Security flaw leaves Android Bitcoin wallets vulnerable to theft

Summary: Bitcoin wallets generated on Android are thought to be suffering from a random number generation weakness.

Bitcoin wallets generated by Android devices are vulnerable to theft caused by a problem in the way Android generates random numbers.

Developers at Bitcoin.org issued an alert on Sunday strongly recommending that Bitcoin owners using Android wallets update to new versions of their preferred wallet once they become available.

A number of Android Bitcoin wallets — such as Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and blockchain.info — were preparing updates that address the flaw, according to the Bitcoin.org notice.

According to a description of the flaw by Bitcoin Wallet, which has released a beta fix, "Android SecureRandom class has multiple severe bugs that render it useless for cryptographic purposes".

Bitcoin apps by exchanges such as Mt Gox and Coinbase are not affected since the private keys for those apps are not generated on the Android device.  

Technical details of the Android flaw have not been released. However, Bitcoin Magazine suggests the affected random number generator produces numbers that are not so random and points to a number of thefts that have occurred as a result of the flaw.

The fix involves generating a new address with a repaired random number generator. Users would then send the money in their existing wallet to the new one.

"Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one," Bitcoin.org developers noted. 

A member of the Bitcointalk.org forum noted that keys generated by blockchain.info wallets on desktops or iPhones can also be vulnerable if payments were made from an Android device.


About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
