Database Users

Researcher To Release Web-Based Android Attack

I hope we get 2.2
http://it.slashdot.org/story/10/11/05/0229205/Researcher-To-Release-Web-Based-Android-Attack
"The attack targets the browser in older, Android 2.1-and-earlier versions of the phones."

http://forums.t-mobile.com/t5/Samsung-Vibrant/Security-vulnerability-in-2-1/td-p/535335
And the thread appears to have already been locked.
EDIT: My bad, the link icon isn't a lock icon.

What an ass. So he figures out something and now hes going to release it?
So is his intensions to piss people off or force Googles hands to fix it?

kizer said:
What an ass. So he figures out something and now hes going to release it?
So is his intensions to piss people off or force Googles hands to fix it?
Click to expand...
Click to collapse
I think its the latter. That, or to light a fire under the OEMs & network operators to get 2.2 out to more devices. Just my $0.02...
Sent from my SGH-T959 using XDA App

The current OEM vendor/carrier model is one of the worst parts of Android. Google attempted to break this model via the Nexus One. Hopefully it does light a fire to improve the security model for these phones.
Google may be forced to rein in some of the rampant variances to secure the platform via enforcing a minimum level of compliance to security updates or else revoke a phone makers ability to use the Android trademark.
The problem has already been fixed with 2.2, so the onus is on the OEMs to get their act together.

Some things make me want to respect this guy, then again it affects me since we have yet to recieve 2.2. But yes I believe all android phones should be running current software.

I wonder if you need to be rooted in order to fall the vicitm, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using linux based OS to develop on

lqaddict said:
I wonder if you need to be rooted in order to fall the vicitm, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using linux based OS to develop on
Click to expand...
Click to collapse
Youre right! Maybe he works for T-mobile and is secretely making all our phones go back to stock and unrootable. Which in turns means they will never release 2.2 hahaha. <- By the way do not take this as actual fact I know how the paranaoid are here on the forums lol

lqaddict said:
I wonder if you need to be rooted in order to fall the vicitm, unless you can push superuser.apk via the exploit and run it.
Have to give him props for trying, and like seeing that he is using linux based OS to develop on
Click to expand...
Click to collapse
No, this a generic exploit within WebKit. The actual exploit itself doesn't have superuser access, it can only access what the web browser is able to access. It can't make phone calls or generate SMS messages, but it can access files like photos and whatever else is available to non-rooted apps.

I don't know why you guys think this guy is a douche. This is how it always worked. When people find security vulnerbilities, they tell the company, but the company usually doesn't move it up to the top of the list to fix. So they mention the type of security flaw there is, sends the information to the company, and sometimes even mention it at conferences. After publicly announcing it, they give the company time to fix it, otherwise it's the company's fault for not getting their ass in gear to fix the security issue.

DKYang said:
I don't know why you guys think this guy is a douche. This is how it always worked. When people find security vulnerbilities, they tell the company, but the company usually doesn't move it up to the top of the list to fix. So they mention the type of security flaw there is, sends the information to the company, and sometimes even mention it at conferences. After publicly announcing it, they give the company time to fix it, otherwise it's the company's fault for not getting their ass in gear to fix the security issue.
Click to expand...
Click to collapse
I do no see how he is a douche.
Ignoring the issue does not make it disappear, and he clearly has done his work to make the issue public in hopes it gets addressed.
Releasing a code with a security hole that you have to use something to circumvent the security of the device to fix is douche (apple vs jailbreakme.com anyone)

kizer said:
What an ass. So he figures out something and now hes going to release it?
So is his intensions to piss people off or force Googles hands to fix it?
Click to expand...
Click to collapse
I was paranoid by this too. My Vibrant will shackled from having sex with the web until it gets 2.2 Maybe that researcher wants them to release Froyo soon so use this to leverage against them to release ASAP?

I don't think he's a douche. I honestly want to believe that google would push carriers to be on the same OS. Just the fact that not all android phones can handle the 2.2 OS - And so people stuck with those phones and would be affected by this flaw is pretty crappy. But I really hope this makes carriers want their phones updated and running the latest and greatest. Only time will tell.

CopperheadOS

Has anyone else seen this yet? It's a supposed secure OS for nexus devices. https://copperhead.co/android/downloads If anyone checks it out, let us know how it goes.

Wow I never seen this.:laugh:

Looks interesting, Im gonna check it further. Probably a AOSP based with some patches, fdroid, and some anti-gapps apps?

Most definitely curious as to how this runs....they want you to relock the bootloader though...????????????

Runs really nice. But there is no open source support for my android wear watch which I need.

No thank you. I would rather trust google and NSA, instead of some no name offshore company.
Sent from my Nexus 6P using XDA Labs

suhridkhan said:
No thank you. I would rather trust google and NSA, instead of some no name offshore company.
Sent from my Nexus 6P using XDA Labs
Click to expand...
Click to collapse
Toronto is off-shore?

Lol
Sent from my Nexus 6P using XDA-Developers mobile app

Locking the bootloader is good for your security.
Sent from a 128th Legion Stormtrooper 6P

toronto is offshore? do you think they live in igloos still aswell?
also this is just aosp with google signatures,
i tested for fun, boot animation is crap,
some lag going n settings,
no playstore access, no gapps at all from what i saw,
secure unsure, i dont know enough to rip apart the source and see if any holes from the company,

I was intrigued by Copperhead since reading about the Unaphone, another Google free operating system. Unlike Unaphone, whom's developers were providing it only for their proprietary hardware, when I saw CopperheadOS I knew I was going to try it for sure!
Previously running Resurrection, my phone already had an unlocked bootloader. Even if it hadn't, flashing Copperhead using the developer's instructions is very easy.
First impressions were good. The phone was noticeably more responsive, lacking google services normally running, and stable since the OS itself is based on stock which was considerably more stable than other roms I've tried. All the features you would expect from 6.0.1 are present and working. What is not preset however is the Google Play store or services! I didn't appreciate the implications of not having google services before actually trying to use a phone without them. Although it is possible to sideload gapps, one would rather negate the point of this ROM.
Poking around the settings the first thing I noticed were granular security settings with detailed descriptions. There is also a nice security versus performance slider for the layman. The idea of preventing exploits using the techniques in this rom is my main reason for using it.
After an evening of use, the vast majority of closed-source-paid apps I was able to replace with open-source alternatives. There are a few exceptions I am still trying to figure out, but overall, I think if you are willing to cut the google-cloud-services cord its worth a try. If you really must, most apk's for closed apps can be found and installed but these decisions should probably be weighed carefully.
I never realized my reliance on google and closed apps until I tried to use an OS that doesn't rely on them. Trying this rom is a good exercise in living off the google grid; or at the least driving the use of google services back into the browser.
At the end of the day this rom has its place for the privacy and security minded enthusiast, but for the average user, sticking to something with google services is probably more realistic.

longview41 said:
Toronto is off-shore?
Click to expand...
Click to collapse
pacman photog said:
toronto is offshore? do you think they live in igloos still aswell?
Click to expand...
Click to collapse
The 'offshore' part was simply a figure of speech.
What I mean is that if you don't trust google with your data, you have more reason not to trust an unknown company.
At least google is transparent about my data, and gives me control of how much I want to share with them. https://myactivity.google.com/myactivity

Installed it yesterday on a Nexus 5x and so far it runs great. It indeed seems really security orientated with no default root or GApps. Didn't try to activate xposed (which I hope will work) or related stuff yet but so far I intend to keep it.

Copperhead is trusted. They will be working with Guardian Project and Fdroid to build a complete system. Read this post for more info: https://copperhead.co/blog/2016/03/29/crowdfunding-partnership-announced
mg.degroot said:
Installed it yesterday on a Nexus 5x and so far it runs great. It indeed seems really security orientated with no default root or GApps. Didn't try to activate xposed (which I hope will work) or related stuff yet but so far I intend to keep it.
Click to expand...
Click to collapse
Please let us know if you're able to root, install xposed and still relock the bootloader.

mg.degroot said:
Installed it yesterday on a Nexus 5x and so far it runs great. It indeed seems really security orientated with no default root or GApps. Didn't try to activate xposed (which I hope will work) or related stuff yet but so far I intend to keep it.
Click to expand...
Click to collapse
Could you please share some screenshots... Would like to try the OS... But would like to see how it is ...
Also do you see the sRGB mode in developer options... Without it the colors on the Nexus 6P are inaccurate at best...

Stop asking about features or customisation options, this rom has none. Its about security, not features

kbBT4A5e said:
I was intrigued by Copperhead since reading about ...
After an evening of use, the vast majority of closed-source-paid apps I was able to replace with open-source alternatives. There are a few exceptions I am still trying to figure out, but overall, I think if you are willing to cut the google-cloud-services cord its worth a try. If you really must, most apk's for closed apps can be found and installed but these decisions should probably be weighed carefully.
I never realized my reliance on google and closed apps until I tried to use an OS that doesn't rely on them. Trying this rom is a good exercise in living off the google grid; or at the least driving the use of google services back into the browser.
At the end of the day this rom has its place for the privacy and security minded enthusiast, but for the average user, sticking to something with google services is probably more realistic.
Click to expand...
Click to collapse
Thanks for sharing your experience. So we have decide if security is really more important than our investment and dependency in the Google ecosystem. I depend on G too much. My email is like my passport or online identification. I dont sideload unknown or unverified apps, dont visit links i dont know about, etc. Yes, i can still be remotely exploited, but i am not a gov official or some sort of millionaire with top secret info on my phone, as most of us. You saved me couple of hours of my day

A little update since I've been running this for about 2 weeks. I sideloaded gapps and the phone has been running fine, but found out today while trying to install the latest OTA update from copperhead it fails to install due to inconsistencies detected in the system partition since I installed gapps; from a security standpoint this feature is great. Unfortunately I can't function without gapps. In order to get the latest security updates, which is probably more important than the security features cooked into copperhead, I must: reflash the device with the latest full image, install twrp, sideload gapps, restore the copperhead recovery, then reinstall all my apps.
This being the case to get OTA updates, unless you can really commit to opensource with no gapps its not really worth the hassle.
Using it for an extended period I did notice the device was a bit slow even on medium security settings. Originally I had it maxed right out, but it wasn't usable. On medium it was a small price to pay for security but its hard to quantify the value.
I think its time to return to an AOSP rom for me.

I'm running it currently runs great but I can't figure out how to fix the dreaded APN issues :\ Tried almost every fix on XDA haven't gotten Any dev help either :\ other than the lack of data its a great ROM. Apparently I'm not alone judging by the other post on XDA about this. Apparently this is a known issue with no real fix. Sucks since its the only reason I got this phone

Hi guys add me also 09945673600

Qualcomm bug in Nexus 6 found by Checkpoint

According to the BBC, "Serious security flaws that could give attackers complete access to a phone's data have been found in software used on tens of millions of Android devices." This includes the Nexus 6.
Full story here: http://www.bbc.co.uk/news/technology-37005226
App from Check Point for testing whether your device is susceptible: https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter

I never worry for two reasons,
1) I watch what I download and install, trusted vendors and sources only
2) It is a Nexus device it will be patched

Don't worry, yesterday it was stagefright, now it's something else.
With Nexus we will be close to a patch

http://thetechportal.com/2016/08/08/new-android-vulnerability-quadrooter/
This one took six months of reverse engineering qual comm code to find. And that is only to outline theoretical avenue for attack...real exploit can be more challenging.
It is ranked as "high risk"...Not even the highest category (critical is highest). There are many high and critical vulnerabilities patched every month. I think the only thing unique about this one is press coverage drummed up by checkpoint to celebrate their finding and make themselves look more notable

http://www.recode.net/2016/8/8/12403088/android-security-mess-quadrooter
http://www.recode.net/2016/8/8/12403088/android-security-mess-quadrooter
"Google, meanwhile, says three of the four flaws tied to Quadrooter were patched in an August security update while the fourth is set to be fixed soon. "

electricpete1 said:
"Google, meanwhile, says three of the four flaws tied to Quadrooter were patched in an August security update while the fourth is set to be fixed soon. "
Click to expand...
Click to collapse
Hmmmm. I'm running MOB30W (dated 5th August), and the Checkpoint app claims that I'm vulnerable to 3 of the vulnerabilities, so either Google or Checkpoint have got something wrong...

Philip said:
Hmmmm. I'm running MOB30W (dated 5th August), and the Checkpoint app claims that I'm vulnerable to 3 of the vulnerabilities, so either Google or Checkpoint have got something wrong...
Click to expand...
Click to collapse
It needs stock kernel, because it's a kernel driver bug. I'm using my own build but with the stock kernel, and it says only one vulnerability left.

btw.. 3 of the 4 are already patched.

If you are on the August update only one of the four is still an issue. And Franco just rolled the commit in for the fourth one in his update today if yoy are using his kernel.
But as mentioned, just be careful what tou install and it is a non issue. And remember its a report of a flaw, not a report of it being used in the wild. Big difference.

The Checkpoint app is questionable I think. Lots of false positives being reported on the web.

Really guys this is nothing more then more fear mongering. As long as android offered open source code you will always find holes like this. Most are nothing to even worry about. Just like the stagefright issue. Dont sweat it.

Note that THREE of the FOUR bugs are within the closed source GPU (Adreno) drivers.
So this is a very strong argument in favor of getting this crap swapped out in favor of freedreno.

And I've applied the CAF patch to the kernel. Great, but the app still lists it as a vulnerability. So since the fix looks valid, then the app must give a false positive.

zelendel said:
Really guys this is nothing more then more fear mongering. As long as android offered open source code you will always find holes like this. Most are nothing to even worry about. Just like the stagefright issue. Dont sweat it.
Click to expand...
Click to collapse
finally a voice of reason!
thanks man, couldn't agree more. Unfortunately 95% of the people that come here don't get it..

zelendel said:
Really guys this is nothing more then more fear mongering. As long as android offered open source code you will always find holes like this. Most are nothing to even worry about. Just like the stagefright issue. Dont sweat it.
Click to expand...
Click to collapse
100% agree. Exploits usually need to be customized for different makes, models, and Android operating system versions in order for compromise to occur, really, really difficult to own an entire ecosystem.

Every year it's something new, first stagefright, now Qualcomm bug, nothing comes of it and it's packed withing a month or two, it makes you wonder why they even bother reporting on it.

did the scan and my nexus 6 is ok running the dev 5 android 7 rom

Former Cyanogen developer - "if you have a CyanogenOS phone and can disable updates o

Former Cyanogen developer - "if you have a CyanogenOS phone and can disable updates o
https://www.reddit.com/r/oneplus/comments/5k8ppv/former_cyanogen_developer_if_you_have_a/
TL;DR provided by /u/Nickers77
CyanogenOS team was mostly fired, rest quit.
Core developers are gone, don't download any updates.
Reason for this change is so they can monetize android OS, presumably by selling consumers to adware companies.
They can push system-level packages to your phones undetected and with no way to stop.
Google now competitor, but since it doesn't have access to Google calendars and searches like the entire of the Google system, will rummage through your data to find relevant info.
Click to expand...
Click to collapse

How can you do this on a stock device?

Go go Settings ==> Apps ==> Show System (behind the 3 dots on Top right) ==> open "Systemupdates" ==> check "disable"
Info is from the Reddit article from the first post...I don't know if this is enough, but I did this on my Oneplus One.

Boy that went downwards real quick. First the death of CyanogenOS, then the death of CyanogenMod, now this. Guess Cyanogen Inc won't be around for too long.

GXGOW said:
Boy that went downwards real quick. First the death of CyanogenOS, then the death of CyanogenMod, now this. Guess Cyanogen Inc won't be around for too long.
Click to expand...
Click to collapse
It was foolish trying to make profit from CyanogenMOD ...when COS was created I was why? why? ...at least now this is dead so it's LineageOS or roms based on that which is cool
I hate this corporate D, who tried to make profit from open source code

evronetwork said:
It was foolish trying to make profit from CyanogenMOD ...when COS was created I was why? why? ...at least now this is dead so it's LineageOS or roms based on that which is cool
I hate this corporate D, who tried to make profit from open source code
Click to expand...
Click to collapse
Well putting an asshole like McMaster in the CEO position wasn't one of their smartest moves either. The whole company was just one downward spiral. It's a shame, but that's how things went, unfortunately. Let's hope LineageOS will take of as the worthy CM-successor. Hopefully no-one will have the bright of starting something like Lineage Inc.

GXGOW said:
Well putting an asshole like McMaster in the CEO position wasn't one of their smartest moves either. The whole company was just one downward spiral. It's a shame, but that's how things went, unfortunately. Let's hope LineageOS will take of as the worthy CM-successor. Hopefully no-one will have the bright of starting something like Lineage Inc.
Click to expand...
Click to collapse
Well LineageOS inc would be terrible as a name, heck I find the name bad but as long as it's open source and similar to CyanogenMOD I'm fine
Just wish they would try to reduce it's size, ~400MB for a custom rom? that's terrible

I'm baffled that everyone is surprise with this....any manufacturers or devs can push system-levels packages into their rom without user ever noticing it whether in full roms or via OTA updates....
remember this articles http://www.kryptowire.com/adups_security_analysis.html ??? it is the same thing happening on COS and no one notice it until Kryptowire discovered it last month....

I worked at Cyanogen.
They fired the OS team at the end of July. Of the rest, half were gone by the end of November, and the only people who weren't looking for another job were upper management.
They shut down the Seattle office at the start of December. They're selling off all the equipment there (except the large televisions we used for all hands meetings for some reason). That leaves a very small subset of the developers.
They have nobody who knows how to create a new android build. They have nobody who knows how to upload a build to aerios (the OTA system). They have nobody who has write access to aerios (though they could log into cassandra and add someone manually -- hell, that's what I had to do). They have nobody who can authorize a build to go out to end users. I think they have just barely enough technical knowledge to shut off our AWS services (but I can't be sure about that -- we enabled termination protection for some instances, and that might trip them up). They could potentially hire contractors for QA, though.
Given what level of access they have and the things they were discussing when I left, if you have a CyanogenOS phone and can disable updates on it, do so.
Click to expand...
Click to collapse
Taken from Reddit

Vuneralable software should be removed from xda

Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...

Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
What's the vulnerability?

Plain and simple the software needs removed.. doesn't that apply to the devs policy's which they agreed to here on xda not to publish anything which may be a threat to someone... So you know what should of happened is the devs should of removed the software right away. That never happened so I've lost all faith in theses devs and publishers of official software threads...

I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened

sliding_billy said:
I ignore all posts where the word "of" is used instead of the correct "have" or at least the contraction ending in 've that sounds like of.
...should of happened
Click to expand...
Click to collapse
I ignore all posts that don't make sense like the OP's and this thread.

Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
First, there are no Oreo roms. Secondly, the devs who support our phones for free owe you nothing. Lastly, you need more than 12 posts to be taken seriously about anything around here. And, you can never post enough to attain the right to throw around accusations about the devs who, again, support our phone for free.

Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
Tell us how you really feel!

Windows people ?
Sent from my Pixel using XDA-Developers Legacy app

Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
If this is the case all root and bootloader exploits need removing also.
Any bootloader exploits or method of rooting without and unlocked bootloader is a SIGNIFICANTLY large security risk.
Sent from my Pixel using Tapatalk

Are we going to remove ALL the old ROMs from XDA? SHEESH.

In before the lock.

One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.

Pixelxluser said:
One thing I've found out over the years with hacking Android you eventually get tired of doing just hacking so you move onto security... Well that's the case with me anyways. Getting rid of vuneralable software is actually a good thing...
There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.
Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.
Click to expand...
Click to collapse
Nobody hacks individual phones. They hack companies and clouds.

****! Hey, can y'all hold it for just a moment? Need to run to the store real quick. I'm out of popcorn.
Seriously, though, just simply rooting your phone is a security risk. Also, from what i've seen, the majority of ROM users are smart about what they download. It's the general public that downloads mischevious apps that spread viruses. And as someone else mentioned, the malware and viruses don't target one person's phone. They are free floating and latch onto whatever moron downloads it. Your phone is not exactly the best place to download all your porn
But seriously, there are exploits with every security patch...it's the reason we get them every month, lol. Android is great and I love it but the OS itself is full of holes that malware developers consistently take advantage of.

Couldnt say this better myself..
Security is engineered into everything we do
Our goal is to make Android the safest computing platform in the world. That's why we invest in technologies and services that strengthen the security of devices, applications, and the global ecosystem.
It's also one reason Android is open source. Being open allows us to tap into a global network of security talent full of innovative ideas that help make Android safer every day. Security experts around the world can review our code, develop and deploy new security technology, and contribute to Android’s protections.
As the Android ecosystem evolves, we continue to invest in leading-edge security ideas. And we want to share our knowledge openly with you. Explore below to learn about the latest technologies and information that help secure Android.
Adrian Ludwig
Director of Android Security

Pixelxluser said:
Now it's clear there's a security problem with the official build of Oreo before Sept builds.. now all the Oreo roms and official roms have this vuneralablity... If you're gonna continue to publish them without replacing them with the sept security patch you may as well put a damn virus in you're roms cause that's basically what you're doing...
Click to expand...
Click to collapse
With some custom ROMs whether or not the have the Sept security patch is probably the least of your problems, if security is a concern of yours... you should be more concerned with things like;
- what keys are they using to sign their ROM (Apks included). Did they generate their own private signing keys and platform keys, or did they just use a devkeys or keys provided in the SDK?
- what changes have they made to aosp sources or not integrate (or revert) that could reduce security?
- have they messed with android's security or permissions model?
- have they included legacy code (like forward porting), that may have been dropped in the first place do to being insecure (legacy mediaserver without seccomp integration).
- have they modified selinux policies in ways that potentially could open up attack vectors.
- does the ROM have odexing enabled? The fact is, odexing while useful for booting/loading programs faster, also has the side benefit of making an apk harder to tamper with...
- have any changes that have been made been audited, or verified for correctness?
...and the list goes on. You are worried about a monthly security patch, with a handful or two of fixes for CVEs, yet make no mention of far bigger concerns that may be present in XYZ custom ROM.
Just saying.

contribute to Android’s protections. Is one thing which is lacking from what I see... I hope you understand that there are underaged people who don't know any better about what's best for them and come running off to try to be the cool kids by rooting or adding unsecured software on their phones.. rooting is so crazy to do now a days you're all really going to the extremes by bypassing security features just so you can have root... That's not the message the younger generation should be taught... They should be taught the importance of how security works not 50 ways to bypass it... There's not a feature out there which Google wouldn't consider adding officially but also Google doesn't go off and use unofficial code to pull features from it would look bad for their business..

And as long as there's a community of underaged people who do go off and root and install unsecured software you might wanna lead by example and provide them with the best security you can... A child with unsecured software is scary that someone would open up security holes for them to be a possible victim and the best you're actually willing to do is try to remove yourself from the responsibility of being responsible for it by saying if you install our software you are responsible for any damages. You can't just publish something then go out and say you take no responsibility when by law you're still responsible for any damages cause you never legally got you're software that way...

Since you're the ones distributing the software you're liable for damages if there was a defect in you're product which was distributed.. security flaws and security bypasses count as defects in a product..
Distributorship and Liability
Even though the distributor is not responsible for manufacturing a product, it can be held liable in the event of defects. Under strict product liability laws, the seller, distributor, and manufacturer of a defective product can be held liable if a person is injured due to the defect. Though manufacturers are typically most responsible since they created the product, the liability can also fall to those that distribute or sell the defective items.
This liability law prevents the plaintiff from the need to prove the chain of supply. In order for any entity in the line of distribution to prove it has no fault, it would need to show which entity is actually responsible for the defect

I suggest you stick with Windows dude
The only thing your posts are good for is making people spit their coffee with humour, and embarrassing yourself.
Sent from my Pixel using XDA-Developers Legacy app