Google Determines Root Cause of Android Bitcoin Vulnerability, Offers Patch to Developers
You have to give a little credit to Google; just a couple of days after Bitcoin announced that it found vulnerabilities with Android wallets, the Android dev team figured out the root cause of the problem and issued patches to developers. (Google credited Soo Hyeon Kim and Daewan Han of ETRI and Dong Hoon Lee of Korea University for the heads-up.)
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” wrote Android Security Engineer Alex Klyubin in a blog post. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”
He also stated that applications using the HttpClient and java.net classes that make use of TLS/SSL connections aren’t affected. Klyubin offered suggestions for how to update applications to properly initialize the PRNG with entropy and offered patches to make sure it initializes as it should.
Cheers to the Android dev team for diving in and patching these vulnerabilities so quickly, although of course it would have been preferable that the problems never existed to begin with.
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” wrote Android Security Engineer Alex Klyubin in a blog post. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”
He also stated that applications using the HttpClient and java.net classes that make use of TLS/SSL connections aren’t affected. Klyubin offered suggestions for how to update applications to properly initialize the PRNG with entropy and offered patches to make sure it initializes as it should.
Cheers to the Android dev team for diving in and patching these vulnerabilities so quickly, although of course it would have been preferable that the problems never existed to begin with.
