Root (almost) Any Android Device using the Master Key Bug

Security on the Android platform is a topical issue. Those of you who keep a keen eye on the matter must have heard of the vulnerability discovered by Bluebox Security a couple of months ago. The obviously talented team behind that start-up actually provided substantial detail of the bug at Black Hat USA 2013.

Jay Freeman, aka saurik, has a very clever take on the bug. You can read his article on the bug here (it gets pretty technical). Basically, this vulnerability, called bug 8219321 by Google, allows APK files to be modified in such a way that the package's cryptographic signature still verifies. Now that must be a very serious loophole that can be used for all kinds of hacks.

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control.”

Saurik’s article is actually very comprehensive and will excite anyone who would like to get an actual understanding of how to exploit this bug. He surveys various hacks and gives actual implementation examples. However, if you want to see just how these exploits can be used, he has developed a simple GUI-based automated tool, called Cydia Impactor, that anyone can use to tinker with Android.

Cydia Impactor

“In order to fully automate this exploit, Impactor scans all of the APK files on your device to find one that can be used as a system application (with some heuristic checks for common APK names); it then includes a custom implementation of the Java Debug Wire Protocol for automating the debugger.”

And now, obtaining root:
Devices running Android 4.1 and below can easily be rooted using /data/local.prop to set the “running in the emulator” property, causing adb to run as root. Saurik describes how to do this manually, but using Cydia Impactor is straightforward. I did root my Intel BT210 Android phone running Ice Cream Sandwich 4.0.4 using this exploit. So it works, folks.

Patches
The whole purpose of exposing bugs is to provide patches. Of course, waiting for Google to provide a patch is a quest in futility. CyanogenMod were among the first to provide a workable patch. Bluebox also has a tool to check for the bug. And saurik, in his usual manner, signs off with his own patch.
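
A minimal check on the APK side, as an added example that is not from this post, saurik, Bluebox or CyanogenMod: bug 8219321 is publicly documented as hinging on duplicate entry names inside the APK's ZIP archive, so the sketch below flags any package whose central directory lists the same name more than once. The function names and the sample archives are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk):
    """Return {name: count} for entry names listed more than once.

    `apk` is a path or a binary file object. A well-formed APK lists each
    name exactly once; a repeat means the code that verifies the package
    and the code that installs it may not pick the same copy of the file.
    """
    with zipfile.ZipFile(apk) as zf:
        # infolist() keeps every central-directory record, unlike
        # getinfo(), which resolves a name to a single record.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample(names):
    """Constructed test archive with dummy contents (not a real APK)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile itself warns when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"placeholder %d" % i)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    clean = build_sample(["AndroidManifest.xml", "classes.dex"])
    suspect = build_sample(["AndroidManifest.xml", "classes.dex", "classes.dex"])
    print("clean:  ", duplicate_entries(clean))
    print("suspect:", duplicate_entries(suspect))
```

Run it over APKs before sideloading or when triaging a package store; a non-empty result is worth rejecting regardless of whether the target device is patched.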

By the way,
Just as the sources for Android 4.4 are being released, saurik says he has discovered yet another Android Master Key Bug. I can’t believe this.