Android, Bitcoin Security Concern

Tuesday, August 13, 2013 @ 12:08 PM gHale


As it seems with most things on Android these days, bitcoin wallets on Android are vulnerable to theft because of problems in a component that generates secure random numbers, developers said.

The problem is in the Android operating system and will affect bitcoin wallets generated by an Android app.

RELATED STORIES
Skype Malware Helps Mine for Bitcoins
Mobile Alert: Android Woes Continue
Mobile Malware: Organized, Profitable
Record Malware Growth Globally

Apps for which the user does not control the private keys are not affected, developers at Bitcoin.org wrote in a blog post. Exchange front ends like Coinbase or Mt. Gox apps are, for example, unaffected by the issue, since the private keys do not generate on the user’s Android phone.

Bitcoin uses public-key cryptography so each address ends up associated with a pair of mathematically linked public and private keys held in the wallet. The user signs a transaction to transfer bitcoins to somebody else with the private key, and the signature ends up validated using the public key.

“We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft,” the developers wrote.

In an alert on a Bitcoin developers forum, software developer Mike Hearn said the Android implementation of the Java SecureRandom class contains a number of serious vulnerabilities.

“As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen,” he said.

Some of the affected wallets like Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info are in various stages of preparing updates that will resolve the issue, said Bitcoin.org developers.

The developers recommended users generate a new address with a repaired random number generator and then send all the money in the wallet back to themselves.

“If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available,” according to the post. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

Key rotation on Bitcoin Wallet will happen automatically soon after users upgrade, and old addresses will be marked as insecure in the address book.

The virtual currency, which can transfer worldwide using peer-to-peer software, is facing bids to regulate it, including in the U.S.

The Financial Crimes Enforcement Network of the U.S Department of the Treasury, for example, ruled in March that Bitcoin exchanges and administrators are money services businesses (MSB) and must comply with anti-money-laundering regulations.



Leave a Reply

You must be logged in to post a comment.