Tag Archives: Android

Top Bitcoin News Last Week: New York Subpoena, Senate Inquiry, Android


Bitcoin New York Subpoena

Bitcoin News

A roundup of the top Bitcoin news from August 12 to August 18:

Tuesday, August 13

Wednesday, August 14

Thursday, August 15

Friday, August 16

Saturday, August 17


Google’s Android Security Team Addresses Bitcoin Vulnerability


Android Bitcoin wallet vulnerability

Last week, it was discovered that a vulnerability in Android may leave users of Bitcoin mobile apps at risk. This week, Google’s Android Security Team confirmed and addressed the security concerns on their blog:

The Android security team has been investigating the root cause of the compromise of a bitcoin transaction that led to the update of multiple Bitcoin applications on August 11.

We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG. Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.

Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. A suggested implementation is provided at the end of this blog post. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.

In addition to this developer recommendation, Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.

It appears from this notice that consumers should expect their apps to be fixed in short order.
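
One way to follow the notice's advice to explicitly initialize the PRNG from /dev/urandom, shown as an added example that is neither Google's suggested implementation nor code from this post: a JCA provider whose SecureRandom engine takes every byte from the kernel pool and fails closed if it cannot. The names UrandomSeeding, UrandomSpi, UrandomProvider and the provider name "UrandomExample" are hypothetical, and a Linux-style /dev/urandom is assumed.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.security.Security;

public class UrandomSeeding {
    private static final String URANDOM = "/dev/urandom";
    /** SecureRandom engine that takes every output byte from the kernel pool. */
    public static final class UrandomSpi extends SecureRandomSpi {
        @Override protected void engineSetSeed(byte[] seed) {
            // Writing to /dev/urandom mixes the seed into the pool; it never replaces it.
            try (FileOutputStream out = new FileOutputStream(URANDOM)) {
                out.write(seed);
            } catch (IOException ignored) { /* pool not writable: output is still kernel-sourced */ }
        }
        @Override protected void engineNextBytes(byte[] bytes) {
            try (DataInputStream in = new DataInputStream(new FileInputStream(URANDOM))) {
                in.readFully(bytes);
            } catch (IOException e) {
                // Fail closed: never fall back to a weaker source.
                throw new SecurityException("cannot read " + URANDOM, e);
            }
        }
        @Override protected byte[] engineGenerateSeed(int n) {
            byte[] seed = new byte[n];
            engineNextBytes(seed);
            return seed;
        }
    }
    public static final class UrandomProvider extends Provider {
        public UrandomProvider() {
            super("UrandomExample", 1.0, "SecureRandom backed by /dev/urandom (example)");
            put("SecureRandom.SHA1PRNG", UrandomSpi.class.getName());
        }
    }
    public static void main(String[] args) {
        // Position 1 makes this the engine behind `new SecureRandom()`.
        Security.insertProviderAt(new UrandomProvider(), 1);
        SecureRandom rng = new SecureRandom();
        if (!"UrandomExample".equals(rng.getProvider().getName()))
            throw new SecurityException("default SecureRandom is not the /dev/urandom engine");
        byte[] key = new byte[32];
        rng.nextBytes(key);
        System.out.println("32 bytes drawn via provider " + rng.getProvider().getName());
    }
}
```

This covers only callers that go through JCA; code that invokes the OpenSSL PRNG directly, which the notice lists separately, needs its own explicit seeding, and keys generated before the change still have to be evaluated for regeneration.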

Bitcoin.org also published a synopsis of the problem and suggested solutions.

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.


Top Bitcoin News Last Week: Bitcoin is Money, BYU, Android Wallets, Mt. Gox


Bitcoin is Money SEC Ponzi Scheme Ruling

Bitcoin News

A roundup of the top Bitcoin news from August 5 to August 11:

Monday, August 5

Tuesday, August 6

Thursday, August 8

Friday, August 9

Sunday, August 11


Vulnerability Discovered for Android Bitcoin Wallets


Android Bitcoin wallet vulnerability

Bitcoin.org just published an alert about Android wallet vulnerabilities.

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.

 
