Bitpay’s open source wallet Copay announced Tuesday that it has fixed a security flaw affecting Android phones running version 6, codenamed ‘Marshmallow.’ At the same time, the popular Bitcoin web and mobile wallet GreenAddress has run into the same problem and is actively working on a solution.
[Editor’s Note: Bitcoin.com had some inquiries from Blockstream/GreenAddress supporters and we want to clarify that while GreenAddress did have a problem with Android devices, the nature of their problem is different from that of Copay, particularly with regard to their optional PIN rather than private keys.]
Private Keys Kept in the Cloud at Risk
The latest version of Android extended automatic app backups to a few more parts of each app’s private file system, which happens to include the location where Copay stores its encrypted private keys.
Bitpay noted that:
If you are using Copay in an Android 6 phone and have automatic App Backup enabled, your wallet’s keys have been backed up automatically and uploaded to Google servers.
Even though Google encrypts all app backups, users’ private keys are still copied off the device and stored in the cloud, making the wallets behind those Bitcoin addresses less secure. Considering that Marshmallow has been around since October of last year, it is surprising that this flaw was not noticed and addressed before this week.
Android bitcoin wallet users of both Copay and GreenAddress noticed the problem recently and alerted their developers, who hammered out fixes in short order.
In the announcement, Bitpay noted that “This change goes against our security policy and puts user private keys at risk, so we strongly encourage you to move your funds to a new Copay wallet.”
According to Bitpay:
“Today we’re releasing version 2.4.2 of Copay for Android. This security release disables the automatic app backup feature which is enabled by default in Android 6 phones.”
Along with the announcement, the company also gives instructions on how to download the updated Copay app and create a new wallet, and it urges Marshmallow users to transfer funds out of any old wallet into the newly created one: the old keys are kept, but bitcoins are held only in the new wallet. They also remind users that backing up private keys to the cloud simply defeats the purpose of their project.
“Remember that Copay is a true bitcoin wallet, so you have full control of the funds and the responsibility to make your own backup (rather than backing up to the cloud),” Bitpay wrote.
On the same day, GreenAddress, which was recently acquired by Blockstream, reported the same problem as Copay and is actively fixing it. However, instead of private keys being uploaded to the cloud, the data backed up to Google Drive in its case is an encrypted PIN:
We want to avoid storing PIN data in the cloud, even though it’s AES-encrypted and our servers allow only 3 attempts to get the encryption key.
A moderator of the GreenAddress Reddit board confirmed the problem for GreenAddress and provided a link to the GitHub fix, still in progress at press time. The user also mentioned that the company’s light version of its mobile wallet, GreenBits, was not affected by the problem in the first place, claiming that “It was already disabled on GreenBits.”
At press time, the final fix did not appear to have shipped in GreenAddress’s software yet. GreenAddress customers should therefore watch for the upgrade prompt on their Android phones, or at least keep an eye on the company’s announcements.
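Both fixes come down to opting the app out of Android 6 Auto Backup, or at least keeping secret material out of it. The following manifest and backup-rules fragments are an added illustration, not code from Copay or GreenAddress; the package name, file names and rules file name are placeholders. Note that changing the manifest only stops future uploads, which is why Copay tells users to move funds to a fresh wallet rather than rely on the setting alone.

```xml
<!-- AndroidManifest.xml (fragment). Package and file names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">

    <!-- Weak: on Android 6 (API 23) Auto Backup is ON unless the app opts
         out, so everything under the app's private storage, including an
         encrypted key store or PIN file, is uploaded to the user's Google
         account. Omitting android:allowBackup has the same effect:

    <application android:allowBackup="true">
    -->

    <!-- Hardened: opt the whole app out of Auto Backup (and the older
         key/value backup). This is the kind of change a release that
         "disables the automatic app backup feature" ships. -->
    <application
        android:label="@string/app_name"
        android:allowBackup="false">
    </application>
</manifest>

<!-- res/xml/backup_rules.xml (placeholder name). Alternative for apps that
     want non-sensitive data backed up but must keep keys or an encrypted
     PIN on the device. Referenced from the manifest with
     android:allowBackup="true" android:fullBackupContent="@xml/backup_rules".
     Excluded paths are relative to the app's files/ and shared_prefs/
     directories; names below are placeholders. -->
<full-backup-content>
    <exclude domain="file" path="wallet_keys.enc"/>
    <exclude domain="sharedpref" path="wallet_pin.xml"/>
</full-backup-content>
```

After shipping either change, verify with a fresh install on an Android 6 device that the app no longer appears in the account's backup data, since an exclude rule with a mistyped path silently backs the file up anyway.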