Saurik posts exploit and fix for ‘Master Key’ Android vulnerability

Saurik Interview

Jay Freeman, also known as Saurik, is well known by iOS users for his work in the jailbreak community. Not only does he run Cydia, the definitive jailbreak store, but he also develops tweaks and handles a number of other aspects.

But Saurik is also making a name for himself among Android users as well. Back in May, he released a working form of his Cydia substrate for Google’s platform, and this weekend he’s posted a fix for a major security vulnerability…

The fix is for a bug known as the ‘Android Master Key,’ a vulnerability discovered by Bluebox Labs that, at the time, was said to affect a staggering 99% of Android users. And depending on the use, it was considered very dangerous.

“The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years1 – or nearly 900 million devices2– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

Despite its severity, though, most folks have chosen to ignore Android Master Key until a zero-day for the exploit exists. And since manufacturers rarely, if ever, update their firmware, there are many devices still extremely vulnerable.

And that’s where Saurik comes in. As noted by 9to5Google, the Cydia store owner has posted the Android Master Key vulnerability to his website this weekend, for anyone who wants to gain root access to their unpatched device.

“In true jailbreak fashion, the exploit runs from a Mac or PC and in a few steps gives your su/Root access to the infected phone/tablet. While it isn’t as plug and play easy as recent iOS jailbreaks, it is easy enough for anyone who wants to root their unpatched phone to do in a few minutes.”

The good news is, Saurik has also posted a fix for the Android Master Key, for those who want to manually patch the bug. More details are expected to be divulged next month at the annual Black Hat security conference in Las Vegas.