Tag Archives: Google

Google’s Android Security Team Addresses Bitcoin Vulnerability

Like this? Share it.TwitterFacebookGoogle+LinkedInReddittumblrbufferEmail

Android Bitcoin wallet vulnerability

Last week, it was discovered that a vulnerability in Android may leave users of Bitcoin mobile apps at risk. This week, Google’s Android Security Team confirmed and addressed the security concerns on their blog:

The Android security team has been investigating the root cause of the compromise of a bitcoin transaction that led to the update of multiple Bitcoin applications on August 11.

We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG. Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.

Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. A suggested implementation is provided at the end of this blog post. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandomKeyGeneratorKeyPairGeneratorKeyAgreement, andSignature.

In addition to this developer recommendation, Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.

It appears from this notice that consumers should expect their apps to be fixed in short order.

Bitcoin.org also published a synopsis of the problem and suggested solutions.

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Walletblockchain.info wallet, BitcoinSpinner and Mycelium Wallet. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.

Like this? Share it.TwitterFacebookGoogle+LinkedInReddittumblrbufferEmail