An Android security engineer has again confirmed the existence of the vulnerability that made the most popular Bitcoin wallet apps for the platform open to attack, and offered help for developers.
As a reminder: the poor Android implementation of the Java SecureRandom class made all private keys generated on Android devices weak and easily worked out by attackers.
As each Bitcoin transaction must be signed with the private key associated with the Bitcoin address of the person that intends to transfer money, it’s easy to see how knowing someone’s cryptographic private key might allow a malicious individuals to empty that person’s wallet.
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he explained in a blog post.
“Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom. Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random.”
He also included a suggested implementation in the blog post, and confirmed that Google has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly and has delivered those patches to Open Handset Alliance partners.
The Bitcoin Foundation has also updated its initial post notifying users of the problem by confirming that Bitcoin Wallet, BitcoinSpinner, Mycelium Bitcoin Wallet and the blockchain.info app have all been updated to resolve the issue. They have also included instructions for users on what to do after they download and install these latest versions, or in case they can’t update their Android app.