Security of MIUI Rom

[apxbx]

I was looking at the Circle Icon mod and I noticed the developer had this comment about MIUI:

Sure. Since MIUI is a closed source project, it is impossible for anyone outside the project to review the code, validate its practices and so on. As such, one could argue that MIUI has no business being even represented on XDA at all, but that's another story...

Furthermore MIUI includes its own kernel, and _thalamus discovered that if you flash any other kernel, the system simply stops logging any system activity - the log buffers remain empty. What this means is essentially, "You don't get to see what I'm doing unless I'm able to control what to show you..."

What could it be doing? Well, painting the doomsday scenario, with full control of a rooted phone, it could do anything. Do you have Google Checkout? Paypal? Have you ever you used online banking from your phone or entered your credit card anywhere? Or your social security number? It could theoretically forward all your account info, your messages and pictures to a third party, sell it off to identity thieves, hackers, blackmailers or whatever. It could Tweet that you love Celine Dion, sms your girlfriend that you still love your ex and post your home made nudie pics on facebook.

Or, it could be doing absolutely nothing at all

I don't know and I have no way of finding out... I do know that I would be very reluctant to feed all my accounts into an closed system that actively resists any outside auditing. I'm old fashioned that way.

Original post here

Is there cause for concern? Could any rom devs elaborate perhaps?

 

[ringer13]

it seems everyone in that thread has ignored the post...i wonder why?
this sort of scares me....

i am having second thoughts about miui now, luckily i dont have any sensitive accounts set up on my phone, and definitely will not in the future if i even continue with miui

 

[narrowpath]

Im very interrested to hear more about this.

Sent from my PC36100 using the miui-dev.com Forums App

 

[Augoza]

What the hell

Sent from my PC36100 using the miui-dev.com Forums App

 

[r47z]

I am able to use MIUI w/other kernels and obtain logcat... hmmm

Sent from my HTC Desire using the miui-dev.com Forums App

 

[trout]

Probably the original poster is talking about the froyo build. In those releases you needed to replace liblog.so with a compatible version. I used to take this module from cyanogenmod 6 and had no problems with kernel logging.

If you are truly worried about security in MIUI you can use tools to capture network traffic on the phone. "Shark for root" is an excellent app for this.

 

[narrowpath]

it would be interesting to see what would result from a test on this

 

[Augoza]

Probably the original poster is talking about the froyo build. In those releases you needed to replace liblog.so with a compatible version. I used to take this module from cyanogenmod 6 and had no problems with kernel logging.

If you are truly worried about security in MIUI you can use tools to capture network traffic on the phone. "Shark for root" is an excellent app for this.

Thanks for the advice!!

Sent from my PC36100 using the miui-dev.com Forums App

 

[ZeD]

it would be interesting to see what would result from a test on this

Its been checked some time ago, and nothing is wrong with Miui.

Sent from my HTC Desire using Tapatalk

 

[verboze]

Scary in deed, and it did cross my mind a few times as well. I've always been wary of storing / using sensitive data on phones anyways. They easily get lost; I would feel the same or worse about losing a phone that stored sensitive information as losing my wallet. Thanks for the bit of reassurance, trout. Does anyone know if MIUI ever plans to open-source their code? I can understand keeping the source closed until they iron out the base functionality, but I am truly hoping MIUI is not staying closed-source forever. Security concerns aside, I think this type of product gets better when a larger pool of developers weigh in they tweaks/fixes, and the system as a whole becomes more stable. This would also allow for porting to a greater range of devices...

 

[Haran]

Its been checked some time ago, and nothing is wrong with Miui.

Sent from my HTC Desire using Tapatalk

Who checked? can you link please?

I personally open this thread about a non exclusive miui "issue" i dont know if it ' s really an issue but i would like to know more if anyone know

however open the source is the best way to have a trusted software

 

[ZeD]

Who checked? can you link please?

I personally open this thread about a non exclusive miui "issue" i dont know if it ' s really an issue but i would like to know more if anyone know

however open the source is the best way to have a trusted software

I can't provide a link cause this was a long time ago, when MIUI was rather new. I know that Mark wrote something about this here at Miui-Dev, search and you will find.

Sent from my HTC Desire using Tapatalk

 

[Haran]

I can't provide a link cause this was a long time ago, when MIUI was rather new. I know that Mark wrote something about this here at Miui-Dev, search and you will find.

Sent from my HTC Desire using Tapatalk

Ah yes, i read that thread month ago.
Mark have all my respect for his incredible work but i dont know if an early version rom tcp dump is enough.

Btw i think that the biggest problem is the total absence of communication between chinese devs and no chinese users/devs, the language is a big issue. If we can directly ask to them (why closed source ecc) maybe they will have no problem to answer us.
I personally dont know even why they start to make this rom and which are they goals

 

[r47z]

The Chinese are THE Chinese. They did it for themselves. Read up about China and you know what I'm talking about.

Sent from my HTC Desire

 

[Scottndville]

I personally think they are developing roms for training.they want to develop a product that can eventually be sold to manufacturers. Like whoever came up with sense for htc. Just my opinion, but in my opinion my opinion is a pretty good opinion. Just saying.

 

[Haran]

The Chinese are THE Chinese. They did it for themselves. Read up about China and you know what I'm talking about.

I know that they develop for themselves and they are not interested to deploy world wide but i dont understand what do you mean with "Read up about China and you know what I'm talking about. " chinese like other people have pros and cons but i think they are great people that work hard and have and incredible desire to demonstrate what they are able to, these are remarkable points.

I personally think they are developing roms for training.they want to develop a product that can eventually be sold to manufacturers. Like whoever came up with sense for htc. Just my opinion, but in my opinion my opinion is a pretty good opinion. Just saying.

Probably they start to training and learn and although i will be very happy to see this rom on official devices, i dont know if this will be possible, the rom breaks alot of patents (first of all the launcher)

 

[EndlessDissent]

Who checked? can you link please?

I personally open this thread about a non exclusive miui "issue" i dont know if it ' s really an issue but i would like to know more if anyone know

however open the source is the best way to have a trusted software

Do you have Chrome to Phone installed? Read this thread on XDA: http://goo.gl/Y7LS6

 

[stiffspliff]

The Chinese are THE Chinese. They did it for themselves. Read up about China and you know what I'm talking about.

Sent from my HTC Desire

wtf does this even mean?

Sense is closed source from the taiwanese! read up on the taiwanese, they are shady!
Touchwiz is closed source from the koreans! read up on the koreans, they are shady!
Motoblur is closed source from the americans! read up on the americans, they are shady!

I've lived in China myself and had nothing but good experiences with the people there. Nobody tried to take my phone from my pocket and steal my precious information.

 

[r47z]

wtf does this even mean?

Sense is closed source from the taiwanese! read up on the taiwanese, they are shady!
Touchwiz is closed source from the koreans! read up on the koreans, they are shady!
Motoblur is closed source from the americans! read up on the americans, they are shady!

I know that they develop for themselves and they are not interested to deploy world wide but i dont understand what do you mean with "Read up about China and you know what I'm talking about. " chinese like other people have pros and cons but i think they are great people that work hard and have and incredible desire to demonstrate what they are able to, these are remarkable points.



Probably they start to training and learn and although i will be very happy to see this rom on official devices, i dont know if this will be possible, the rom breaks alot of patents (first of all the launcher)

Probably speaking from another point of view. Ignore what I just said.

 

[Haran]

Do you have Chrome to Phone installed? Read this thread on XDA: http://goo.gl/Y7LS6

That thread jump to wrong conclusions, if you read my thread you will see that is not chrome to phone.

btw thnks for your interest

 

[Haran]

Probably speaking from another point of view. Ignore what I just said.

honestly I did not understand what you meant on that thread

 

[jladronka]

I can confirm this was spoken to back when the MIUI translation was just starting out. As far as a link, I have no clue, but I'm sure it was on XDA. This was, if I remember correctly, right before miui-dev.com started being used to the extent it is.

There was a full traffic analysis done of the ROM over a few days, if I remember correctly, and nothing sketchy was every found, nor was anything found that could be "construed" as much.

The fact of the matter is that ANY rom dev out there could include holes in their rom to capture information if they wanted to. Don't hate because this is a China product. That's downright crude.

They have closed source because the rom is not out of beta. They have closed source because they can. There is no communication because, as far as I know, they don't formally support anything out of China. What Mark has done has been on his own initiative and his own desire.

But, really, believe me. If someone wants to steal your information and identity, they're going to do it no matter what you do.

 

[Haran]

I can confirm this was spoken to back when the MIUI translation was just starting out. As far as a link, I have no clue, but I'm sure it was on XDA. This was, if I remember correctly, right before miui-dev.com started being used to the extent it is.

There was a full traffic analysis done of the ROM over a few days, if I remember correctly, and nothing sketchy was every found, nor was anything found that could be "construed" as much.

The fact of the matter is that ANY rom dev out there could include holes in their rom to capture information if they wanted to. Don't hate because this is a China product. That's downright crude.

i agree with you and personally but i think i m speaking for al the users, none hate and especially none hate because this is china product.

You are right when you talk about any roms can steal info, but most of other roms are opensourced and this is a big deterrent dont you think?

They have closed source because the rom is not out of beta. They have closed source because they can. There is no communication because, as far as I know, they don't formally support anything out of China. What Mark has done has been on his own initiative and his own desire.

You are sying that after beta they will release the code?

I will never stop to thanks miui developers and mark for their hard work

But, really, believe me. If someone wants to steal your information and identity, they're going to do it no matter what you do.

Yes but this is another story

 

[stiffspliff]

i agree with you and personally but i think i m speaking for al the users, none hate and especially none hate because this is china product.

You are right when you talk about any roms can steal info, but most of other roms are opensourced and this is a big deterrent dont you think?

can you tell me which rom besides cyanogen's is open sourced?
SENSE TOUCHWIZ MOTOBLUR are all closed source

 

[Bruce]

You are right when you talk about any roms can steal info, but most of other roms are opensourced and this is a big deterrent dont you think?

I don't know how to evaluate code to see if it is malicious. I don't know how to build my own ROM from source code and then compare that with the build that the open source ROM maker released. I don't even know how to build a ROM from source code.

The point is that, when I download a ROM I have to have trust in any developer, open source or not. Open source allows more people to have the ability to catch the developer when they do malicious things, but I'm not one of those people. Even with open source, I still have to have trust that people in the community are looking over the developer's shoulder, making sure things are OK.

Another point - I suggest that many of the tools that are used to find malicious activity by a ROM or in an app will work if the ROM or app is open source or not.

I think open source is a great idea for many reasons. For one thing, it speeds up the pace of innovation. For another it can speed the pace of finding and fixing unintentional problems. I do not think open source will keep people from deliberately doing malicious things with computer software. I do not think MIUI developers are deliberately doing malicious things.