Android and iOS phones under threat as secret crypto keys can be stolen for Bitcoin Wallets and Apple Pay March 4, 2016 11:08 GMT Digital data, mainly financial, may be at risk for Android, iOS and other device users as cryptographic keys used in mobile wallets as Bitcoin wallet and Apple Pay can be stolen according to new research.A cryptographic key is the core part of cryptographic operations used commonly in digital asset transactions where a variable data is provided as input to a cryptographic algorithm to execute a specific operation.The attack, in fact, in so non-invasive that it can be conducted by merely placing a magnetic probe in the proximity of the device, or using a power tap on its USB charging cable.It does not require any malicious software to be installed on the device or opening the device's case to tamper with hardware.The attack may seem far-fetched but if carried out will expose the victims to low-cost physical attacks resulting in theft of signing credentials and subsequent unauthorised transactions or false authentication in digital payments.

"An attacker can measure these physical effects using a $2 magnetic probe held in proximity to the device, or an improvised USB adapter connected to the phone's USB cable, and a USB sound card.Using only such measurements, one can fully extract secret signing keys," said the researchers in a blog post.The attacked cryptographic algorithm in this case is ECDSA (Elliptic Curve Digital Signature Algorithm), a common digital signature algorithm used in many applications such as Bitcoin wallets, Apple Pay and many others that rely on vulnerable versions of OpenSSL, CoreBitcoin or iOS.The only way for users to be careful and make the hack impractical is for them to take care to closely inspect USB cables before plugging them in and look for probes near their phones.The researchers stopped short of fully extracting the key on a Sony-Ericsson Xperia X10 Phone running Android.They believe such an attack is feasible and cited recently published research by a separate team that found a similar side-channel vulnerability in Android's version of the BouncyCastle crypto library.The research also lists what are highly vulnerable:

Today we will code our first bitcoin transaction.To achieve this goal we will use JavaScript library called bitcore.JavaScript is the most popular, modern programming language and almost every developer knows it, so it makes this article universal and useful for the wider audience.bitcoin dari gameBefore you continue to read the article, you should have at least basic technical knowledge about how bitcoin blockchain works.bitcoin takIf not please dedicate a few minutes to read brief introduction to blockchain.bitcoin qt wallet crashIf you have more time, like a few hours, I recommend you to read Mastering Bitcoin.nfc bitcoin appLet's start with a new NPM project with following dependencies: Open index.js file and import bitcore library: To spend bitcoins we need an address that contains bitcoins and a private key that allows us to spend it.uber ethereal quotes

We will import the private key in WIF version.WIF is an abbreviation of Wallet Import Format.It is in use to easily import keys between bitcoin wallets.Then we will create a testnet address from that private key: WARNING!In that example, I share with you my private key.bitcoin demographicYou shouldn't do that in real life.bitcoin oggiThe one who has the private key is the owner of the bitcoins allocated to address made from this key.bitcoin price falling 2015It is a sign of the ownership.lucky coin bitcoinIn this case, I just shared with you the key used to create a testnet address.Testnet is a bitcoin network created for software and scripts testing.It doesn't contain real bitcoins, only the test ones.

You can gain them for free.Even if someone steals them it is not a big deal.I can take that risk to provide you a working out of the box example.If someone used/stole all test bitcoins from this address you can recharge it.Copy the address mibK5jk9eP7EkLH175RSPGTLR27zphvvxa and paste it in the form It is time to create our targetAddress where we want to sent our test bitcoins.Let's check our source address if any bitcoins remained there.Bitcoin network use UTXO to store that information.UTXO is an abbreviation of Unspent Transaction Output.Houston, we have a problem.We don't have a bitcoin network client.The full node requires at least 125 GB of hard drive space which is too much for my poor MacBook Air.We have to find a workaround.We have to ask someone to read the Bitcoin network for us.And to broadcast our transaction as well.In this case, we are losing the biggest advantage of bitcoin blockchain.The architecture of the system makes us don't have to trust any parties.The network consensus, the math and the encryption make the data stored in blockchain trusted.

But now we are asking middleman to read this data for us.He might provide us fake or outdated data.We will use Insight from bitcore-explorers library.As it is quite popular and we are only learning here we can assume it can be trusted.The final solution should be to have our own Bitcoin full node.Ok, let's use Insight to check how many Bitcoins we have to spend.The output of UTXOs is an array.Each of its element contains info about the address that is a owner of UTXO and an amount of Satoshis (1 Satoshi = 0.00000001 Bitcoin).It looks like this: It is time to create our transaction: Let's set the received UTXOs as an input of the transaction.An important thing to notice: we are not getting bitcoins from address but from UTXOs Let's set the receiver of our transaction and amount we want to deliver to him.The amount is given in Satoshis, the smallest unit of Bitcoin: 1 Satoshi = 0.00000001 Bitcoin.This is the output of our transaction: It is time to talk about the change.

UTXOs are the output from transactions that point to our address and have not been spent yet.UTXOs are like a bank note.If you have 5 dollar note in your pocket and want to buy 2$ beer you don't cut a part of the bill and give it to a cashier.You give the 5$ note and receive 3$ change.It works exactly the same with UTXOs.You have to use entire UTXO in a transaction and specify the change value and address then the change should be returned.Do I have to specify the change value?In shop when I buy 2$ dollar beer with 5$ note then I receive 3$ change in return.Nothing to be calculated.In Bitcoin, there is a little difference.In reality, the change is just another output of a transaction.And the sum of outputs should be a little smaller than the sum of input.The difference is called mining fee.You pay it to the miners to be included in the transactions block.The wallets or libraries like bitcore.io estimate the mining fee for us.So in our case, we just specify the address where change should be returned.

You can notice that we use our sourceAddress.As a result, some of existing UTXOs for this address disappear (they will be spent already), but there will also be a new one created(the one from the change).In real life, the wallets are using a new address for each of your transactions.The goal of that is to improve anonymity.How is it possible that from one private key the wallet is able to create many public keys and addresses?Read about Deterministic wallet to find the answer Great!The only thing we have to do right now is to sign the transaction with our private key and send it to the Bitcoin blockchain.As I mentioned before we don't have our own bitcoin client.We use external tool to communicate with the blockchain.The question is: can we put trust in it.When we broadcast transaction there is no risk that the tool will capture private key or manipulate the transaction (change targetAddress for example).If the tool makes any changes listed above, then the signature will not be valid any more and transaction will be rejected.