Google Determines Root Cause of Android Bitcoin Vulnerability, Offers Patch to Developers
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” wrote Android Security Engineer Alex Klyubin in a blog post. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”
He also stated that applications that establish TLS/SSL connections through the HttpClient and java.net classes aren’t affected. Klyubin suggested how developers can update their applications to properly initialize the PRNG with entropy, and offered patches to make sure it initializes as it should.
Cheers to the Android dev team for diving in and patching these vulnerabilities so quickly, although of course it would have been preferable that the problems never existed to begin with.