Fixing the Android SecureRandom vulnerability

A vulnerability in Android was recently exploited in mobile Bitcoin wallets to steal some money. The flaw lies in the random number generation provided by Java's SecureRandom API: although SecureRandom is safe on most platforms, it is very weak on Android.
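As an added illustration (this is not Pilot SSH's code), here is the kind of mitigation Google recommended at the time: read random bytes straight from the kernel's /dev/urandom and use them to seed SecureRandom explicitly, so that key material never depends on Android's default seeding. The class name UrandomSource is an assumption of mine.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.SecureRandom;

/** Random bytes taken directly from the kernel's /dev/urandom, bypassing the
 *  weakly seeded SecureRandom on affected Android builds. (Illustrative class,
 *  not part of Pilot SSH.) */
public final class UrandomSource {
    private static final String URANDOM = "/dev/urandom";

    private UrandomSource() {}

    /** Return exactly n kernel-provided random bytes; throws if fewer are available. */
    public static byte[] nextBytes(int n) throws IOException {
        byte[] buf = new byte[n];
        DataInputStream in = new DataInputStream(new FileInputStream(URANDOM));
        try {
            in.readFully(buf);   // loops until all n bytes are read, or throws EOFException
        } finally {
            in.close();
        }
        return buf;
    }

    /** Build a SecureRandom whose state has been mixed with 32 kernel bytes.
     *  On platforms where SecureRandom is already sound this only adds entropy;
     *  on the affected Android builds it replaces the weak default seeding. */
    public static SecureRandom seededFromKernel() throws IOException {
        SecureRandom sr = new SecureRandom();
        sr.setSeed(nextBytes(32));
        return sr;
    }
}
```

Use `seededFromKernel()` (or `nextBytes()` directly) wherever long-lived key material or signature nonces are generated; the default `new SecureRandom()` alone is not enough on the affected devices.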

Here are the parts of Pilot SSH that use this insecure API:

The new version of Pilot SSH (v1.1.1), published on August 16th 2013, fixes this insecure random number generation, but there are additional actions you should take to be on the safe side:

I am deeply sorry for this inconvenience. Security is really a priority for me (I assure you, that is NOT some corporate bullshit), but sometimes a flaw can slip through. I can only promise you that any future vulnerability will be handled as quickly and seriously as this one.

Posted on August 16, 2013 by Geoffroy Couprie