Android Bitcoin wallets left open to theft by security flaw

An Android security flaw has left Bitcoin wallets open to theft, Bitcoin.org has revealed.

The problem lies with a severe vulnerability in the way Android phones generate the random numbers used for private keys, which leaves any app that relies on that system open to theft. It has not been revealed how many Bitcoin users, if any, have been victims.

"We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft," a Bitcoin.org blog post reads.

"Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app."

Wallets which use Android's random number generator, and so are affected by the bug, include Bitcoin Wallet, blockchain.info, BitcoinSpinner and Mycelium Wallet.

Bitcoin Wallet and Mycelium Wallet have already made updates which solve the problem available through the Google Play Store, whilst the other firms are preparing updates now.

The Coinbase and Mt Gox apps are not impacted by the issue because the systems do not use private keys generated by Android.

Explaining the vulnerability in an email to Bitcoin developers, Mike Hearn, a security engineer at Google, said: "A few days ago we learned that the Android implementation of the Java SecureRandom class contains multiple severe vulnerabilities.

"As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen."

Wallets will be re-secured by generating a new private key, a process known as 'key rotation', which the updates perform automatically. The update bypasses the SecureRandom system to generate the new random key and then sends all funds to the new key.
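As an added example, not code from Bitcoin.org, the wallet projects or this article, the Python below shows the check that Hearn's remark about "colliding R values" implies from the defender's side: group a public key's ECDSA signatures by their R value and flag any R that recurs across different messages, since that is the condition under which a private key can be recovered from public data. It also shows the key-generation half of key rotation: drawing the replacement key from the operating system's CSPRNG via the `secrets` module, the analogue of the updates bypassing `SecureRandom`. The signature tuples are constructed sample values, and the names `find_r_collisions`, `fresh_private_key` and `audit_report` are chosen here.

```python
"""Audit ECDSA signatures for repeated R values (nonce reuse) and draw
replacement private keys from the OS CSPRNG rather than a library PRNG."""
from collections import defaultdict
import secrets

# Order n of the secp256k1 group used by Bitcoin; private keys lie in [1, n-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample data (not real chain values): (pubkey, r, s, msg_hash).
SAMPLE_SIGNATURES = [
    ("pk_A", 0x1111, 0x2222, 0xAAAA),
    ("pk_A", 0x1111, 0x3333, 0xBBBB),  # same key, same r, different message: nonce reuse
    ("pk_A", 0x1111, 0x2222, 0xAAAA),  # exact duplicate of the first signature (harmless)
    ("pk_B", 0x4444, 0x5555, 0xCCCC),
    ("pk_B", 0x6666, 0x7777, 0xDDDD),  # distinct r values: no evidence of reuse
]


def find_r_collisions(signatures):
    """Return {(pubkey, r): [(s, msg_hash), ...]} for every (pubkey, r) pair
    that signs two or more *different* messages.

    The R value of an ECDSA signature is derived only from the nonce k, so the
    same R under the same key on different messages means k was reused. An
    identical signature seen twice (same message, same s) is not a collision.
    """
    seen = defaultdict(list)
    for pubkey, r, s, msg_hash in signatures:
        seen[(pubkey, r)].append((s, msg_hash))
    return {
        key: sigs
        for key, sigs in seen.items()
        if len({msg_hash for _, msg_hash in sigs}) > 1
    }


def audit_report(signatures):
    """Sorted list of public keys whose signatures show nonce reuse."""
    return sorted({pubkey for pubkey, _ in find_r_collisions(signatures)})


def fresh_private_key(order=SECP256K1_N):
    """Draw a private key uniformly from [1, order-1].

    `secrets.randbelow` reads from os.urandom, i.e. the kernel's CSPRNG, so it
    does not depend on any userland PRNG state the way the flawed
    SecureRandom implementation did.
    """
    return 1 + secrets.randbelow(order - 1)


if __name__ == "__main__":
    for (pubkey, r), sigs in find_r_collisions(SAMPLE_SIGNATURES).items():
        print(f"{pubkey}: R={r:#x} reused across {len(sigs)} signatures")
    for pubkey in audit_report(SAMPLE_SIGNATURES):
        print(f"{pubkey}: rotate to new key {fresh_private_key():#066x}")
```

The audit is a pure function over whatever signature records you can collect (for example, signatures extracted from a wallet's own transaction history), and the rotation step only produces the replacement key; moving funds and updating address books is wallet-specific and outside this snippet.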

"Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one," explains Bitcoin.org.

"If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup."

Image credit: Flickr (zcopley)