Bitcoin Wallets on Android at Risk of Theft

A further problem with Bitoin, beyond the government regulatory problem, is the question of how safe Bitcoin use is from a technical point of view. Given the extremely complex technical nature of the product, it is unclear what vulnerabilities surround Bitcoin that may be discovered in the future, similar to the recent discovery of vulnerabilities in the Andriod Bitcoin wallets.

PC World reports:

Bitcoin wallets on Android are vulnerable to theft because of problems in a component that generates secure random numbers, developers said.

The problem is said to be in the Android operating system and will affect bitcoin wallets generated by an Android app.

Apps for which the user does not control the private keys are not affected, developers at Bitcoin.org wrote in a post on Sunday. Exchange front-ends like Coinbase or Mt. Gox apps are, for example, unaffected by the issue as the private keys are not generated on the user's Android phone.

Bitcoin uses public-key cryptography so that each address is associated with a pair of mathematically linked public and private keys that are held in the wallet. The user signs a transaction to transfer bitcoins to somebody else with the private key, and the signature is validated using the public key."We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft," the developers wrote.

In an alert on a Bitcoin developer forum, software developer Mike Hearn reported that the Android implementation of the Java SecureRandom class contains a number of serious vulnerabilities. "As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen," he added.

Some of the affected wallets like Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info are in various stages of preparing updates that will resolve the issue, according to the developers at Bitcoin.org.