[liberationtech] Google confirms critical Android crypto flaw

Nadim Kobeissi nadim at nadim.cc
Wed Aug 14 21:07:15 PDT 2013


Hey Libtech,
Hot on the heels of last week's Bitcoin wallet for Android heist, Google has confirmed that this was due to a critical crypto flaw in Android, which could affect security in thousands of apps according to Ars Technica:

"Google developers have confirmed a cryptographic vulnerability in the Android operating system that researchers say could generate serious security glitches on hundreds of thousands of end user apps, many of them used to make Bitcoin transactions.

[…]

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG," he wrote. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected."

http://arstechnica.com/security/2013/08/google-confirms-critical-android-crypto-flaw-used-in-5700-bitcoin-heist/

NK