Watch your wallets. That was the bracing news for Bitcoin users with Android devices making use of Android Bitcoin apps. On Sunday, developers at Bitcoin.org announced that Bitcoin wallets on Android apps were at risk of theft.
Bitcoin is the virtual currency gaining widespread interest as a "new kind of money" with digital coins you can send over the Internet without going through a bank or clearing house.
According to the Sunday posting, the current problem is not with Bitcoin; it is with the Android operating system. The warning pertains to Bitcoin users with wallets generated by Android apps.
Digital wallets store Bitcoin addresses, which are cryptographic keys, from which Bitcoins are received or sent. The keys can be generated and managed by local apps or by online services.
What They Found
"We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses," according to the August 11 Bitcoin post. Though the list is incomplete, the examples of affected apps included Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.
Users of some apps, including coin exchanges Coinbase and Mt Gox, can breathe easier because the private keys for those apps are not generated on Android devices, the Bitcoin developers said.
However, any affected user was advised to generate a new address with a repaired random number generator. On another site, the Bitcoin Developers' Mailing List, Mike Hearn, Google security engineer, went into more detail.
Hearn said, "The Android implementation of the Java SecureRandom class contains multiple severe vulnerabilities. As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen."
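The "colliding R values" Hearn describes can be checked for from the defender's side. The following is an added example, not code from the article or from the Bitcoin developers: it parses DER-encoded ECDSA signatures and flags any key that produced the same r with different s values, which is the sign that the key needs rotating. It assumes plain DER signatures with no trailing Bitcoin sighash byte; the names `key_id` and `tx_id` and all sample values are constructed for illustration.

```python
from collections import defaultdict

def _read_der_int(buf, pos):
    """Read one short-form DER INTEGER at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length = buf[pos + 1]
    end = pos + 2 + length
    if length == 0 or length & 0x80 or end > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[pos + 2:end], "big"), end

def parse_der_signature(sig):
    """Return (r, s) from SEQUENCE { INTEGER r, INTEGER s }."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the expected length")
    r, pos = _read_der_int(sig, 2)
    s, pos = _read_der_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s

def find_reused_r(records):
    """records: (key_id, tx_id, der_sig). Report keys that reused r with different s."""
    seen = defaultdict(lambda: defaultdict(set))   # key_id -> r -> {(tx_id, s)}
    for key_id, tx_id, sig in records:
        r, s = parse_der_signature(sig)
        seen[key_id][r].add((tx_id, s))
    findings = []
    for key_id, by_r in seen.items():
        for r, uses in by_r.items():
            # Same r with different s means one nonce signed different messages.
            if len({s for _, s in uses}) > 1:
                findings.append((key_id, r, sorted(t for t, _ in uses)))
    return findings

def _der(r, s):  # helper used only to build the constructed sample below
    def enc(n):
        b = n.to_bytes((n.bit_length() + 8) // 8, "big")   # leading 0x00 keeps n positive
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample values, not real transactions or real curve points.
R_SHARED = 0xD47CE4C025C35EC4
SAMPLE = [
    ("key-A", "tx-a", _der(R_SHARED, 0x1111AAAA)),
    ("key-A", "tx-b", _der(R_SHARED, 0x2222BBBB)),   # same r, different s
    ("key-B", "tx-d", _der(0x0A0B0C0D0E0F1011, 0x4444DDDD)),
]
```

Calling `find_reused_r(SAMPLE)` reports `key-A` with the two transactions that share an r value.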
Status of Updates
The good news is that those in charge of wallet apps know about this vulnerability and are preparing updates. Bitcoin Wallet and Mycelium Wallet have already made updates, available through the Google Play Store. Other firms are preparing updates now. Those with Android wallets are advised to check out the latest versions in the Play Store as soon as they are available.
Meanwhile, the Bitcoin developers issued this advice: "In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself."