Android Security Vulnerability

11 August 2013

What happened

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, it affects you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, wallet, BitcoinSpinner and Mycelium Wallet. Apps where you don't control the private keys at all are not affected; for example, exchange frontends like the Coinbase or Mt Gox apps are not impacted, because the private keys are not generated on your Android phone.

What has been done

Updates have been prepared for the following wallet apps:

  • Bitcoin Wallet: Update 3.15 can be installed from Google Play or Google Code. Key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.
  • BitcoinSpinner: Update 0.8.3b can be installed from Google Play or Google Code. On startup it will advise you on how to proceed.
  • Mycelium Bitcoin Wallet: Update 0.7.0 can be installed from Google Play or A wizard will guide you through the process of moving your bitcoins to newly generated addresses, and put the old keys into archive mode.
  • Update 3.54 can be installed from Google Play. Version 3.54 and above includes an automatic re-keying wizard. Simply update to the latest version and follow the onscreen instructions. Please make a fresh wallet backup after the process completes.

What you should do

To re-secure existing wallets, key rotation is necessary: generate a new address with a repaired random number generator, then send all the money in your wallet back to yourself at that new address. If you use an Android wallet, we strongly recommend that you upgrade to the latest version in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you can't update your Android app, you can instead send your bitcoins to a Bitcoin wallet on your computer until the app can be updated. Make sure not to send your bitcoins back to your old, insecure addresses.
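The rotation procedure described above, written out as an added example (it is not part of this notice or of any of the listed apps): a fresh key is drawn from the operating system's CSPRNG rather than the affected Android component, every address the phone generated before the fix is flagged as insecure, and the sweep plan refuses a destination that is itself one of those insecure addresses. Addresses and balances are constructed placeholders, and `generated_on_android` is an assumed input listing the phone-generated addresses.

```python
import secrets

# secp256k1 group order: a valid Bitcoin private key is an integer in [1, N-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def generate_private_key(rng=secrets.token_bytes):
    """Draw a fresh key from the OS CSPRNG (not the affected Android component).

    Rejection-samples so the result is uniform on [1, N-1]. The rng parameter
    exists only so a test can inject a byte source and see rejection happen.
    """
    while True:
        k = int.from_bytes(rng(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


def mark_insecure(wallet, generated_on_android):
    """Flag every address the phone generated before the fix as insecure."""
    for entry in wallet:
        if entry["address"] in generated_on_android:
            entry["insecure"] = True
    return wallet


def plan_rotation(wallet, destination):
    """Sweep all funds on insecure addresses to one freshly generated address.

    Refuses a destination that is itself insecure: that is the mistake the
    notice warns about (sending coins back to an old address).
    """
    insecure = {e["address"] for e in wallet if e.get("insecure")}
    if destination in insecure:
        raise ValueError("destination is an insecure address; rotation would be pointless")
    inputs = [e for e in wallet if e.get("insecure") and e["balance"] > 0]
    return {
        "spend_from": [e["address"] for e in inputs],
        "send_to": destination,
        "amount_sat": sum(e["balance"] for e in inputs),
        "tell_payers_to_use": destination,  # payers holding old addresses need the new one
    }


# Constructed sample wallet; the address strings are placeholders, not real addresses
SAMPLE_WALLET = [
    {"address": "old-android-addr-1", "balance": 150_000},
    {"address": "old-android-addr-2", "balance": 0},
    {"address": "desktop-addr-1", "balance": 20_000},
]
```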

This notice last updated: Tue, 13 Aug 2013 13:51:00 UTC