By now, you’re probably wondering where we’ve been for the past few days. The reseller we were going through to purchase hosting from Burst went out of business, and didn’t have the decency to notify us in advance so we could move to a different host. Because the information on this blog is ephemeral, we never bothered to do any backups for it, so what you’re looking at is the new home page of DroidMod. If someone would like to crawl Google’s or WBM’s cache, we might be willing to restore the content, but I’m inclined to believe that no one cares enough to bother.
So then, why the crappy theme? Perhaps because we were feeling nostalgic about how the internet used to look back in the “good old days,” or perhaps we’re trying to encourage everyone to use the RSS feed, or maybe I’m just too lazy to look for a better one. In any case, I’m not a big fan of the canned themes that are out there, and to that end, Vulcan is working on a brand new WordPress theme for us. For a preview of what that will look like, head over to his site. You can also preview our progress here.
I hope that this will end the rumors that we’ve fallen off the face of the planet, but there are other rumors floating around regarding DMUpdater that do need to be addressed. If you haven’t already heard by now, a private build of DMUpdater was leaked to the public last week. It managed to get published on several major Android blogs before we got word that it had leaked, and had a chance to disable it. The things I’ve read regarding why the app was pulled are quite ridiculous; I’ve read reports that it damages sdcards, bricks phones, and even destroys families. This is, of course, all hogwash. The app works flawlessly, and was only pulled because it was not ready for release.
When DMUpdater starts, it downloads an XML file from our server that lists all of the ROMs the app should display, and included in this file is the version information for the latest release of DMUpdater. If you are not using the latest version, the app will force you to update (historically, by sending users to the Android Market to encourage them to donate $5 if they haven’t already). I used this feature to disable the leaked version of DMUpdater, but unfortunately this means that even people using the legitimately released DMUpdater 11 are no longer able to use the application. For a few days, before the problem was corrected, users of DMUpdater 11 would be sent to a screen that asked them for $20 for a new version of DMUpdater. What they were actually seeing is the ghost of an application in Market which is not actually published — in fact, if you tried to pay the $20, it wouldn’t even take your money.
By now, you must be wondering what the big deal is – why can’t we just slap together a new build of DMUpdater, fix the version number, and release? Well, the answer is actually rather complicated. The new version of DMUpdater uses a new method of rooting (popularized by Birdman for the Droid X) which actually takes advantage of a horrifyingly simple security hole in HotPlug. The “exploid” source code that was released to the world was released under the GPL license, which essentially means that any modifications that are released must be released with source code. Normally, that wouldn’t be a big deal to me – I’m a huge supporter of open-source software, and make a point to always release source code before binaries. However, in this case, I had to make changes to exploid to make it so that an Android application can become root, and the unfortunate reality is that with this code, any application could become root without the user’s permission. To further complicate matters, every Android device that uses HotPlug (that’s over 98% of Android devices, and 100% of Android phones) is vulnerable to the exploid attack.
In a nutshell, I’m not prepared to be the person responsible for enabling root access to some malicious developer that has an innocent looking application in the Android Market. Therefore, I’ve pulled down the commits to DMUpdater related to exploid, disabled the leaked version, and pulled the binary exploid code down from our servers. I’m currently investigating the possibility of rolling back the version in the XML file to re-enable DMUpdater 11, but it may be necessary to release DMUpdater 12 without the exploid code. Keep your eyes on this site for more news on that front!
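The version gate described above, sketched as an added example (not DMUpdater's code) to show why a single "latest version" field cannot disable one leaked build without also locking out the legitimate release, next to a hypothetical per-build revocation list. The XML element and attribute names, the function names and build number 99 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest. Element and attribute names are assumptions,
# not DMUpdater's real format. Build 11 is the public release named in the
# post; 99 is a made-up number standing in for the leaked private build.
MANIFEST = """<manifest>
  <updater latest="100" min_supported="11">
    <revoked build="99"/>
  </updater>
  <rom name="ExampleROM" url="https://example.invalid/rom.zip"/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (latest, min_supported, revoked_builds, rom_names)."""
    root = ET.fromstring(xml_text)
    updater = root.find("updater")
    if updater is None:
        raise ValueError("manifest has no <updater> element")
    # int() raises ValueError on a missing or non-numeric attribute, so a
    # malformed manifest is rejected instead of silently skipping the gate.
    latest = int(updater.get("latest", ""))
    min_supported = int(updater.get("min_supported", ""))
    revoked = {int(r.get("build", "")) for r in updater.findall("revoked")}
    roms = [rom.get("name") for rom in root.findall("rom")]
    return latest, min_supported, revoked, roms


def single_field_gate(installed, latest):
    """Check as the post describes it: any build older than latest must update."""
    return "run" if installed >= latest else "force_update"


def revocation_gate(installed, min_supported, revoked):
    """Hypothetical variant: named builds are disabled, others only need the floor."""
    if installed in revoked:
        return "disabled"
    return "run" if installed >= min_supported else "force_update"
```

With the single field raised past the leaked build, builds 11 and 99 are both forced to update; with the revocation list, build 11 keeps running and only build 99 is disabled.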
In other news, we’ve been discussing putting donate apps ($5, $10, and $20) in Market that don’t actually do anything, but serve for users to donate to the project, since we get a lot of complaints that there’s no donate button. We’d love to hear what you think – should we do this?