Google confirms Bitcoin-theft vulnerability in Android

An initialisation flaw within the Java Cryptography Architecture has been patched, but not before leaving Android vulnerable to attacks resulting in Bitcoin theft.

Google has verified that a vulnerability that existed within Android allowed for the reported theft of up to 55 bitcoins over the weekend.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialisation of the underlying PRNG (Pseudorandom number generator)," said Alex Klyubin, Android security engineer, in a blog post.

Klyubin said Android applications that used the "system-provided OpenSSL PRNG without explicit initialisation" were also affected by the issue.

The solution to the issue is to properly seed any PRNG with values from /dev/urandom, and Google suggests that developers look to regenerate any keys or random values previously generated by JCA APIs.
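The advice above can be sketched in Java as follows. This is an added example, not code from Google's blog post or from any affected wallet; the class name, the 32-byte seed size and the choice of an EC key pair are assumptions made for illustration.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

// Hypothetical helper class (not from the article): seed explicitly, then regenerate keys.
public class UrandomSeededKeys {
    private static final String URANDOM = "/dev/urandom";
    private static final int SEED_BYTES = 32; // assumption: 256 bits of seed material

    /** Reads exactly n bytes from the kernel CSPRNG; a short read raises an exception. */
    static byte[] readUrandom(int n) throws IOException {
        byte[] buf = new byte[n];
        try (DataInputStream in = new DataInputStream(new FileInputStream(URANDOM))) {
            in.readFully(buf); // throws EOFException instead of returning a partial buffer
        }
        return buf;
    }

    /** Returns a SecureRandom that has been fed /dev/urandom bytes before any output is drawn. */
    static SecureRandom seededRandom() throws IOException {
        SecureRandom rng = new SecureRandom();
        rng.setSeed(readUrandom(SEED_BYTES));
        return rng;
    }

    /** Generates a replacement key pair, passing the seeded RNG explicitly rather than using the default. */
    static KeyPair regenerateKeyPair(SecureRandom rng) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256, rng); // key size is an assumption for this example
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = seededRandom();
        KeyPair fresh = regenerateKeyPair(rng);
        System.out.println("Regenerated key pair, algorithm: " + fresh.getPublic().getAlgorithm());
    }
}
```

Keys or random values produced before the explicit seeding was in place should be treated as suspect and replaced, which is why the example regenerates the key pair instead of reusing a stored one.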

The Android security team has patched the issue in Android's OpenSSL PRNG, and those patches have been provided to Open Handset Alliance members.

The issue with Android's cryptography came to light over the weekend, when reports surfaced that Bitcoin wallets generated on Android were being drained. A number of Bitcoin applications moved quickly to resolve the issue.

However, the solution involved creating a new wallet, and transferring all Bitcoins from the old wallet to the new one.