An Android security issue that led to Bitcoin theft


Google’s warning that Android-based Bitcoin wallets are susceptible to theft was confirmed earlier this month. The problem apparently originates from a security issue in the generation of secure random numbers. It appears to be Android’s fault, meaning that a wallet created with any app is at risk. Google has acknowledged the problem on the Android blogspot.

This security issue does not affect apps where end users have no control over the private keys, but it does affect the people who fall into the other group. Many of them have discussed this on Bitcoin forums. This prompted Google to investigate the matter further, which led it to find the problem.

According to the Android Developers blogspot, the problem stems from Java Cryptography Architecture issues. Alex Klyubin, an Android security engineer, says the following: “We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG. Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”

Google will rectify this issue by rolling out patches that should ensure that Android’s OpenSSL PRNG initializes properly. Additionally, it advises that developers must take some specific steps in updating their applications to remedy the situation. To find out more, please refer to the Android Developers blogspot.
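
As an added illustration (not code from Google, the Android Developers post, or any wallet app), one way an application can avoid depending on how the platform's default JCA PRNG was initialized is to hand key generation a SecureRandom that reads the kernel CSPRNG directly. The class names, the /dev/urandom path and the secp256r1 curve are assumptions chosen for this example.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

/** Added example: EC key generation fed directly from the kernel CSPRNG. */
public final class KernelSeededKeyGen {

    /** Hypothetical SPI that serves every request from /dev/urandom (Linux/Android path assumed). */
    static final class UrandomSpi extends SecureRandomSpi {
        @Override
        protected void engineNextBytes(byte[] out) {
            try (DataInputStream in = new DataInputStream(new FileInputStream("/dev/urandom"))) {
                in.readFully(out); // throws instead of accepting a short read
            } catch (IOException e) {
                // Never fall back to a weaker source: no entropy means no key.
                throw new SecurityException("cannot read /dev/urandom", e);
            }
        }

        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }

        @Override
        protected void engineSetSeed(byte[] seed) {
            // Caller-supplied seeds are ignored; the kernel pool is the only source.
        }
    }

    /** SecureRandom's SPI constructor is protected, so it is exposed through a subclass. */
    static final class UrandomSecureRandom extends SecureRandom {
        UrandomSecureRandom() { super(new UrandomSpi(), null); }
    }

    /** Generates a key pair without touching the default JCA PRNG (curve is an assumption). */
    public static KeyPair newSigningKey() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"), new UrandomSecureRandom());
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(newSigningKey().getPublic().getAlgorithm());
    }
}
```

Signing consumes randomness as well, so the same instance should also be passed to `Signature.initSign(PrivateKey, SecureRandom)` rather than letting the signature fall back to the default PRNG.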

The people at Ars Technica point out that this problem may extend beyond Bitcoins. Symantec actually posted a write-up of the issue before Google, stating that the number of apps affected can be in the six-digit range.