Guys,
I think everyone nowadays is quick to judge Android and Google for fragmenting the OS with multiple (4) versions but I think it was a necessary for success side effect. Without the humongous push that Google has done with Android, it wouldn't have been where it is now.
If you haven't heard, Google shared its plans to battle fragmentation which I mentioned as well.
What do you think? Do you think if Google slowed down back then (1.5/1.6), they would have ended up with Android that is as awesome as today?
Right now, Google has set up Android with a low-end version (1.5/1.6) and a high-end version (2.0, 2.1) and the market is sorting itself out. I think the two options were to fragment or be unsuccessful. With the fragmentation comes some issues, but it also comes with a wider range of devices that are capable of running it, which pushed it's popularity. Fragmentation can be easily solved farther down the line when Google takes the updating into it's own hands and stops letting carriers and manufacturers screw with everything.
In the end, we'll see Android itself being updated via the Market, I'd bet.
thats why google is releasing separate packages for the awesomeness theyre releasing from now on. the browser, ui kits, etc will come in separate apk's on the android market so you can have fun with whatever kernel and not be binded to the manufacturers limits. at least thats what the article today from engadget said.
I'm not a fan of Facebook per se. I don't care for the social media craze that seems to have permiated every facet of technology. When it comes down to it, I see Facebook as an enabler. It allows us insight into the intimate details of people we care about, without actually having to interact with them. It entices us to click "like" instead of personally conveying our appreciation or admiration. To top it off, I'm even less enthralled with Facebook on Android. Update after update that notoriously brings almost no improvement in performance, and many times results in an even worse experience. Not to mention the invasive permissions they keep slipping in with every new feature they implement. So why would I write an article about Facebook Home? Perhaps even more questionable, why in the world would I say they are "Winning"?
For most of us Android geeks/enthusiasts, there's been a quiet war going on behind the front lines of Android for quiet some time. Manufacturers continue to give us devices with their specific flavor of Android such as Samsung's TouchWiz and HTC's Sense, among other variations of Google's "Vanilla" Android experience. Meanwhile Android developers have been working endlessly to bring users more options with modified or custom ROMs such as Cyanogen Mod, AOKP, ParanoidAndroid to name a few. It's about choice - which the manufacturers don't want to give us. They want us to get used to their skins and their custom features, so that it becomes inherently habitual to use them. And we all know how hard it is to break habits.
Regardless of the ROM an Android user chooses, it doesn't end there. Android users are a unique bunch - and most of us want our phones to be unique as well. However, if you have been watching the evolution of the Android user closely (as Facebook undoubtedly has) you might have noticed that despite our yearning to be different, to customize our Android experience to our own taste, there is a sweeping movement taking place within the community: The Android user base has grown so quickly that it is no longer just a haven for the tech-geeks and device tinkerers. There is a large number of users that want to be able to customize their devices without having to learn what rooting is, or how to flash a custom ROM. They have no idea what a bootloader is, or even superuser for that matter. Yet their desire remains the same - to be able to tailor their phone as they see fit. This is where the ROM wars end - and the Launcher wars begin.
When it comes down to it, it doesn't matter if you're running Samsung's TouchWiz or the latest Cyanogen Mod Nightly. You're most likely going to install a custom launcher which will serve as your main user interface. Apex Launcher, Nova Launcher, or perhaps one of the new comers such as Chameleon Launcher or.. yep, you guessed it: Facebook Home.
This is where Facebook's genius begins to show. For the majority of Android users, it's not about what ROM you're running anymore (and for many newer users, it never was). It's the launcher that ultimately defines their device. And when you step back for a second and really dissect what's been going on with Android, it's always been about the launcher. TouchWiz and Sense are just that - launchers. Despite the fact they are deeply integrated with their respective phone's OS version, they're still basically just different user interfaces. Most of what they offer in regard to features can be successfully ported to other phones, other ROMs. The reason for Android user's past frustration with these manufacturer's customizations was their inability to remove them or change them. So where does that leave us today?
Facebook Home is exactly what a vast majority of the Android user base wants. Another option, another way for them to tailor their phone to their own usage habits. And if they don't like it, they can simply change their launcher or uninstall it completely. And let's be honest - there are millions of Android users who are Facebook fanatics. Facebook Home isn't just another app.. it's the new front line of the Android wars. Don't be surprised if you start seeing more of the major social media sites offering their own launcher. After all, it only makes "Sense".
I don't own a smartphone yet, but I'm thinking about getting an Android phone soon. It will be my first smartphone. I’m also new to XDA-Developers. Please help me, as I have questions about Android security and though I’ve posted this message to several other web sites--android.stackexchange.com, Quora.com, and Reddit--no one has answered all of my questions completely and thoroughly. I’ve only gotten short responses that are a few sentences long and only talk about one or two things. I really need more help than that, and I’m hoping that I can get it here!
I know that this message is long, but please, if anyone can read through it and then try to answer all of my questions, I would REALLY appreciate it!
Here are my questions.
1. Is Android’s stock browser updated directly by Google, or do updates to it have to go through phone manufacturers (Samsung, HTC, etc)?
2. If I buy a phone that runs a manufacturer-customized version of Android, such as the TouchWiz version of the S4 or the Note II, will keeping Android’s stock web browser--as well as any other browser I choose to use--up to date keep me safe from web-based exploits, even if that phone’s manufacturer is slow to deliver updates? (Edit: I want to add that I'm interested in technical details.) By “updates” I mean updates to everything provided by or customized by the phone’s OEM: the customized version of Android, the manufacturer’s pre-installed apps, etc. (Edit: what I'm asking here is whether the OS needs to be kept up to date to protect against web-based exploits, or is that accomplished solely by keeping the web browser up-to-date, whatever web browser it is).
3. I have read that OEMs are often slow to update their devices, and because of that I have limited myself to only looking at Nexus devices and Google Play Edition devices. But I really need to know if I SHOULD limit myself to Nexus and GPE devices for the sake of web security. (Again, I'm interested in technical details.) I don't want to buy a phone from a manufacturer that takes months to release security updates, leaving me vulnerable to web browser exploits and malware in the interim. But if I am wrong about ANY of this, please tell me so, because I would like to be able to consider devices that run manufacturer-customized versions of Android, such as the Touchwiz version of the S4 or the Note II (or maybe the future Note III).
(Edit: the answer to question #3 would depend on the answer to question #2; if the answer to #2 is ‘no, the underlying OS does not need to be kept up-to-date to protect you from web browser exploits’, then I guess the answer to #3 would be that I can consider buying a device that runs a manufacturer-customized version of Android that won’t receive OS updates as quickly as a Nexus does. If, on the other hand, the answer to #2 is ‘yes, to protect yourself from web browser exploits you need to keep both your browser AND your OS up-to-date’, then I guess for maximum web security I’d need to buy either a Nexus or a Google Play Edition device.)
4. I’ve read that in-app advertising can be a security risk. I’m really hoping that someone here will explain this to me. (Edit: again, I'm interested in the technical details, but keep in mind that I'm new when it comes to smartphones.)
I’d like to add a few comments:
1. I will only get my apps from the official app store--Google Play--or maybe Amazon.com’s Appstore for Android.
2. I'm concerned about web security and in-app advertising.
3. I don't plan on rooting my phone. I'm not saying I won't, I'm just saying that I don't plan on it.
1. Only nexus devices are updated directly by google. Even htc one Google edition will be updated by htc, so as the browser since it's a part of the software.
2. Manufacture updates are slower than Google. Most of the good apps available should receive updates and solve security issues.
3. If you want to disable advertising then use adaway, notice that you will need root.
1. The stock browser I believe does get updated when the OS is updated. I've read about people getting OS updates to find the stock browser is then faultering and assume this then gets updated. The update of the OS is usually done by the device manufacturer unless you are using a custom rom. Whomever creates the rom used on the device, is responsible for the internal updates for it, to whatever level they wish to support it. I have read that google don't mainstream care about the stock browser as they are pushing Chrome for the win and a separate team deals with the stock browser.
2. The world and his hedgehog are not safe from hack exploits. The quality of protection out there in any sense is mirrored by the quality of hacker. If you have a crap security level, any old hacker can exploit it. If you have the worlds most renowned secure, then the best hackers will break in at some stage while the wannabe hackers struggle to threaten their way out of a paper bag. However with some people, they need gold bullion and jail style security while others wonder why they need it. People can recommend you do this or do that, and some recs are excellent while others are not quite but almost hilarious but at the end of the day, if a child can hack into high security places, our devices are not so hard to get into. That said... we can run paranoid while there may be no threat at all. If you are concerned, just be careful of what you do with your device. Myself, I use it for every day communication and have not yet used a credit card on it with no real need to.
3. Even the greatest have not updated their OS. The Motorola Xoom promised one from purchase yet people were moaning long after the stock sold out that it never came. Granted it surely must be true that certain companies are quicker to advocate update releases than others. But the higher paying vs the cheap low end thing isn't something to run with either. I have a very cheap quad core tablet and that has just had a firmware update from last week and as far as I can see, it's an almost brand new device, market wise so it seems the update from them was fluid. Again, that said, the updates seem to be more about the OS running well, with the hardware and app capabilities than security although I dare say there are some inevitable security fixes in there too. My quad tablet was sluggish to some extent and a bit crashy but so far, it is fine after the update although I have only done it a few hours ago... everything me and the kids have tried, has either worked better of been flawless. No sign of lag yet anyway.
4. In-app advertising can be dangerous for a few reasons i guess. but the reality again, is I think any file can have dangerous code attached and configured in a way that the OS or security cannot smell it. Of course there is the ability of spam links to scam sites. There is also false flag things that are or maybe are possible too. For example, using x file with y file and requesting a cup of tea from z file can make a security team think your couch is about to disappear and your granny is about land bump on the floor, when indeed an app just wanted to execute a command using an ancient method of pressing Q. This is something I learned in windows based operating systems where using certain dll files with certain other files can trigger an alarm, as innocent as the intentions were. I built a website not so long ago and called some iFrames in that had no < head > or < body > tags. the pages worked perfectly but some chinese company employed to protect a british isp flagged the site as a security risk and blocked any visitors from viewing it. Thankfully, long gone are the days that visiting a website would fry your motherboard.
On your remaining comments.. seems like wise advice as of course there are scammers out there who will give your granny that bumpy ride off the disappearing couch onto the floor or steal your account and all those types of greed based madness which is a shame because it ruins the experience of say if a friend is trying to build an app and they ask you to give it a go, you are somewhat rightfully not willing to play ball.
FYI I have been around computers for a long time but am by no stretch of the imagination an android expert at all. I hope what I have wrote above is helpful and not by any means, wrong. I have not long posed the question about rooting and security as I do not qualify understanding the realm at all. I dare say it is a huge question, to some extent.
Also, security risk aside as no smartphone tablet or computer escapes that realm, Android for me is the best device, then IPhone, then Windows Phones, then Crapberry. I would never purchase the latter three.
Hi codQuore,
Thank you for your responses to my questions. I need to clarify two of my questions in my original post. (I have edited my original post to include these clarifications.) In question #2, I was attempting to ask whether the OS needs to be kept up to date to protect against web-based exploits, or is that accomplished solely by keeping the web browser up-to-date (whatever web browser it is). In question #3 I asked whether I should only look at Nexus and Google Play Edition devices for the sake of web security, and the answer to that would depend on the answer to question #2; if the answer to #2 is ‘no, the underlying OS does not need to be kept up-to-date to protect you from web browser exploits’, then I guess the answer to #3 would be that I can consider buying a device that runs a manufacturer-customized version of Android that won’t receive OS updates as quickly as a Nexus does. If, on the other hand, the answer to #2 is ‘yes, to protect yourself from web browser exploits you need to keep both your browser AND your OS up-to-date’, then I guess for maximum web security I’d need to buy either a Nexus or a Google Play Edition device.
What are your answers to those two questions?
Truth_Seeker1 said:
What are your answers to those two questions?
Click to expand...
Click to collapse
At a guess I would say, for browsers that are built in to the OS, there will be two ways this can update, via the OS update and independently. The OS update would be a total OS replacement that is not automated and you would need to use a built in checking feature (if available) or manually check yourself periodically. Browsers that you add yourself will be offered updates from notification unless the ability to auto update is allowed then it should happen seamlessly of course letting you know. Google "android chrome update" to see something along the lines of what the update history shows.
Yes, you would want to update but I would recommend having a read first as on any computer device, an update can be flawed or give more problems than it's worth. Although more often than not, an update should be an improvement on performance and stability and of course for security.
If you are working blind, then do an update and assume security improvements are happening and go for it. If not, then you will know what is happening. I have never gone to the lengths of checking an update list before updating for android, but with pcs I do depending on what is updating, check what the update is worth and how people are getting on with the update. I did beta testing for years (hence the knowledge of flawed updates and reluctance to do the updates) so for me it's one of those do you risk it scenarios.
Sadly as I said above, we are never safe from hacks but with some hindsight and genuine attempt to protect, we are safe from the majority. For me it's 90% "what are you worried about?" and 10% "I don't blame you for being paranoid!"
As for the preference of buying google branded devices, the foundation of an android release is surely never set for these devices "out of the box" so to speak. I would assume that the team who look after these devices have the same process of having to streamline the OS thereafter before they can release it for their device update. This is somewhat proven by people wanting to put a custom rom on their Nexus and such. For some reason, people aren't happy with the normal rom and want or need to replace it. naturally, it is easy to think a nexus device for example, is closer to home and should by rights get updated a bit quicker than my Ampe tablet but in some respects I think this could be a bit of swings and roundabouts, again depending on the company and their apportioned team force to output the update. Yes you should be better off with a more directly linked device, to google but in my opinion, the concern is not a great one. You would be better off thinking about your budget, what you can save and ultimately do with the extra cash alongside the knowledge of which devices and companies actually do spend an effort on looking after them.
I'm in no position to afford these devices and if I were, I would rather throw my money in the bin (or spend it on my loved ones) than give it to the highest bidder.
So in the end, yes updates are 99/100 important and should be done. Be careful of what you browse and do all secure data passing before you go out on the internet highway and risk getting robbed. It is probably safer to "remember my password" to avoid future keysniffers than worry about indepth data mining. Of course, anyone can give you a sniffer but data mining is more clinical, I would say.
Finally, i wouldn't worry about these things too much but as concerned as you are, do some research. But do remember that in one hand, the UK government said "the internet isn't safe so we don't use it" yet on the other, the majority of secure usage is 'watched' by paid professionals for banking and such and is alot safer than you may think aswell as protection for credit card fraud and such.
Thanks again codQuore. I understand your point that there is no such thing as 100% bullet-proof security, but I still need to know whether both the OS and the browser need to be kept up-to-date to protect against web-based exploits, or is that accomplished solely by keeping the web browser up-to-date (whatever web browser it is).
You are most welcome, TS. I would say generally yes, to both, to be on the safe side. I'd like to guarantee the OS update will update the browser if it has been updated in the update and that the browser can be updated on it's own. However, I think I am right in saying you have to check for OS updates yourself and the same for certain apps whilst some apps will auto offer the update. You may be able to force this auto update for all apps, but how this is done per different version of android, escapes me. I do remember seeing the option come up after a factory reset or buying a new device and running the first time setup of playstore and such. There's an option for it somewhere. but I don't think the OS itself offers an auto update, it has to be checked for, in my experience. I have just done my tablet and it required installing some software on my pc from the tablet manufacturer and getting that to update the firmware/os. It was a 525MB download and everything was in chinese lol. I managed it with the help of google translate but it also helped that I had previously done the same thing on a t-mobile vivacity for my daughter after her OS died and got stuck at the rotating t-mobile logo on first boot.
It is essential to update but across the board it's not majorly important to check every minute, so to speak. You'll be fine. For the record though, my quad core tablet cost £70 from singapore and I knew I was taking a bit of a gamble but was protected by returns if all went wrong and get my money back. A similar tablet is something like £120. I plan on doing the same thing for my next phone upgrade too... but I don't have a contract phone running, I am on pay as you go and all I use is internet, no calls. Incidentally, I pay £20 for 6months net from t-mobile and the only limit is 1gb per month on video. when that expires, youtube and such stops working, some video sites carry on and everything else, FB mail, tethering, ftp via pc and stuff, all still works. I have even streamed radio from my android phone, flawlessly.
codQuore said:
I'd like to guarantee the OS update will update the browser if it has been updated in the update and that the browser can be updated on it's own.
Click to expand...
Click to collapse
LOL, I had to read that sentence several times in order to process it because you used the word "update" so many times :laugh:
If I remember what you said earlier, I think you said that the stock browser doesn't get updated on its own, but only as part of big OS updates? So it won't receive security patches as vulnerabilities are discovered, and won't be updated until the next version of Android arrives?
If this is true, then I'll use a different browser. But even if I use a different browser, is code from the stock browser used in other things, meaning that it is STILL a security risk if it isn't kept up-to-date?
It also occurred to me that if an OEM is slow to release OS updates for its phones, will it be just as bad at keeping its pre-installed apps up-to-date, and if so, does that pose a security risk.
Haha, looking back I can't believe I wrote that and am wondering if its a valid statement. I'll leave it for someone else to contradict lmao.
The core of the os and apps that run built are updated I guess separately and together. EG, say the browser gets an update to 1.1 the next update of the OS will most likely carry that updated version but if it doesn't it should still offer an update after you hit the playstore setup. naturally, these apps use core parts of the OS and i think some updates for apps will carry their own additional bypass of outdated os core, where applicable. That said, the bypass could be more secure in one sense and less secure in another. I'm guessing this is even possible. One thing I am yet to see, knowing how windows and linux works a little, is android have to update x- because something app wise has been installed that requires it. Alot of software on windows, requires things like framework to be added, linux is or can be the same.
The chances are you will be 99% secure in any event. The core defence for mobile phones is the phone companies themselves as that is in the realms of trillions of dollars at risk. They've been cracked before and they know it, so there is some possible reassurance for the devices, from that angle.
So its about time that Google make a new version of Android which requires OEM's to have a Launcher which is treated more like a 3rd party launcher, so Google can throw out new updates to the OS via a Windows update style updater...
if the OEM's wish to adjust the OS's deeper code, then they lose Google's Auto OS Updater support for that device.
And if the main reason for not implementing this is US carriers, then make it available in the parts of the world where carriers care more about user experience, and just disable it in the states and if any carriers request that Google enables it on their network, then they can go ahead and do so...
and to be honest I think that after so long, most US carriers will have to add their support for this in order to avoid customers from switching to a different carrier for a better experience...
if US carriers ever try to stop innovation, then innovate everywhere else to put pressure on US carriers to implement these innovations... don't let them stop us from moving forward.
Also, if Google don't implement an Auto OS updates system (ie: to update from 4.4 to 4.5, or for security updates) then we may see Ubuntu phone becoming the better platform over time...
Edit:
Also I'd like to mention that as a developer myself, it really does my head in when I'm developing an app which uses all of the latest Android features, but I have to consider work arounds or removing those features all together because of the fact that most users devices wont be updated to the newer version of Android containing these extra features for developers to take advantage of...
I’ve been a CyanogenMod user since CM6 for the HTC EVO. While I can’t claim to have contributed much directly to the community (I’m no developer and more of a sys admin kind of guy), I have installed CM on countless phones over the years - basically any friend or family member who sat their phone down long enough. As soon as it was available, I snagged a OnePlus One, and it’s still the phone I have today. While I was initially excited to see where the foundation of Cyanogen Inc. would take the project, I’ve become increasingly disappointed with the direction that things have gone (both CM and COS), and I think my next phone will likely be a Nexus device with stock Android. I’m fairly certain that this post won’t accomplish much (aside from starting a flame-war/trolling/what-have-you), but I thought I would post it just to see what might come of it.
What I initially loved about CM was the fact that it added a number of useful features to stock Android, it allowed a ton of functional customization, it seemed to be more efficient and stable, and it let me continue to update devices that manufacturers had artificially sunsetted. I was impressed by the fact that lead developers were more interested in code quality and security than by shiny features. Amidst the desire to make Android better, there was also a sense of perfectionism to CM as evidenced by the “don’t ask for ETAs” mantra - it would get done when it was ready, and I was always willing to wait.
When Cyanogen Inc. formed, I was curious to see how they planned to make money. I actually decided to be a bit bold, contacted Kirt and Steve via LinkedIn, and offered to share some of my ideas. One of my biggest suggestions was that they should do something to fill the gaping hole left by Blackberry. At that point (and even still today), no manufacturer had really been able to provide the enterprise-grade functionality provided by Blackberry and BES. MDM solutions were (and are) a double-edged sword that are really just a patch for the solution. Given the huge priority that Cyanogen placed on security, I thought it would be a good direction to take. I’ve sent a few other suggestions over the years (including attempting to get the OnePlus One on the shelves at Walmart when I worked at the corporate offices), but it never seemed to go anywhere.
Right now, when I wake my phone, I have a reminder that there is a system update ready for my OnePlus One that will install COS 13.1. This update adds “new mods for Cortana, OneNote, Microsoft Hyperlapse, Skype, and Twitter.” I have yet to hit install. My issue is far less that Cyanogen is working with Microsoft and more with the fact that the company, much like Canonical/Ubuntu, seems to have the not-invented-here syndrome. (Side note: here’s a great article from the Turnkey Linux team that serves as partial inspiration for this post https://www.turnkeylinux.org/blog/ubuntu-not-invented-here-syndrome). Instead of offering new and useful features, Cyanogen is reinventing wheels and cramming the OS full of things that aren’t really at the top of anyone’s list for issues that could be solved or features that could be added. The innovation just seems to be gone. Most of the features that were exclusive to CM and drew me to the project are now part of stock Android. It makes me wish Cyanogen had taken up Google on their $1B offer.
Here are a few examples. Who remembers when ADW was the stock launcher of CM? I do. In contrast, who actually uses Trebuchet? I think it’s a featureless piece of junk. No gestures? No ability to hide icons in the drawer? No useful functionality that really sets it apart from other launchers? Why develop something new just for the sake of doing it yourself when it only provides basic functionality? Right up there with it is the File Manager application. There are plenty of other more feature-rich applications on the market, and I frankly never use the app provided by Cyanogen because it isn’t nearly as functional as something like ES File Explorer.
Similarly (but more egregiously), is the Browser application. Show of hands: who uses the browser provided in AOSP? No? Me, neither. Be it Chrome, Firefox, Opera, or something else, no one uses the browser built into the ROM. Why did Cyanogen feel the need to create another browser that lacks functionality, is rarely updated for security patches like mainstream offerings, and is basically just another piece of lint on everyone's phones? I fail to see the innovation, there.
I initially loved the idea of having a Cyanogen Account because it was pre-Google Device Manager. However, now that Device Manager exists, I don’t see a reason to use my Cyanogen Account because there haven’t been any additional additions to the feature set. I emailed Kirt and Steve once about potentially folding the WebKey project into Cyanogen and linking it to the Cyanogen account. That would provide remote access, remote file management, a remote shell, and countless other features (most or all of which could be made to work without needing root if baked into the ROM). How much would that add to the ROM and set it apart from other offerings? Neither Google, Apple, Microsoft, or Blackberry have anything close, and it would be a game-changer.
The Themes engine. Alright, so some may disagree with me, here, but I don’t really care about theming my phone or my computer. For me, that was cool back when Compiz/Beryl were the hotness for Linux. Now, I’m more interested in function over form. Why spend so much time building this thing when there are actually useful additions that could be made to CM/COS?
In conjunction to this, there are a number of features provided by CM that are now part of AOSP and make me wonder why I'm still on CM/COS. Google has added permissions management. They have included tethering. The majority of Developer Options are baked in. They switched the whole tap/long press to turn on/off/open settings feature in the notification panel. There isn't much to set Cyanogen apart, anymore.
Instead of just complaining, I wanted to start a list of things that I really thought Cyanogen would have provided by now (or would have at least considered). Some of these would provide Cyanogen with a revenue stream so they wouldn't have to keep cozying up to Microsoft, something that I'm sure most of us would appreciate (does anyone actually use Cortana?) I’d be interested to hear what other features the community would like to see added to CM/COS:
WITHOUT root, implement NFC tag actions that are available with the screen off. For example, allow a user to unlock/wake their phone, turn certain settings on or off, switch to a different profile, or perform a set of pre-defined actions by tapping a NFC tag. Obviously, there would have to be some security mechanisms built in order to whitelist trusted tags so the functions can be used with the screen off, but I’ve always wanted to be able to set my phone down on a tag at my desk and have it automatically connect to my company’s WiFi, put my phone on vibrate, etc.
Partner with an existing developer or independently build parental controls into COS.
Add a login manager for public hotspots to accept terms and conditions on subsequent logins after the first connection (would need to use MAC address, GPS, or some other unique identifier since some companies use the same provider, e.g. Starbucks and McDonald's both use ATTWiFi as their network name but have different captive portals)
Make a Kiosk version for customers at coffee shops and the like.
Create a mobile pay kiosk version similar to the Chili’s tablets since Cyanogen is known for security.
Make a version tailored toward the elderly (lock certain features, provide a restricted set of capabilities that are easy to access, etc).
As previously mentioned, build in WebKey or similar functionality that is tied to a Cyanogen account.
Include Tor without needing root.
Allow the ability to modify DNS settings.
Develop AirPlay compatibility for the Cast feature.
Right now, I’m at the point that I was at with Ubuntu about five years ago. Canonical had “improved” Debian into a bloated nightmare complete with in-house developed projects such as Unity, Ubuntu One, the Ubuntu Software Center, Mir, and others that no one asked for or wanted. If Distrowatch rankings are to be believed, Debian (and Mint) is now more popular than Ubuntu, likely as a result of Canonical’s decisions.
This is not a call to arms but rather a suggestion. Perhaps it is time that the community creates, by way of analogy, a Cyanogen Mint. Maybe we need to go back to the foundation of AOSP just like many users have done by going back to Debian. For me, at least, Cyanogen isn’t satisfying the same needs that it did two years ago, and I’d like to have a mobile OS or ROM that does. There are a lot of custom ROMs out there like Paranoid Android, AOKP, and OmniROM, but they are incredibly fragmented in the devices that they support, and none of them have the level of backing that Cyanogen gained. Perhaps as a community, we need to consolidate our efforts, focus on a common project, and bring forth a high-functioning ROM that can fill the void that Cyanogen no longer does.
In light of today's news about the layoffs at Cyanogen, thoughti might bump my thread to see if anyone would be interested in joining this conversation.