Cydia Accounts Vulnerable To Payment Info Hack


If you’re a fan of jailbreaking iOS devices then it’s a fair bet you’ve spent a few bucks on apps that probably would not have been released via Apple’s App Store. If that’s you and you saved your PayPal information with your Cydia account, it’s time to pop over there and clear the decks. There’s no leak, but a vulnerability has been detected and the Cydia store’s founder, Jay Freeman, is recommending that people remove their PayPal information.

While you can still jailbreak iOS devices and download apps from the Cydia store, Freeman, whose online moniker is Saurik, says “there is no concern about the information in your Cydia account that I know of at this time”.

Saurik was planning to shut down the store this year and the discovery of this vulnerability has accelerated that process a little. He added that the “service loses me money and is not something I have any passion to maintain”.

When the first iterations of the iPhone were released, Apple’s limitation on apps – remember that the original iPhone had no App Store for the first few months of its life – made jailbreaking a popular option for people who saw the potential of the iPhone as a mobile computer that could be far more than Apple intended. There were many challenges.

The big hassle for the jailbreak movement was the ongoing game of “whack-a-mole” Apple played. Most jailbreaks relied on finding a flaw in iOS that could be used to load unauthorised software. But each time a new jailbreak appeared, Apple plugged the hole.

Alongside this, the App Store grew and provided developers with a potential revenue mechanism. Although the folks in Cupertino take 30% of all sales to run the store and associated infrastructure (and, one assumes, some profit on top), developers could focus on creating software and not worry about managing a shop-front to promote and sell their software.

Apple also did a good job of promoting just enough FUD to cast doubt on the safety of the jailbreak ecosystem, which kept the vast majority of users within its walled garden.

Freeman/Saurik said in the Reddit post announcing the closure of the Cydia store that the vulnerability “is ‘only’… the ability to force a purchase by a user who is currently logged in to Cydia; there is no concern about the information in your Cydia account that I know of at this time”.

He also says “I am intending to maintain the ability to download existing packages: the accounting and backend execution burden of this is much lower than continuing to allow purchases and removing the payment code means I don’t have to worry that I messed up anything else in the payment backend, security-wise.”

So, while you’ll still be able to access free packages for jailbroken devices, the era of paid off-market apps for iOS is over.

