Bitcoin and the Android flaw

The Problem

Basically, the Java random number generator on earlier versions of Android did not produce genuinely random output.  That is a problem for Bitcoin apps that generate addresses on the device itself, because private keys derived from that output can be compromised.  Once a hacker has a hold of someone's private key, they can easily determine the corresponding address.  With that information, all they have to do is send the Bitcoins to another address.  That's it.
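To make the failure mode concrete, here is an added simulation (not code from the original post and not Android's actual RNG): a constructed "weak" key generator seeded from a value with only 60 possibilities, next to a correct one backed by the OS CSPRNG. It shows why a starved random source turns "one key per device" into a handful of shared keys, and includes the kind of coarse pre-flight self-test a wallet could run before trusting its generator. The names `weak_private_key`, `strong_private_key`, `simulate_fleet`, `duplicate_keys`, `keygen_self_test` and the 60-second window are all hypothetical.

```python
import random
import secrets

# Constructed assumption: the broken seed can take only 60 distinct values
# (think of a "boot second"), so at most 60 distinct keys can ever be produced.
ENTROPY_WINDOW = 60


def weak_private_key(boot_second: int) -> bytes:
    """Hypothetical stand-in for a platform RNG that never received real
    entropy: a deterministic PRNG seeded from a tiny value. NOT cryptographic."""
    rng = random.Random(boot_second % ENTROPY_WINDOW)
    return rng.getrandbits(256).to_bytes(32, "big")


def strong_private_key() -> bytes:
    """Correct key material: 32 bytes from the operating system's CSPRNG."""
    return secrets.token_bytes(32)


def simulate_fleet(num_devices: int, keygen) -> list:
    """Generate one key per device; keygen receives the device index, which
    the weak generator treats as its boot second."""
    return [keygen(i) for i in range(num_devices)]


def duplicate_keys(keys: list) -> dict:
    """Map hex-encoded key -> number of devices sharing it (repeats only).
    Any entry here means several wallets can spend each other's coins."""
    counts = {}
    for key in keys:
        counts[key] = counts.get(key, 0) + 1
    return {key.hex(): n for key, n in counts.items() if n > 1}


def keygen_self_test(keygen, samples: int = 1000) -> bool:
    """Coarse sanity check: a repeated key in `samples` draws is disqualifying.
    This catches gross failures like the one simulated here; it says nothing
    about subtle bias, so it complements rather than replaces a real CSPRNG."""
    keys = [keygen(i) for i in range(samples)]
    return len(set(keys)) == len(keys)


if __name__ == "__main__":
    weak = simulate_fleet(1000, weak_private_key)
    strong = simulate_fleet(1000, lambda _i: strong_private_key())
    print("distinct weak keys across 1000 devices:", len(set(weak)))
    print("devices sharing a weak key:", sum(duplicate_keys(weak).values()))
    print("distinct strong keys across 1000 devices:", len(set(strong)))
    print("self-test, weak generator:", keygen_self_test(weak_private_key))
    print("self-test, strong generator:",
          keygen_self_test(lambda _i: strong_private_key()))
```

Across 1000 simulated devices the weak generator yields only 60 distinct keys, every one of them shared, while the CSPRNG-backed generator yields 1000 distinct keys; the self-test fails the weak generator and passes the strong one. The defensive point is that key generation must draw from a source that is both unpredictable and properly seeded, and that a duplicate-key check across a fleet is a cheap way to notice when it is not.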

What should users do?

Upgrade to the latest version of Android as soon as possible.  Just to be safe, you may want to consider transferring all your Bitcoins to another address that was not generated on an Android device.  Online and offline wallets exist to facilitate this; examples include Armory and Blockchain.

What should developers do?

I've never been a fan of placing business logic inside a mobile application.  Instead, I would build a server-side application (possibly in the cloud) to generate the address and send it back to the mobile application.

What is the impact?

The impact seems to be minimal.  It appears that some Bitcoins were stolen, but not a whole lot.

Final Thoughts

My hope is that people are not discouraged from using Bitcoin because of this unfortunate incident.  Keep in mind that this was a flaw in the Android OS (one that affects other types of applications as well), not in the Bitcoin movement.