Google delivers patch for Android SecureRandom implementation
Posted on 16 August 2013.
An Android security engineer has again confirmed the existence of the vulnerability that made the most popular Bitcoin wallet apps for the platform open to attack, and offered help for developers.

As a reminder: the poor Android implementation of the Java SecureRandom class made all private keys generated on Android devices weak and easily worked out by attackers.

As each Bitcoin transaction must be signed with the private key associated with the Bitcoin address of the person that intends to transfer money, it's easy to see how knowing someone's cryptographic private key might allow a malicious individuals to empty that person's wallet.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG," he explained in a blog post.

"Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom. Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random."

He also included a suggested implementation in the blog post, and confirmed that Google has developed patches that ensure that Androidís OpenSSL PRNG is initialized correctly and has delivered those patches to Open Handset Alliance partners.

The Bitcoin Foundation has also updated its initial post notifying users of the problem by confirming that Bitcoin Wallet, BitcoinSpinner, Mycelium Bitcoin Wallet and the blockchain.info app have all been updated to resolve the issue. They have also included instructions for users on what to do after they download and install these latest versions, or in case they can't update their Android app.









Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //