
Developers find Android flaw that makes bitcoin wallets vulnerable to theft

An Android flaw puts every bitcoin wallet that signs transactions on Google's mobile platform at risk. Here's what to do.

Updated Sep 10, 2021, 11:28 a.m. Published Aug 11, 2013, 10:46 p.m.

Android wallet users were sent into a panic over the weekend, after a flaw was found in Google's mobile operating system that rendered keys and transaction signatures generated on it unsafe.

According to Mike Hearn, the forum contributor who reported the bug, the way in which random numbers are generated in Android is flawed. Every signature that spends from a bitcoin address needs, besides the private key, a fresh secret random number (the ECDSA nonce). The flawed generator can hand out the same number more than once, and if two signatures made with the same private key share a nonce, anyone holding both signatures can compute the private key and take control of the address.

This problem affects any Android-based bitcoin wallet user who has signed more than one transaction from the same bitcoin address. An attacker can recover that user's private key by analyzing the two transactions in the block chain, which lets them spend bitcoins from that address.

If an Android wallet has spent from the same bitcoin address more than once, the same nonce may have been used twice, and the bitcoins at that address are in danger.

The solution is to generate a new bitcoin address using a repaired version of the random number generator, and then to send all the coins in your wallet to that new address, according to Bitcoin.org. This relies on getting an updated version of your Android wallet if you're still going to use an Android-based app.

Hearn reports that an update of Andreas Schildbach's Bitcoin Wallet has been prepared and is undergoing testing (a manual install is available via this forum posting for bitcoin users).

BitcoinSpinner is preparing an update, as is Mycelium Wallet. Blockchain.info has released an update, according to Hearn, which allows users to manually rotate keys. Another update in the next few days will automatically send all coins controlled by previous keys to the new one.

In the meantime, however, bitcoins are reportedly being stolen from compromised addresses. Over 55 bitcoins are said to have been sent to this address from compromised addresses.

The upshot of all this is that bitcoin users will learn something: never use the same bitcoin address twice. We have always known that not reusing addresses makes you less trackable online. It also protects against exploits such as this one, because an attacker needs two signatures made with the same private key, and a never-reused address only ever produces one. The fault lies not with the bitcoin network at all, but with a flaw in a platform supporting third-party bitcoin wallet services.

It's also worthwhile transferring coins from an online bitcoin address to a 'cold' offline wallet, leaving just enough coins in your hot wallet to cover everyday transactions.

Finally, once your bitcoins have been transferred to the new, safe address, back up your wallet.

Image credit: Flickr / pittaya
