Security flaw leaves Android Bitcoin wallets vulnerable to theft

Bitcoin wallets generated on Android are thought to be suffering from a random number generation weakness.
Written by Liam Tung, Contributing Writer

Bitcoin wallets generated by Android devices are vulnerable to theft caused by a problem in the way Android generates random numbers.

Developers at Bitcoin.org issued an alert on Sunday strongly recommending Bitcoin owners using Android wallets update to new versions of their preferred wallet once they became available.

A number of Android Bitcoin wallets — such as Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and blockchain.info — were preparing updates that address the flaw, according to the Bitcoin.org notice.

According to a description of the flaw by Bitcoin Wallet, which has released a beta fix, "Android SecureRandom class has multiple severe bugs that render it useless for cryptographic purposes".

Bitcoin apps by exchanges such as Mt Gox and Coinbase are not affected since the private keys for those apps are not generated on the Android device.  

Technical details of the Android flaw have not been released. However, Bitcoin Magazine suggests the affected random number generator produces numbers that are not so random and points to a number of thefts that have occurred as a result of the flaw.

The fix involves generating a new address with a repaired random number generator. Users would then send the money in their existing wallet to the new one.

"Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one," Bitcoin.org developers noted. 

A member on the Bitcointalk.org forum also noted that keys generated by blockchain.info wallets on desktops or iPhone can also be vulnerable if payments were also made from an Android device. 

Editorial standards