On 11th August 2013, Bitcoin.org reported that a component of Android responsible for generating secure random numbers contains critical weaknesses. The organization concluded that this may have rendered all Android wallets generated to date vulnerable to theft.
Because the problem was specific to Android, the organization advised that anyone who has a wallet generated by any Android app needs to fix it. Bitcoin.org had earlier reported that apps that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.
Affected customers then complained that they had lost Bitcoin. To prevent further losses, Bitcoin.org advised customers to re-secure existing wallets by key rotation, i.e. generate a new address with a repaired random number generator and send the entire balance of the wallet to that new address.
Upgrade to the Latest Android Version
Bitcoin.org also recommended that Android wallet users upgrade to the latest version. Users can upgrade the Android wallet through the Play Store and then perform the strongly recommended key rotation. They will also need to contact everyone who has stored addresses generated by their phone and give them a new one.
The organization also recommends an alternative for users who are unable to update their Android app: they can send their Bitcoins to a Bitcoin wallet on their computer and, once their Android app is updated and working, transfer them on to a new address. However, Bitcoin.org warns users not to send their Bitcoins back to their old, insecure addresses.
“Google Distributing Patches for Cryptography Flaw in Android” Alex Klyubin, an Android security engineer
Recognizing the gravity of the problem, Google is distributing patches for the cryptography flaw in Android. It is now passing the patches to partners in the Open Handset Alliance, a trade group dedicated to the development of Android. Alex Klyubin said that the affected applications are those that rely on the pseudo-random number generator (PRNG) within the Java Cryptography Architecture.
He also said that apps that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android may be affected as well. Reports indicate that several Android Bitcoin clients, including Blockchain, Bitcoin Wallet, Mycelium Bitcoin Wallet and BitcoinSpinner, have already been fixed.
To contact the reporter of this story: Jonathan Millet at firstname.lastname@example.org