Bitcoins at risk of theft on flawed Android apps

By Pia Gadkari, BBC News

Published 12 August 2013

A weakness in the Android mobile operating system has left users of the virtual currency Bitcoin vulnerable to theft, the Bitcoin Foundation has said.

The issue affects some Android "wallet" apps, the organisation said, including Bitcoin Wallet and BitcoinSpinner.

To protect an Android wallet, the developers said users must update their apps once a new version was available.

The news came as a US banking regulator ordered companies to co-operate with a probe into the way Bitcoin is used.

Bitcoin said the wallet problem had to do with Android's ability to generate sequences of secure random numbers needed to keep the wallets safe.

Analysts say Android's SecureRandom Java program sometimes repeats the number sequences, which must be unique in order to keep each Bitcoin secure.

Members of a Bitcoin forum have suggested that the equivalent of thousands of US dollars may have already been stolen.

Number sequences

"Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app," the Bitcoin statement said on Sunday.

The issue affects only programs where the number sequences - or private keys - are controlled on the user's device.

For wallet apps that were vulnerable, Bitcoin said it would be necessary to change keys.

This involves "generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself", according to the Bitcoin statement.

Some of the affected apps were in the process of updating their wallet apps to fix the problem, including Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and blockchain.info, Bitcoin said.

But experts say virtual currencies could face ongoing problems of a similar nature because of the way they have been designed.

Dr Joss Wright, a research fellow at the Oxford Internet Institute, said that cryptographers relied heavily on a computer's ability to generate random numbers in order to keep information secure. But, he added, computers did not always do this reliably.

"Choosing good random numbers is the key issue," Dr Wright said. "If the random numbers can be predicted by somebody else, this could lead to all sorts of security problems."

Meanwhile, the New York Department of Financial Services has told about two dozen firms associated with Bitcoin it wants information on anti-money-laundering programmes, consumer protection measures and investment strategies, .

The newspaper said there were concerns that virtual currency companies did not comply with money transfer rules and the state of New York was considering legislation aimed specifically at virtual currencies.