser for Android devices and Chainfire was always the first to root new devices but when Chainfire leaves SuperSu I'm seriously thinking to remove SuperSu and going for an opensource Superuser as PHH Superuser.

I really hope CCMT is a good and fair company but there are lots of bad examples where good apps are sold to questionable company's for example Quickpic and Cheetah mobile.

Thanks to Chainfire for the years of development on SuperSu and I respect your decision.

Sent from my lightning fast SM-G930F (S7)

 

[BeansTown106]

I have to agree I find the whole thing to be shady as **** pardon my French, everything that surrounds it lately is pointing towards them not being a trustworthy entity, I have always trusted chainfire, he has been a stand up guy but money �� talks, obviously he has signed a nda so he can't disclose anything related to this, what I find shady imo is they are going far out of they're way to make their identity hidden, when the company/acquisition was first announced by @Chainfire they were supposed to be a trustworthy Compay who has built root apps that "everyone" has used in the past. Just a quick glance at their website and Google plus you can tell they are not native English speaking people, not that there is anything wrong with that, but it solidifys the only info that we know is that the domain is located in China, so most likely the owners do as well, we all know how bad China is for security/privacy.

There is a couple rumors going around that the actual owner of ccmt is Josh the xda owner/admin. If that is true then just tell the community it will save yourself alot of trouble, many developers etc are arleady working on alternatives to supersu because of the way this had been handled.

To put it frankly and to c/p Phil we the millions of root users would like to know..

CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not

Without this information you are basically admitting you are an untrustworthy company and shouldn't be trusted with literally uncontrollable access to millions of root users devices.

I say uncontrollable because supersu modify and reloads the sepolicy at will and can literally do anything it wants without user consent.

This is why this is such a big deal!!!!


Ps- to xda lets keep this discussion open.

 

[Morningstar]

I have to agree I find the whole thing to be shady as **** pardon my French, everything that surrounds it lately is pointing towards them not being a trustworthy entity, I have always trusted chainfire, he has been a stand up guy but money ? talks, obviously he has signed a nda so he can't disclose anything related to this, what I find shady imo is they are going far out of they're way to make their identity hidden, when the company/acquisition was first announced by @Chainfire they were supposed to be a trustworthy Compay who has built root apps that "everyone" has used in the past. Just a quick glance at their website and Google plus you can tell they are not native English speaking people, not that there is anything wrong with that, but it solidifys the only info that we know is that the domain is located in China, so most likely the owners do as well, we all know how bad China is for security/privacy.

There is a couple rumors going around that the actual owner of ccmt is Josh the xda owner/admin. If that is true then just tell the community it will save yourself alot of trouble, many developers etc are arleady working on alternatives to supersu because of the way this had been handled.

To put it frankly and to c/p Phil we the millions of root users would like to know..

CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not

Without this information you are basically admitting you are an untrustworthy company and shouldn't be trusted with literally uncontrollable access to millions of root users devices.

I say uncontrollable because supersu modify and reloads the sepolicy at will and can literally do anything it wants without user consent.

This is why this is such a big deal!!!!


Ps- to xda I know you helped facilitate this sale, and are probably gonna delete my message to cover this up(this is gonna be posted on Twitter and g+ as well) I should probably say goodbye to my recognized titles as well huh? But honestly this is scary **** and seriously one of the biggest security concerns the development Community has ever seen. Before u delete this just think of how many times you guys closed kingroot threads when honestly supersu could be owned by kingroot/cheetah/etc and nobody knows.

Couldn't have said it better myself, beans.

 

[shiznu]

I have to agree I find the whole thing to be shady as **** pardon my French, everything that surrounds it lately is pointing towards them not being a trustworthy entity, I have always trusted chainfire, he has been a stand up guy but money ? talks, obviously he has signed a nda so he can't disclose anything related to this, what I find shady imo is they are going far out of they're way to make their identity hidden, when the company/acquisition was first announced by @Chainfire they were supposed to be a trustworthy Compay who has built root apps that "everyone" has used in the past. Just a quick glance at their website and Google plus you can tell they are not native English speaking people, not that there is anything wrong with that, but it solidifys the only info that we know is that the domain is located in China, so most likely the owners do as well, we all know how bad China is for security/privacy.

There is a couple rumors going around that the actual owner of ccmt is Josh the xda owner/admin. If that is true then just tell the community it will save yourself alot of trouble, many developers etc are arleady working on alternatives to supersu because of the way this had been handled.

To put it frankly and to c/p Phil we the millions of root users would like to know..

CCMT identity, headquarters, privacy policy, national affiliations (Europe / US vs Asia...)... so that anyone can decide to trust them or not

Without this information you are basically admitting you are an untrustworthy company and shouldn't be trusted with literally uncontrollable access to millions of root users devices.

I say uncontrollable because supersu modify and reloads the sepolicy at will and can literally do anything it wants without user consent.

This is why this is such a big deal!!!!


Ps- to xda I know you helped facilitate this sale, and are probably gonna delete my message to cover this up(this is gonna be posted on Twitter and g+ as well) I should probably say goodbye to my recognized titles as well huh? But honestly this is scary **** and seriously one of the biggest security concerns the development Community has ever seen. Before u delete this just think of how many times you guys closed kingroot threads when honestly supersu could be owned by kingroot/cheetah/etc and nobody knows.

If Beans post gets deleted, its gotta make you think.

 

[pulser_g2]

Ps- to xda I know you helped facilitate this sale, and are probably gonna delete my message to cover this up(this is gonna be posted on Twitter and g+ as well) I should probably say goodbye to my recognized titles as well huh? But honestly this is scary **** and seriously one of the biggest security concerns the development Community has ever seen. Before u delete this just think of how many times you guys closed kingroot threads when honestly supersu could be owned by kingroot/cheetah/etc and nobody knows.

Recognized titles are not based upon arbitrary criteria - your title is based on your achievements and contributions, not whether you agree with people or not.

I wrote an article on the portal discussing the merits of open source in superuser apps. I don't think there's a massive conspiracy here to be honest.

My personal view on the situation is that the community can and should simply take this as a good reason to get together and write a better, open-source superuser app. Go on out there, and let's do it right. There's projects working on it, so let's all get in behind those, and let's get functional parity? If this is something you believe in, let's make it happen? Awesome opportunity to learn a lot about the underlying workings of android and selinux as well.

 

[zelendel]

Recognized titles are not based upon arbitrary criteria - your title is based on your achievements and contributions, not whether you agree with people or not.

I wrote an article on the portal discussing the merits of open source in superuser apps. I don't think there's a massive conspiracy here to be honest.

My personal view on the situation is that the community can and should simply take this as a good reason to get together and write a better, open-source superuser app. Go on out there, and let's do it right. There's projects working on it, so let's all get in behind those, and let's get functional parity? If this is something you believe in, let's make it happen? Awesome opportunity to learn a lot about the underlying workings of android and selinux as well.

Couldn't agree more.

 

[KreAch3R]

I've said it before; Anything can be sold to anybody and we shouldn't care. But when we specifically ask for who is/are the guys that take complete control of our devices over a night and they specifically go out of their way to not answer a simple question, it blatantly shows that they don't want to tell us something. It's so simple.

I'm all in for an opensource alternative and I will try to help as much as I can.

 

[BeansTown106]

Recognized titles are not based upon arbitrary criteria - your title is based on your achievements and contributions, not whether you agree with people or not.

I wrote an article on the portal discussing the merits of open source in superuser apps. I don't think there's a massive conspiracy here to be honest.

My personal view on the situation is that the community can and should simply take this as a good reason to get together and write a better, open-source superuser app. Go on out there, and let's do it right. There's projects working on it, so let's all get in behind those, and let's get functional parity? If this is something you believe in, let's make it happen? Awesome opportunity to learn a lot about the underlying workings of android and selinux as well.

i hear ya, just didnt know, what would/could happen to me if i spoke out on this topic, it seems anyone who voices their opinion in the ccmt thread has been getting deleted. i understand that the there is a good chance nothing shady is going on. but at the same time to completely hide anything about yourself or your company and form a new company just to stay "secret" raises some big flags. i would have to say the chances are greater of their being something fishy going on than not 60/40%? maybe lol.

but on your topic of a open source superuser i fully agree that is what we should all start doing, even if people are not skilled to contribute alot contribute little bits that you know, and help review code/audit it as well.
im on vacation right now but i plan on looking into the open source superuser when i get home.. this is obviously something I will do and im sure alot of others will do, but it sadly doesnt help the millions of users on SuperSU right now which is the scary part.. i just think without demanding info we will never get any, and this is SOMETHING we should definitely have more info on

 

[BeansTown106]

I've said it before; Anything can be sold to anybody and we shouldn't care. But when we specifically ask for who is/are the guys that take complete control of our devices over a night and they specifically go out of their way to not answer a simple question, it blatantly shows that they don't want to tell us something. It's so simple.

I'm all in for an opensource alternative and I will try to help as much as I can.

this. money talks and i dont have anything against chainfire selling supersu, but when the company is doing everything they can to hide themselves we have problems considering every android user post what android 4.0+ is using superSU minus a handful or two.

 

[Darth]

Personally, I'm hoping some of our awesome Dev's around here might pick up the challenge and create an alternative. If the community isn't happy with the present situation, well, xda is all about changing situations when it comes to our devices.

Time will tell where this all goes, but I definitely find lack of faith disturbing, and I have faith an alternative will come.

 

[relagent]

Let's hop on this. PM your github username if you want in.

https://github.com/FOSSUC

 

[pulser_g2]

i hear ya, just didnt know, what would/could happen to me if i spoke out on this topic, it seems anyone who voices their opinion in the ccmt thread has been getting deleted. i understand that the there is a good chance nothing shady is going on. but at the same time to completely hide anything about yourself or your company and form a new company just to stay "secret" raises some big flags. i would have to say the chances are greater of their being something fishy going on than not 60/40%? maybe lol.

but on your topic of a open source superuser i fully agree that is what we should all start doing, even if people are not skilled to contribute alot contribute little bits that you know, and help review code/audit it as well.
im on vacation right now but i plan on looking into the open source superuser when i get home.. this is obviously something I will do and im sure alot of others will do, but it sadly doesnt help the millions of users on SuperSU right now which is the scary part.. i just think without demanding info we will never get any, and this is SOMETHING we should definitely have more info on

I would rather stay neutral on the matter (as with most things), and since I'm not aware of the situation (don't spend as much time on here following the news as I used to), I don't feel in a position to discuss or speculate. I'd be tempted to mention Hanlon's Razor, but as I say I haven't followed things.

What I would say from a business perspective is that forming companies for new reasons isn't entirely unusual. In fact it can be a good idea. I would form a new company for any major new "product" - it's considerably easier to do that, than to attempt to transfer the rights to something between separate companies.

If you have any specific concerns about anything untoward, please do drop me a PM so I can look into it.

 

[Phil3759]

I would rather stay neutral on the matter (as with most things), and since I'm not aware of the situation (don't spend as much time on here following the news as I used to), I don't feel in a position to discuss or speculate. I'd be tempted to mention Hanlon's Razor, but as I say I haven't followed things.

What I would say from a business perspective is that forming companies for new reasons isn't entirely unusual. In fact it can be a good idea. I would form a new company for any major new "product" - it's considerably easier to do that, than to attempt to transfer the rights to something between separate companies.

If you have any specific concerns about anything untoward, please do drop me a PM so I can look into it.

It's not about who owns it, it is about why so much secrets, why no country of origin, why no privacy policy. There are no references despite they were claimed. Also, we all felt some frustration in Chainfire posts when CCMT released versions he is not aware of.

A superuser app must be from a completely trustful source. Even Chainfire mentioned that, if he wanted, he could exploit root to his will. He was honest and trustful.

We still have a good app, but no more a trustful source, that is the issue.

Until the situation is clarified, I feel legitimate that a site like xda officially warns about security concerns with the current app. It won't be fare else that kingroot was banned for the same reasons.

 

[relagent]

It's not about who owns it, it is about why so much secrets, why no country of origin, why no privacy policy. There are no references despite they were claimed. Also, we all felt some frustration in Chainfire posts when CCMT released versions he is not aware of.

A superuser app must be from a completely trustful source. Even Chainfire mentioned that, if he wanted, he could exploit root to his will. He was honest and trustful.

We still have a good app, but no more a trustful source, that is the issue.

Until the situation is clarified, I feel legitimate that a site like xda officially warns about security concerns with the current app. It won't be fare else that kingroot was banned for the same reasons.

Can you hit me up on Telegram? Telegram @nolanroell

 

[mycnam]

Looks like it's a company in Beijing, Chinese users are concerned too (link in Chinese).

As a matter of fact, I don't trust any software from such a company who tried so hard (but not successfully) to hide their identity, especially with root access.

Now Google Play is auto-updating to 2.78 and I have no way of keeping 2.76 unless I disable all auto-update... Shady business. Reverting to stock now.

I can't agree more about this. That may be why lots of SuperSU users become worried after this transaction.


As far as I know, Whois says SuperSU.com belongs to a company in Hangzhou, China. And as a Chinese, I see many local SuperSU users hurrying to rollback or uninstall SuperSU. If CCMT is really a company from my country, I deeply understand their anxiety, because that's something related to the whole Chinese software industry:

The most renowned Chinese companies, like Tencent(Wechat, QQ, etc), Baidu, Alibaba(Alipay, etc), Qihoo(360 security, etc), Kingsoft(CleanMaster apps, not that CM for CyanogenMod), run in same strategies, that is to make free, but heavily bundled, bloated, privacy-peeking apps. Some even require hundreds of permissions, run hundreds of services and/or activities, install bloated apps automatically, or open camera to take photos on background. And they will do another clean version for Play Store for foreigners. So you won't experience that disaster, but in China thanks to GFW we can't use Play Store, but to download apps from other unofficial sources.

If CCMT is really Chinese, they, however I must point out, seems not to do anything far-fetched in the new release. SuperSU seems as pure as it used to be. And I believe a new company can't afford the risk to do that thing worldwide right after it takes off.

If CCMT is not Chinese, or wherever it locates, there's still possibility that SuperSU may be used to do something we dislike. We can remain cautious for a period of time. But we also have to beware that this decision was carefully made by Chainfire, and CCMT was introduced by XDA leadership. None of them want to see things go wrong.

But, yeah, I want to know more about CCMT too. It's indeed weird to see such a invisible company buy SuperSU.

 

[fhfuih]

Looks like it's a company in Beijing, Chinese users are concerned too (link in Chinese).

As a matter of fact, I don't trust any software from such a company who tried so hard (but not successfully) to hide their identity, especially with root access.

Now Google Play is auto-updating to 2.78 and I have no way of keeping 2.76 unless I disable all auto-update... Shady business. Reverting to stock now.

I saw that thread this morning when I hang around v2ex. The company is indeed very shady.

I remember you should be able to disable auto-update in Play Store and you can still use
Chainfire's link

https://download.chainfire.eu/supersu-stable

To download 2.76 by now.

 

[tohtorin]

First I was against magisk because we have superior supersu systemless root. Now I'm glad that @topjohnwu did it.
Going to give a try for phh superuser and magisk. Byebye SuperSU Chinese malware!

 

[KennyG123]

this. money talks and i dont have anything against chainfire selling supersu, but when the company is doing everything they can to hide themselves we have problems considering every android user post what android 4.0+ is using superSU minus a handful or two.

Let me play Devil's Advocate for a second...rooting your phone and leaving it rooted is like leaving your doors not only unlocked but wide open. So say a hacker steals your identity...and you get a fancy lawyer that blames it on your device being rooted...and decides to sue (SU?) the creator of Supersu..or worse creates a class action suit for not making it with better firewalls to prevent this...there are no warnings posted when you root your phone. I am surprised Chainfire didn't spend everyday in court because of idiot lawyers. Here is a fine example of that stupidity. So why not protect yourself from that stupidity with a corporation? And make it a little difficult to find out who is behind it? Not saying I like not having an open presence on XDA...but maybe that is still coming. Let's hope and I understand everyone's concerns. I have faith in Chainfire that he would choose a buyer that would not sully his reputation or harm us, the users.

Now as @pulser_g2 stated this is a chance for the community to come together...all the great devs at XDA's disposal, to create an XDA homegrown root solution. This is just the sort of thing that can make XDA great again in this time of locked bootloaders and declining development. So...let's make it happen! :highfive::good: