Bitcoin Forum

Bitcoin => Bitcoin Wallet for Android => Topic started by: Andreas Schildbach on August 11, 2013, 05:05:33 PM



Title: IMPORTANT: Android key rotation
Post by: Andreas Schildbach on August 11, 2013, 05:05:33 PM
Please read the post quoted below.

A fixed version 3.15 of Bitcoin Wallet is rolling out now. If you don't want to wait for the Google Play update, you can install directly from these links:

Mainnet:
http://code.google.com/p/bitcoin-wallet/downloads/detail?name=bitcoin-wallet-3.15.apk

Testnet:
http://code.google.com/p/bitcoin-wallet/downloads/detail?name=bitcoin-wallet-3.15-test.apk

As soon as you upgrade, it will create a "rotate transaction", sending your funds over to a fresh, secure key.

Important: You need to back up your wallet again, because of the added key. The old keys will not be included in the backup, so keep your old backups around just in case.

Generally, do not use old addresses/keys for receiving payments any more. Also make sure to not import old backups into any wallet.

If you have a wallet with unconfirming transactions or if the rotate transaction does not confirm for a long time, consider replaying the blockchain. After replay, your funds should be rotated without problems.

Thanks to everyone contributing to fixing this very serious issue!


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup.

Updates for other wallet apps should be released shortly.

Some technical details of what exactly has gone wrong inside Android will be released once the upgrade process is reasonably complete. I will keep track of the upgrade status of each wallet app I know about in the post below.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----