Last week, about $5,720 of bitcoins were stolen out of a digital wallet and the reason is a weakness in Android’s Java Cryptography Architecture. Google security engineer Alex Klyubin confirmed this in a blog post earlier in the week. He also warned that other apps could be compromised unless developers change the way they access pseudo random number generators (PRNG).
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he wrote. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”
Recently, Symantec warned that as much as 360,000 Android apps rely on the SecureRandom, one of the programming services for generating random numbers provided by the JCA. The Android apps that were exploited in this most recent theft may have signed multiple transactions using an identical number that the apps thought were random. “Since transactions are public on the Bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the Bitcoin wallet without the owner's consent.”
Google recommends that developers update all apps that use JCA to “explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random.” They should also regenerate any cryptographic keys or other random values that were originally generated using JCA.
source: arstechnica
Come comment on this article: Google confirms cryptographic vulnerability in Android that resulted in $5,700 Bitcoin heist
No comments:
Post a Comment