Author: Mike Hearn 2013-08-11 16:28:13
Published on: 2013-08-11T16:28:13+00:00
A public security alert has been issued on Bitcoin.org regarding the Android implementation of the Java SecureRandom class, which contains multiple vulnerabilities. As a result, all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen. An update for the Bitcoin Wallet app has been prepared that bypasses the system SecureRandom implementation and reads directly from /dev/urandom instead, which is believed to be functioning correctly. The process is automatic and does not involve user intervention.Andreas can control the process via a percentage throttle, which will be used to slow things down if the memory pool load gets too high. A fixed APK is available for download, and Andreas plans to release this to beta either today or tomorrow. Other wallet maintainers have also been notified and are working on similar updates. Once some reasonable population of users has completed testing the automated re-keying process, it will be released via the Play Store. All users will get a notification informing them of the new version, and some will be upgraded automatically.
Updated on: 2023-06-07T15:47:19.464822+00:00