Google is distributing patches for a cryptography flaw in Android that may affect hundreds of thousands of applications.
The patches have been passed to partners belonging to the Open Handset Alliance, a trade group dedicated to development of Android, wrote Alex Klyubin, an Android security engineer.
Affected applications are those that rely on the pseudo random number generator (PRNG) within the Java Cryptography Architecture or “directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android,” Klyubin wrote.
Random numbers are used in part to generate secure encryption keys and for other cryptography processes. In some cases, the numbers were not “cryptographically strong values,” Klyubin wrote.
Application developers are advised to “evaluate whether to regenerate cryptographic keys or other random values previously generated,” he wrote.
The flaw became widely known after a Bitcoin developer group warned Sunday that it made bitcoins stored in some Android software clients vulnerable to theft.
According to a post on a popular Bitcoin forum on Saturday, several users reported they were victims of theft, with their coins sent to an address that had amassed 55.82 bitcoins, worth around US$6,200 at market price on Thursday.
In the case of the Bitcoin clients, the random numbers are used to formulate transaction IDs that are entered into the blockchain, the public ledger of Bitcoin transactions.
If the same random number is used in some transactions associated with the same Bitcoin address, it could allow an attacker to figure out the private key. With the private key, an attacker could steal someone’s bitcoins.
At least four Android Bitcoin clients — Bitcoin Wallet, Blockchain, Mycelium Bitcoin Wallet and BitcoinSpinner — were fixed just before Google’s patch release.
Symantec found that as many as 360,000 other Android applications rely on the component in a similar fashion as the Bitcoin software applications.