Android Bitcoin Wallet Issue Points Out Critical Need for Mobile App Management

The bitcoin wallet issue arises from a flaw in the Android random number generator which, warned bitcoin.org, renders “all Android wallets generated to date vulnerable to theft.”

The flaw means that attackers can access user data and transfer funds from a Bitcoin wallet without the owner’s consent.

“This is yet another example of how a seemingly innocent mobile application can have disastrous consequences should a security breach take place; a problem that is ever-increasing with the changing dynamics of the work-life balance,” said Stephen Midgley, vice president of global marketing at Absolute Software, in an email to Infosecurity.

He added, “While applications help facilitate our everyday lives, they have opened up a wealth of new opportunities for data hackers, and increase the likelihood of a loss of personal and work related data; a problem that has plagued IT leaders for a while.”

In terms of a remediation plan, having a device management policy in place would allow potentially dangerous applications like Android’s Bitcoin wallet to become blacklisted on work devices, and therefore allow companies to take back control of their critical data, he advises.

Absolute Software conducted a survey of 1,200 IT decision-makers on the worst three apps that an employee can download. Unsurprisingly, gambling sites came out on top, followed by social networking, and then file-sharing sites. While these applications help facilitate the growing mobile working trend, the survey found that 57% of IT decision-makers had blacklisted Dropbox and YouSendIt on the basis that they could compromise data security. Social networking apps like Facebook had been blacklisted by 63% of those surveyed, with many believing that they could lead to the leaking of company secrets.

“It becomes clear that as the mobile working trend only grows stronger and stronger, companies have to work even harder to ensure that their data is kept secure,” Midgley said. “With so many more access points to critical data, hackers have many more opportunities for targeting an organization, and as the work-life balance continues to merge, the chances of an accidental outage by an employee become more likely.”

As Infosecurity reported earlier in the week, the New York Department of Financial Services has subpoenaed 22 digital currency companies and investors, and is investigating the regulatory guidelines that should be put in place.

The bitcoin wallet issue arises from a flaw in the Android random number generator which, warned bitcoin.org, renders “all Android wallets generated to date vulnerable to theft.” It does not affect wallets where the user doesn’t control the private keys. “For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.”

The problem lies in Android’s implementation of the Java SecureRandom class. “As a result, all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen,” said Google engineer Mike Hearn, writing on the Bitcoin developers list.
