Google has pushed out patches to partners to address a cryptographic vulnerability tied to the theft of bitcoins from Android users.
According Android security engineer Alex Klyubin, applications that use the Java Cryptography Architecture (JCA) for key generation, signing or random number generation may not receive cryptographically strong values on Android devices because of improper initialization of the underlying PRNG.
“Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected,” wrote Klyubin. “Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom.”
In addition, Google has developed patches to ensure Android’s OpenSSL PRNG is initialized correctly and provided them to Open Handset Alliance (OHA) partners.
The issue came to light after users of a Bitcoin forum reported Saturday their bitcoins had been stolen. According to Bitcoin.org, the problem can affect anyone with a bitcoin wallet generated by any Android app, including Bitcoin Wallet, BitcoinSpinner and Mycelium Wallet. Apps where users don’t control the private keys are not affected, such as exchange frontends like the Coinbase or Mt. Gox apps.
“If you can’t update your Android app, alternatively, you can send your bitcoins to a Bitcoin wallet on your computer until your Android app can be updated,” according to Bitcoin.org. “You should make sure not to send back your bitcoins to your old insecure addresses.”