[liberationtech] Google confirms critical Android crypto flaw
Maxim Kammerer
mk at dee.su
Thu Aug 15 03:29:54 PDT 2013
On Thu, Aug 15, 2013 at 7:14 AM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> The only silver lining from their post was that HTTP/SSL connections
> were not affected, so this only really affects apps that are
> generating keys at the Java layer, which include apps like Android
> Privacy Guard (APG) and our own Gibberbot.
I have a hard time trying to figure out from Alex Klyubin's blog post
[1] just what the problem in affected Android class libraries was. Did
they forget to include a urandom-backed SecureRandom provider? Or set
it as one with highest priority? Or they did it include it, but it
wasn't registered as SHA1PRNG that people used?
Did Google implement its Java standard library subset from scratch
(i.e., not based on GNU Classpath or similar)?
[1] http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html
--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
More information about the liberationtech
mailing list