Mike Hearn | 11 Aug 18:28 2013

Android key rotation


I hope you are having a pleasant weekend. A few days ago we learned
that the Android implementation of the Java SecureRandom class
contains multiple severe vulnerabilities. As a result all private keys
generated on Android phones/tablets are weak and some signatures have
been observed to have colliding R values, allowing the private key to
be solved and money to be stolen.

The public security alert is here:


I will shortly post in the bitcointalk forums as well.

An update for the Bitcoin Wallet app has been prepared that bypasses
the system SecureRandom implementation and reads directly from
/dev/urandom instead, which is believed to be functioning correctly.
All unspent outputs in the wallet are then respent to this new key.

The process is automatic and does not involve user intervention.
Andreas can control the process via a percentage throttle, which we
will use to slow things down if the memory pool load gets too high.

A fixed APK is available here:


Andreas plans to release this to beta either today or tomorrow. Once
some reasonable population of users has completed testing the
automated re-keying process, it will be released via the Play Store.
All users will get a notification informing them of the new version
and some will be upgraded automatically.

Other wallet maintainers have also been notified and are working on
similar updates.