Watch your wallets. That was the bracing news for Bitcoin users running Bitcoin apps on Android devices. On Sunday, developers at Bitcoin.org announced that Bitcoin wallets in Android apps were at risk of theft.
Bitcoin is the virtual currency gaining widespread interest as a "new kind of money" with digital coins you can send over the Internet without going through a bank or clearing house.
According to the Sunday posting, the current problem is not with Bitcoin; it is with the Android operating system. The warning pertains to Bitcoin users with wallets generated by Android apps.
Digital wallets store Bitcoin addresses, which are cryptographic keys, from which Bitcoins are received or sent. The keys can be generated and managed by local apps or by online services.
What They Found
"We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses," according to the August 11 Bitcoin post. Though the list is incomplete, the examples of affected apps included Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.
Users of some apps, including coin exchanges Coinbase and Mt Gox, can breathe easier because the private keys for those apps are not generated on Android devices, the Bitcoin developers said.
However, any affected user was advised to generate a new address with a repaired random number generator. On another site, the Bitcoin Developers' Mailing List, Mike Hearn, Google security engineer, went into more detail.
Hearn said, "The Android implementation of the Java SecureRandom class contains multiple severe vulnerabilities. As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen."
Status of Updates
The good news is that those in charge of wallet apps know about this vulnerability and are preparing updates. Bitcoin Wallet and Mycelium Wallet have already made updates, available through the Google Play Store. Other firms are preparing updates now. Those with Android wallets are advised to check out the latest versions in the Play Store as soon as they are available.
Meanwhile, the Bitcoin developers issued this advice: "In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself."
Once your wallet is rotated, they added, you need to contact anyone with stored addresses generated by your phone and provide the new one. "If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade," they said. "The old addresses will be marked as insecure in your address book. You will need to make a fresh backup."
Cheers and Fears
The Bitcoin Foundation was created in September 2012 to protect and promote Bitcoin. According to Bitcoin, new users join Bitcoin every day. The total value of all Bitcoins in circulation exceeds $1.3 billion.
Nonetheless, not everyone loves Bitcoin or approves of its degree of anonymity. Earlier this year, the European Central Bank warned that money launderers and drug dealers might latch on to Bitcoin as a way of evading the law. Bitcoin is not engaged in criminal activity, but the fear is that criminals will take to Bitcoin for money laundering.
In the U.S., regulators are reviewing Bitcoin practices; American authorities have raised concerns that virtual-currency companies weren't complying with money-transmission laws. In March, the U.S. Department of the Treasury said money laundering rules that apply to traditional currency should also apply to virtual currency.