Google patches Android flaw that led to Bitcoin theft
Google (NASDAQ:GOOG) is distributing patches for an Android cryptography flaw that renders Bitcoin wallets vulnerable to theft.

On Aug. 11, Bitcoin--a crypto-currency that enables consumers to transfer funds through a computer or smartphone without an intermediate financial institution--revealed that an Android component responsible for generating secure random numbers contains critical weaknesses, opening Android wallets to potential attack. "Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app," Bitcoin said. At least one Bitcoin wallet theft has been reported, with attackers allegedly pilfering more than $5,700.

Google confirmed the Bitcoin vulnerability Wednesday. "We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying [pseudorandom number generator]," writes Android security engineer Alex Klyubin on the Android Developers Blog. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and classes are not affected."

Google Open Handset Alliance partners are now receiving patches that properly initialize Android's OpenSSL PRNG, Klyubin stated. He also urges developers who leverage JCA for key generation, signing or random number generation to update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. "Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement and Signature," Klyubin added.
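As an added example (not code from Google's post, Klyubin's fix, or this article), here is one form of the mitigation just described for the JCA path: a SecureRandom implementation that reads the kernel's /dev/urandom directly and registers itself ahead of the platform provider, so key generation and signing no longer depend on the improperly initialized Android PRNG. The class and provider names are my own.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.security.Security;

/** SecureRandom backed directly by the kernel's /dev/urandom (hypothetical helper). */
public final class UrandomSecureRandom extends SecureRandomSpi {
    private static final File URANDOM = new File("/dev/urandom");
    private static DataInputStream in; // shared stream, opened lazily

    private static synchronized DataInputStream stream() throws IOException {
        if (in == null) in = new DataInputStream(new FileInputStream(URANDOM));
        return in;
    }

    @Override protected void engineSetSeed(byte[] seed) {
        // The kernel pool supplies the entropy; a caller-provided seed is ignored
        // rather than used to replace it.
    }

    @Override protected void engineNextBytes(byte[] bytes) {
        try { stream().readFully(bytes); }
        catch (IOException e) { throw new SecurityException("cannot read /dev/urandom", e); }
    }

    @Override protected byte[] engineGenerateSeed(int numBytes) {
        byte[] seed = new byte[numBytes];
        engineNextBytes(seed);
        return seed;
    }

    /** Provider that maps the default "SHA1PRNG" algorithm name to this implementation. */
    public static final class UrandomProvider extends Provider {
        public UrandomProvider() {
            super("UrandomProvider", 1.0, "SecureRandom backed by /dev/urandom");
            put("SecureRandom.SHA1PRNG", UrandomSecureRandom.class.getName());
        }
    }

    /** Install at highest priority (e.g. from Application.onCreate()) before any key use. */
    public static void install() {
        if (!(Security.getProviders()[0] instanceof UrandomProvider)) {
            Security.insertProviderAt(new UrandomProvider(), 1);
        }
        SecureRandom r = new SecureRandom(); // verify the swap actually took effect
        if (!"UrandomProvider".equals(r.getProvider().getName())) {
            throw new SecurityException("unexpected SecureRandom provider: " + r.getProvider());
        }
    }
}
```

This covers only SecureRandom obtained through the JCA; the system OpenSSL PRNG that Klyubin mentions is a separate pool and is addressed by the platform patches rather than by this provider.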

More than 360,000 Android apps make use of SecureRandom and roughly 320,000 of them use SecureRandom in the same way the Bitcoin wallets did, security software firm Symantec reports.

For more:
- read this Android Developers Blog post
- read this Ars Technica article
