Can custom ROM sniff passwords?

[Inquizzitive]

Hello,

So I have decided to upgrade my Galaxy S4 I9505 which currently has 4.3 OS version to 5.01 which is compatible but not available from official sources.

I have downloaded custom ROM from sammobile site (which redirected me to download site)

Now I am thinking, for example, when Gmail app transfers password data, all data goes through OS HTTP/TCP/IP stack. Which means if somebody installs a hook into custom ROM, they can sniff the passwords you send over the net.

Is it possible? How to make sure this does not happen?

 

[psionandy]

Theoretically its possible...
... if you need to be 100% sure, then you would need to to have some way of confirming your trust in the publisher.. and all the components they are using.

Although to be fair, the same could be said about stock Roms from Samsung, apple, ZTE, Sony, oneplus, Huawei etc...

 

[Inquizzitive]

Theoretically its possible...

I wonder how gmail app sends credentials. If it encrypts them inside app itself it should be fine (I trust the app because it comes from google playstore), but if it relies on some OS services, then data can be sent to third party before encryption.

 

[psionandy]

Well... That would assume that a compromised os is allowing the app to do its work as the author of the app intended.


And isn't looking in memory spaces, key logging, snooping, or being dishonest in any way.....

 

[Inquizzitive]

So, is there any way to verify ROM? For example, I downloaded zip file with the name I9505XXUHOJ3_I9505VAUHOJ1_VAU from sammobile. Can I find that somebody used this ROM and it was fine? Maybe that core components haven't been tampered with?

 

[El Presidente]

That's not a custom ROM, if you've got that from Sammobile and it wants you to flash it via Odin, that's an official firmware from Samsung.

Fwiw, I generally think there's less chance of a developer taking your info than the manufacturer of your phone. A few years back there was controversy with an app hidden on most devices called Carrier IQ. It was diagnostic software but it tracked and recorded pretty much everything you did on your device and was put on there by your network/manufacturer. It's was 3rd party Devs who discovered it and most removed it from their ROMs.

 

[psionandy]

And just to reassure People... The Risk in general isnt high...

... It's just that you started with is this possible?

And not should I be worried about?

 

[lunatic59]

OnePlus just got caught collecting telemetry on their phones/users and quickly claimed it was for diagnostic purposes only. I agree that this is much more likely from a manufacturer or carrier than a rom developer.

As for I9505XXUHOJ3_I9505VAUHOJ1_VAU, that rom looks like it's for the S5 sold through Vodaphone in Australia. If that's not your carrier or region, flashing that rom might cause some problems for you.

 

[Inquizzitive]

OnePlus just got caught collecting telemetry on their phones/users and quickly claimed it was for diagnostic purposes only. I agree that this is much more likely from a manufacturer or carrier than a rom developer.

As for I9505XXUHOJ3_I9505VAUHOJ1_VAU, that rom looks like it's for the S5 sold through Vodaphone in Australia. If that's not your carrier or region, flashing that rom might cause some problems for you.

Well, consequences might be quite different. Carrier or manufacturer would hardly steal your credentials to impersonate themselves as yourself and steal your money from bank account )

It's ok, the phone comes from Australia, that's why I chose this particular ROM. I wonder what makes it valid ROM? Couldn't someone just package his custom ROM with OS hooks under the same name? How it can be verified?

PS: There is some md5 checksum that Odin mentioned during flashing, does it have a database of valid checksums?

 

[lunatic59]

The checksum only checks the integrity of the file structure, not a way to verify the package's provenance.

You have to trust the source or take a chance. Sammobile, as @El Presidente pointed out only distributes stock firmware, so you can be pretty sure what you get would be the same as what you'd get from Samsung. Honestly, any rom that packaged malware to steal owner's information would be discovered pretty quickly and the development community isn't shy about making it VERY public.

I think you've seen one to many infomercials from identity protection companies.

 

[Inquizzitive]

I think you've seen one to many infomercials from identity protection companies.

Nah, I'm just paranoid )

 

[lunatic59]

You're only paranoid if the whole world isn't out to get you.

 

[mikedt]

Well, consequences might be quite different. Carrier or manufacturer would hardly steal your credentials to impersonate themselves as yourself and steal your money from bank account )
It's ok, the phone comes from Australia, that's why I chose this particular ROM. I wonder what makes it valid ROM? Couldn't someone just package his custom ROM with OS hooks under the same name? How it can be verified?

FYI Samsung ROMs actually come from South Korea. Or for OnePlus their ROMs come from China, and suspect their 'diagnostic purposes' was actually user data mining, for aggregation and sale to third-party advertisers.
One can't always trust corporations to be totally honest with their firmware, e.g. VW emissions scandal.

 

[Inquizzitive]

One can't always trust corporations to be totally honest with their firmware, e.g. VW emissions scandal.

First things first, let me deal with freelance hackers, I'll worry about evil corporations later )

 

[bcrichster]

Custom ROMs are open source, so you have the right and ability to examine the code yourself