Aug 15, 2013 by Jasper Bakker
News: the encryption hole through which Bitcoins were stolen is an Android-wide security problem, Google confirms. It is supplying patches, but those alone are not the solution.
This week a vulnerability in Android's encryption functionality came to light. Through it, criminals stole Bitcoin virtual currency worth $5,700. The random number generator in Google's mobile operating system turns out not to produce truly random numbers. Encryption keys are generated from random numbers, and in the case of Bitcoin apps those keys serve to exchange the virtual currency.
Many more apps vulnerable
Google confirms the earlier suspicion that this vulnerability undermines more than Bitcoin apps. After its own investigation, the Android security team concluded that all apps that use the Java Cryptography Architecture (JCA) for various security functions are vulnerable. Those functions include creating encryption keys, digitally signing code or content, and generating random numbers.
Apps that do this via JCA "may not receive cryptographically strong values", the team writes on its blog. This means the resulting security can be broken. The cause is that the underlying pseudo-random number generator (PRNG) is not initialized properly. Apps that call Android's OpenSSL PRNG directly, without explicitly initializing it, are also vulnerable.
Random and truly random
Security vendor Symantec has blogged that the "Bitcoin hole" may affect hundreds of thousands of Android apps. Searching its Norton Mobile Insight data, the company identified more than 360,000 Android apps that use the SecureRandom function. That alone does not make those apps vulnerable. Of the 360,000 found, a good 320,000 definitely use the number generator in the same way as the Bitcoin apps that have proved vulnerable.
Various types of Android apps are affected in equal measure by this new crypto leak (chart via Symantec).
The Android security team does add the reassurance that not every Android app that uses security functions is now untrustworthy. Security remains guaranteed where secure TLS/SSL connections are set up using the HttpClient and java.net classes. Those components use the OpenSSL PRNG, which obtains its random values from the Linux interface /dev/urandom. In that case Android's Linux underpinnings supply the random numbers, not the generator included in the Java-derived Dalvik.
Patches and Android apps
While Google has now released patches for the various Android versions, its first piece of advice is aimed at app developers, who should adjust their products. Apps should receive updates so that they only use the built-in OpenSSL PRNG in combination with (truly random) numbers from /dev/urandom or /dev/random. In its blog post, the Android maker also provides an example implementation of this.
Updates to the apps matter so much because patches for Android itself are, in practice, distributed via a detour. This goes through the smartphone makers and telecom providers that are Google's partners in the Android consortium, the Open Handset Alliance. Those companies always have to incorporate Android updates into their own software themselves and then push them out to their customers.
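The failure mode described above (a PRNG that is never properly initialized hands every app instance the same "random" key material) and the remediation Google recommends (take the randomness from the kernel via /dev/urandom) are modelled in the following added example. This is constructed illustration code, not Google's example implementation or any Android component; the UnseededPrng class is a deliberately simplified stand-in for the defective Dalvik generator, and the key derivation is a stand-in for what a wallet app does.

```python
import hashlib
import os
import random
from collections import Counter


class UnseededPrng:
    """Stand-in for a generator that is never initialised from real
    entropy: every instance starts from the same fixed state.  This is a
    constructed model, not the real Dalvik/Harmony implementation."""
    FIXED_STATE = 0  # the defect being modelled: constant start state

    def __init__(self):
        self._rng = random.Random(self.FIXED_STATE)

    def next_bytes(self, n):
        return self._rng.getrandbits(8 * n).to_bytes(n, "big")


class KernelPrng:
    """The remediation: draw bytes from the kernel CSPRNG (os.urandom reads
    /dev/urandom on Linux), not from a self-seeded user-space generator."""
    def next_bytes(self, n):
        return os.urandom(n)


def derive_key(prng):
    """Derive a 256-bit key from PRNG output (stand-in for the key
    generation a wallet app performs)."""
    return hashlib.sha256(prng.next_bytes(32)).hexdigest()


def keys_from_fresh_instances(prng_cls, count):
    """Simulate `count` independent app launches, each creating its own PRNG."""
    return [derive_key(prng_cls()) for _ in range(count)]


def duplicated_values(values):
    """Audit helper: values that occur more than once.  Any repeat among
    supposedly random keys is a sign the generator was not properly seeded."""
    return sorted(v for v, n in Counter(values).items() if n > 1)


if __name__ == "__main__":
    weak = keys_from_fresh_instances(UnseededPrng, 5)
    strong = keys_from_fresh_instances(KernelPrng, 5)
    print("unseeded PRNG, repeated keys:", len(duplicated_values(weak)))
    print("kernel-seeded PRNG, repeated keys:", len(duplicated_values(strong)))
```

The duplicate check is the kind of audit that reveals this class of bug after the fact: independently generated keys or nonces should never collide, so any repeat points at the generator rather than at the key-using code.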
Android versions and fragmentation
It has been shown repeatedly in the past that a great deal of time can pass in this process. Moreover, updates do not always arrive for every Android version and device; sometimes this is for performance reasons. As a result, old versions remain in heavy use while newer versions trickle down to devices with delay. The updates that fail to get through include fixes for security holes and vulnerabilities, as is the case with this encryption weakness.