Menu
Google patches Android after Bitcoin wallet issue

Google patches Android after Bitcoin wallet issue

Applications that used the random number generator within Android could be at risk

Google is distributing patches for a cryptography flaw in Android that may affect hundreds of thousands of applications.

The patches have been passed to partners belonging to the Open Handset Alliance, a trade group dedicated to development of Android, wrote Alex Klyubin, an Android security engineer.

Affected applications are those that rely on the pseudo random number generator (PRNG) within the Java Cryptography Architecture or "directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android," Klyubin wrote.

Random numbers are used in part to generate secure encryption keys and for other cryptography processes. In some cases, the numbers were not "cryptographically strong values," Klyubin wrote.

Application developers are advised to "evaluate whether to regenerate cryptographic keys or other random values previously generated," he wrote.

The flaw became widely known after a Bitcoin developer group warned Sunday that it made bitcoins stored in some Android software clients vulnerable to theft.

According to a post on a popular Bitcoin forum on Saturday, several users reported they were victims of theft, with their coins sent to an address that had amassed 55.82 bitcoins, worth around US$6,200 at market price on Thursday.

In the case of the Bitcoin clients, the random numbers are used to formulate transaction IDs that are entered into the blockchain, the public ledger of Bitcoin transactions.

If the same random number is used in some transactions associated with the same Bitcoin address, it could allow an attacker to figure out the private key. With the private key, an attacker could steal someone's bitcoins.

At least four Android Bitcoin clients -- Bitcoin Wallet, Blockchain, Mycelium Bitcoin Wallet and BitcoinSpinner -- were fixed just before Google's patch release.

Symantec found that as many as 360,000 other Android applications rely on the component in a similar fashion as the Bitcoin software applications.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityGooglepatchesExploits / vulnerabilities

Featured

Slideshows

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Kiwi channel debates GDPR as Reseller News Exchange hits Wellington

Kiwi channel debates GDPR as Reseller News Exchange hits Wellington

This exclusive Reseller News Exchange, in association with Arrow ECS ANZ, ForeScout and StorageCraft, went on the road to debate the early implications of GDPR in New Zealand, extracting opportunities while evaluating challenges for the channel in the year ahead.

Kiwi channel debates GDPR as Reseller News Exchange hits Wellington
Show Comments