Bitcoin wallets on Android at risk of theft, developers say

Users have been advised to generate a new address with a repaired random number generator

Bitcoin wallets on Android are vulnerable to theft because of problems in a component that generates secure random numbers, developers said.

The problem is said to be in the Android operating system and will affect bitcoin wallets generated by an Android app.

[ Stay ahead of the key tech business news with InfoWorld's Today's Headlines: First Look newsletter. | Read Bill Snyder's Tech's Bottom Line blog for what the key business trends mean to you. ]

Apps for which the user does not control the private keys are not affected, developers at Bitcoin.org wrote in a post on Sunday. Exchange front-ends like Coinbase or Mt. Gox apps are, for example, unaffected by the issue as the private keys are not generated on the user's Android phone.

Bitcoin uses public-key cryptography so that each address is associated with a pair of mathematically linked public and private keys that are held in the wallet. The user signs a transaction to transfer bitcoins to somebody else with the private key, and the signature is validated using the public key.

"We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft," the developers wrote.

In an alert on a Bitcoin developer forum, software developer Mike Hearn reported that the Android implementation of the Java SecureRandom class contains a number of serious vulnerabilities. "As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen," he added.

Some of the affected wallets like Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info are in various stages of preparing updates that will resolve the issue, according to the developers at Bitcoin.org.

The developers have recommended that users generate a new address with a repaired random number generator and then send all the money in the wallet back to themselves. "If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available," according to the post. "Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one." Key rotation on Bitcoin Wallet will happen automatically soon after users upgrade, and old addresses marked as insecure in the address book.

The virtual currency that can be transferred worldwide using peer-to-peer software is facing bids to regulate it, including in the U.S. The Financial Crimes Enforcement Network of the U.S Department of the Treasury, for example, ruled in March that Bitcoin exchanges and administrators are Money Services Businesses (MSBs) and must comply with anti-money laundering regulations.

New York Department of Financial Services has issued subpoenas to about 24 companies associated with bitcoin as part of an investigation into the virtual currency industry, according to The Wall Street Journal, which cited people familiar with the matter. A memo conveying concern about the companies' non-compliance with state money transmission laws is expected Monday, the newspaper said.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies