Skype for Android leaks sensitive data


What is being called a vulnerability in the Android version of Skype could simply be written up as sloppy coding at best, or disrespect for your privacy at worst.

Justin Case at Android Police did some poking around when he found a leaked beta version of Skype that will allow video conferencing on Android devices.

He discovered that just about all the information in your Skype profile, except for your credit card number and password, was stored insecurely by the application.

This allows any application on your phone to read that information, or copy it wherever it likes, without any special "root" access or other trickery.

Case thought that this must only be the case for this pre-release copy, but to his dismay it is configured the same way in the current production releases of the Skype for Android product (except the Verizon version).

Case created a proof-of-concept application to demonstrate the weakness in Skype's security. His application can show you your name, address, account name, phone numbers and contacts (and their details) all without any special permissions.

Worse yet, information like your instant messaging chat logs is fully available as well. His application doesn't show those, but none of the Skype data stored on Android handsets appears to be encrypted.
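A defender-side check for the weakness described above, as an added example that is not part of the original article and is not Skype's or Case's code. It assumes the exposure comes from Unix file-mode bits that let other UIDs read an app's files (the article does not state the mechanism); the package name, file names and modes are constructed.

```python
import os
import stat
import tempfile

def other_readable_files(app_dir):
    """List regular files under app_dir that a different UID can open for reading.

    A file is exposed only if it has the other-read bit AND every directory
    from app_dir down to it has the other-execute (traverse) bit.
    Directories above app_dir are assumed traversable.
    """
    findings = []

    def walk(path, reachable):
        for entry in sorted(os.scandir(path), key=lambda e: e.name):
            mode = entry.stat(follow_symlinks=False).st_mode
            if stat.S_ISDIR(mode):
                walk(entry.path, reachable and bool(mode & stat.S_IXOTH))
            elif stat.S_ISREG(mode) and reachable and mode & stat.S_IROTH:
                findings.append(os.path.relpath(entry.path, app_dir))

    walk(app_dir, bool(os.stat(app_dir).st_mode & stat.S_IXOTH))
    return findings

# Constructed sample layout (hypothetical names and modes, not Skype's real files).
SAMPLE = [
    ("files", 0o771, None),
    ("files/main.db", 0o666, b"contacts"),
    ("files/chat", 0o755, None),
    ("files/chat/log.db", 0o644, b"messages"),
    ("files/config.xml", 0o600, b"<cfg/>"),
    ("databases", 0o700, None),
    ("databases/private.db", 0o666, b"shielded by parent dir"),
]

def audit_sample():
    """Build the constructed tree in a temp dir and return the exposed files."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, "com.example.app")
        os.mkdir(app_dir)
        os.chmod(app_dir, 0o751)
        for rel, mode, data in SAMPLE:
            path = os.path.join(app_dir, rel)
            if data is None:
                os.mkdir(path)
            else:
                with open(path, "wb") as fh:
                    fh.write(data)
            os.chmod(path, mode)  # set explicitly: the umask would mask the mode
        return other_readable_files(app_dir)
```

The `databases/private.db` case shows why the directory bits matter: the file itself is mode 666, but its parent directory denies traversal to other UIDs, so it is not reported.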

Skype responded on Friday stating that they intend to fix the vulnerabilities as soon as possible, and that in the meantime Android users should be careful what applications they load on their phones.

How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn't require special permissions.

I think the safest advice is simply to remove Skype from your Android until we can be satisfied that the problems have been resolved.

Controlling mobile devices is going to be a significant challenge for the next few years, and it isn't just about malware. This type of situation makes one wonder about the Skype for iOS application.

It also makes you wonder whether it is safer in Apple's App Store. Has Apple done a thorough enough check on their 100,000+ applications, including Skype, to know that data isn't leaking here, there and everywhere?


7 Responses to Skype for Android leaks sensitive data

  1. Artur Jonkisz · 1099 days ago

    "This type of situation makes one wonder about the Skype for iOS application" out of curiosity: isn't that the case on iOS that all applications are sand-boxed and one cannot access the data of the other?

  2. steve · 1099 days ago

    The Android Facebook app is reportedly a security hole as well. It sends your data in clear text even when you specify https encryption in your Facebook account settings.

  3. carol875 · 1099 days ago

    Skype on Verizon Droid-X won't uninstall, and won't allow me to change the default "Launch by Default." It must have been one of the packaged apps that came with the Droid-X, since it's not listed on the "Installed Apps" list. How does one get rid of it???

  4. INETmgr · 1098 days ago

    Skype for Android has been a kludge since it first launched. It's no surprise sloppy coding was present allowing access to be gained to the user's dB.

    Android OS is barely past 2 years old since version 1.5 was released to open-source. And yet it ranks number one now and shall likely remain the top mobile OS.

    There are pros and cons to any OS whether closed or open and though Apple was the originator to the "smartphone" marketplace its limited hardware choices will push many more endusers to choose from the wide variety of Android OS based phones.

    Time will mature the Android marketplace but when you have community development and non-engineer level application creators there will remain poorly coded software. It is just a shame a large corporation like Skype was so lazy and sloppy with its application. Then again Skype versions in general have had security issues in the past including the recent VoIP problems.

    *Apparently the Verizon Android version of Skype doesn't have the same code vulnerability.

  5. JCB · 1098 days ago

    carol, the Verizon version is not affected. Even if it was you would have to have installed malware to let someone have access. The article is a bit misleading and is dumbed down to the lowest denominator. People who install apps from an untrusted source and don't heed the warnings of doing so.

  6. Netminder23 · 1097 days ago

    Chester, why the dig at the end about Skype on iOS? Was a good, informative article up till the end. You know the answer to the question you posed! If you don't, you're not much of a security researcher.

    Answer.... all applications are sandboxed, meaning one application can't read another's data by design. Note if you jailbreak your iOS device all bets are off, but I'm sure that you understand that.

    Here are some links to help you with future research... http://www.apple.com/iphone/business/resources/

    And more specifically http://images.apple.com/iphone/business/docs/iPho...

    So if an application developer writes sloppy code user is protected by default. To add on to this if the developer is good he/she will encrypt data to add further AES-256 on files. Hope this helps answer your question.

  7. ColonelFazackerley · 1088 days ago

    Updates for Android Skype have now been pushed. Is it all good now?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.