Early this week, Bitcoin made an announcement that disclosed a security vulnerability on the Android platform that lead to insecure Bitcoin wallets. The Android security team investigated the issue and has published details about the bug as well as an upcoming fix.

The root of the problem lies with Android’s Pseudo-Random Number Generator (PRNG), a component that generates an “almost” random number which can then be used to generate or sign cryptographic keys. But in order for it to work properly, the PRNG must be initialized properly with a seed value that will determine the randomness of the value produced, ensuring the strength of the cryptography.

Apparently, Android apps that use the Java Cryptography Architecture (JCA) only get weak cryptographic values because the PRNG isn’t being initialized properly, making those apps vulnerable to exploits. Unfortunately, this affects not only Bitcoin apps but a huge number of Android apps that use some form of cryptography, particularly those that use certain classes such as SecureRandom, KeyGenerator, Signature, and more.

Developers in the community, as well as those interested in security systems, might want to take note of this. The Android security team has published an example of how to properly initialize the PRNG and leaves it to developers to decide whether they have to regenerate cryptographic keys from their apps. A patch for Android has also been provided to Open Handset Alliance (OHA) partners, meaning device manufacturers and carriers, but it will probably take some time before it trickles down to end users.

SOURCE: Android Developers