Best Litecoin wallet Android

After reading about the secureRandom java weakness with Android Bitcoin/CryptoCoin clients, I decided to poke around a bit to find more information. It appears this weakness has been around for a long time (well over a year) and some people have already taken advantage of it.

Looking into another article, Recovering Bitcoin private keys using weak signatures from the blockchain, I gained more insight as to what was actually happening and how it was being abused maliciously. I decided to do a search on google for the transaction ID listed in the article and came upon some references to transactions that have been found to have the same issue… Actually, a LOT of transactions found to have the same issue. The user, ‘Greg’, appeared to have composed a nice html formatted list and raw data list of all affected bitcoin addresses… I ended up copying them to github’s gists in case the site was taken down. It looks like most of these were cleared out early 2012, meaning multiple people may have known about the vulnerability for a while and using it to their advantage.

Check out the gists below, if you look at the transaction dates, most are from early to mid 2012:

[gist]

Now, I have no clue how ‘up to date’ this is, and it doesnt take much effort to reproduce what this ‘Greg’ user has done.

Pseudo-code:

Find all transactions where # of inputs >= 2 for each input.scriptsig in transaction check char 0 to 64 matches any other input.scriptsigs if TRUE check char END to -132 matches any other input.scriptssigsThis confirms you should be able to find private key.

jgilmour-mac:code jgilmour$ grep -R secureRandom litecoin-wallet/* litecoin-wallet/wallet/src/de/schildbach/wallet/litecoin/util/EncryptionUtils.java: private static final SecureRandom secureRandom = new SecureRandom; litecoin-wallet/wallet/src/de/schildbach/wallet/litecoin/util/EncryptionUtils.java: secureRandom.nextBytes(salt);