Google has today confirmed that a vulnerability in its Android operating system could cause serious security weaknesses in hundreds of thousands of end-user Android applications.
The cryptographic vulnerability in the Android operating system was discovered by Google developers and was disclosed yesterday in a post by Google security engineer Alex Klyubin.
The Android vulnerability is thought to have been used by malicious hackers to carry out a Bitcoin transaction that reportedly stole around $5,720 worth of bitcoins from a digital wallet last week.
Google has warned that other Android applications might be at risk if developers do not change the way they access PRNGs (pseudo-random number generators). However, applications that establish encrypted connections using the HttpClient and java.net classes aren't vulnerable, says Google. Alex Klyubin explains in more detail in his post:
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he wrote. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”
“Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. A suggested implementation is provided at the end of this blog post. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.”
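To make the advice in the quote concrete, here is an added example (written for this article, not the suggested implementation from Klyubin's Android Developers blog post and not Google's code) of one way an application can stop depending on a userspace PRNG that may have been initialised from a weak seed: a `SecureRandom` whose output comes straight from the kernel's `/dev/urandom`, installed as the highest-priority provider so that existing `SecureRandom`, `KeyGenerator` and `Signature` calls pick it up. The class names `UrandomSecureRandom`, `UrandomSpi` and `UrandomProvider` are assumptions chosen for the example; the only assumption about the platform is that it is Linux-based and exposes `/dev/urandom`.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.security.Security;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Example for this article (hypothetical names): a SecureRandom backed by the
 * kernel's /dev/urandom instead of a userspace PRNG whose initial state may be
 * weak. Not the reference implementation from the Android Developers blog.
 */
public final class UrandomSecureRandom {

    /** SPI that reads every requested byte from /dev/urandom (never blocks). */
    static final class UrandomSpi extends SecureRandomSpi {
        private static final File URANDOM = new File("/dev/urandom");
        private static final Object LOCK = new Object();
        private static DataInputStream in;

        @Override
        protected void engineSetSeed(byte[] seed) {
            // Caller-supplied seed material is ignored: the kernel pool is the
            // only source, so an application cannot accidentally replace the
            // state with a low-entropy value (which is what bit the affected
            // PRNG). Mixing the seed into /dev/urandom would be the alternative.
        }

        @Override
        protected void engineNextBytes(byte[] bytes) {
            try {
                synchronized (LOCK) {
                    if (in == null) {
                        in = new DataInputStream(new FileInputStream(URANDOM));
                    }
                    in.readFully(bytes); // fill the whole buffer or throw
                }
            } catch (IOException e) {
                throw new SecurityException("Failed to read from /dev/urandom", e);
            }
        }

        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }
    }

    /**
     * Provider registering the SPI under the standard "SHA1PRNG" name, so both
     * SecureRandom.getInstance("SHA1PRNG") and new SecureRandom() resolve to it
     * once this provider is first in the provider list.
     */
    static final class UrandomProvider extends Provider {
        UrandomProvider() {
            super("UrandomSecureRandomProvider", 1.0, "SecureRandom backed by /dev/urandom");
            put("SecureRandom.SHA1PRNG", UrandomSpi.class.getName());
            put("SecureRandom.SHA1PRNG ImplementedIn", "Software");
        }
    }

    /** Install once, as early as possible (e.g. Application.onCreate()), before any key is generated. */
    public static void install() {
        if (!new File("/dev/urandom").exists()) {
            throw new SecurityException("/dev/urandom is not available on this device");
        }
        Provider[] current = Security.getProviders("SecureRandom.SHA1PRNG");
        if (current != null && current.length > 0
                && current[0].getClass() == UrandomProvider.class) {
            return; // already installed at top priority
        }
        Security.insertProviderAt(new UrandomProvider(), 1);
    }

    /** Sanity check: confirm which provider now serves SecureRandom, then derive a fresh key from it. */
    public static void main(String[] args) throws Exception {
        install();
        SecureRandom sr = new SecureRandom();
        System.out.println("SecureRandom provider: " + sr.getProvider().getName());

        // Keys generated before the fix should be treated as suspect and
        // regenerated; passing the kernel-backed SecureRandom explicitly makes
        // the entropy source unambiguous.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, sr);
        SecretKey fresh = kg.generateKey();
        System.out.println("Generated " + fresh.getEncoded().length * 8 + "-bit AES key");
    }
}
```

Two design points worth noting: the provider is inserted at position 1 rather than appended, because JCA resolves `new SecureRandom()` to the first provider offering a `SecureRandom` service, so appending would leave the old implementation in use; and `engineSetSeed` deliberately does not let callers replace the state, since the defect being mitigated was precisely that a PRNG could end up running on a predictable initial seed.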
For more information about the critical Android crypto flaw, jump over to the Android Developers blog for full details.
Source: Ars Technica