Skype for Android leaks user data
Users should remove app until Skype fixes it, says security researcher
Computerworld - A flaw in Skype for Android could let criminals harvest private information from smartphones, including the user's name and email address, contacts and chat logs, the Internet calling software maker confirmed Friday.
One security researcher called it "sloppy coding" and a "disrespect for your privacy."
Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the handset.
The files contain a wealth of information about the Skype account and the smartphone's owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
"Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them," said Case. "Not only are they accessible, but [they're] completely unencrypted."
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
"A rogue developer could modify an existing application with code from our proof of concept, distribute that application on the [Android] Market, and just watch as all that private user information pours in," Case said.
Case's concern is well-founded. Last month Google yanked more than 50 malware-infected apps from its Android Market, while three weeks ago Czech security company AVAST said a different rogue designed to shame software pirates sent personal information to the maker of the "Walk and Text" app.
On Friday, Skype acknowledged what it called a "privacy vulnerability" in its Android client. Although it promised to address the problem, it did not spell out a timetable.
"We are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application," said Adrian Asher, Skype's chief information security officer, in an entry on a company blog.
As of late Sunday, the Skype app for Android had not been updated.
Asher also urged users "to take care in selecting which applications to download and install" on their smartphones.
Chet Wisniewski, a security researcher at Sophos, didn't think much of that advice.
"How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn't require special permissions," Wisniewski said in a Sunday blog.
Instead, Wisniewski said the safest move by Android users would be to delete Skype from their smartphones.
Wisniewski argued that the flaw Case uncovered was not really a vulnerability, disconcerting as it was. "This could simply be written up as sloppy coding at best, or disrespect for your privacy at worst," he said. "[But it] makes one wonder about the Skype for iOS application. Is it safer in Apple's App Store?"
The separate Skype Mobile on Verizon app is not affected by the privacy snafu, said Case.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts