We often rely on our devices’ operating systems to keep us safe from malicious apps and people, but what if the operating system itself gets compromised behind people’s backs? That’s the almost nightmarish possibility that may come to mind whenever people think of security breaches that could happen, or have already happened, at places like Microsoft, Apple, or Google. That nightmare almost became reality for the developers of one of the most popular Android community ROMs but, thanks to a more agile and open team, LineageOS lived to see another day.
Those new to Android might not be that familiar with LineageOS, but while the name is new, the spirit and people behind it are not. Its lineage goes back to CyanogenMod, which is probably the most popular third-party, community-developed Android ROM the ecosystem has seen. That ROM community has dwindled a bit in the past years, but it still exists and remains a haven for those who want to escape the grasp of commercial Android makers.
Unfortunately, those communities can also be a target of people with less innocent objectives. LineageOS reported that an attacker used two vulnerabilities in the Salt server software it uses to gain access to its server. Fast action allowed LineageOS developers to take down the servers once the incident was detected. It probably also helps that the affected servers weren’t running anything critical to the continued use of phones running the ROM.
The developers assure their users that nothing was compromised in terms of the ROM’s source code, its build system, and the cryptographic keys used to verify the integrity of those bits. Being an open source project, it may be possible for others to audit LineageOS’ code and servers to verify that.
Some might take the incident as proof that a small community of volunteers doesn’t stand a chance against a more serious hacking attempt. To some extent, that may be true if one considers only human resources. It is, however, equally probable that giant corporations regularly get hacked but, because of their closed nature, we just don’t hear about it and simply trust them on their word rather than on code we could verify.