Skype for Android leaks user data
Users should remove app until Skype fixes it, says security researcher
Computerworld - A flaw in Skype for Android could let criminals harvest private information from smartphones, including the user's name and email address, contacts and chat logs, the Internet calling software maker confirmed Friday.
One security researcher called it "sloppy coding" and a "disrespect for your privacy."
Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the handset.
The files contain a wealth of information about the Skype account and the smartphone's owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
"Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them," said Case. "Not only are they accessible, but [they're] completely unencrypted."
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
"A rogue developer could modify an existing application with code from our proof of concept, distribute that application on the [Android] Market, and just watch as all that private user information pours in," Case said.
Case's concern is well-founded. Last month Google yanked more than 50 malware-infected apps from its Android Market, while three weeks ago Czech security company AVAST said a different rogue designed to shame software pirates sent personal information to the maker of the "Walk and Text" app.
On Friday, Skype acknowledged what it called a "privacy vulnerability" in its Android client. Although it promised to address the problem, it did not spell out a timetable.
"We are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application," said Adrian Asher, Skype's chief information security officer, in an entry on a company blog.
As of late Sunday, the Skype app for Android had not been updated.
Asher also urged users "to take care in selecting which applications to download and install" on their smartphones.
Chet Wisniewski, a security researcher at Sophos, didn't think much of that advice.
"How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn't require special permissions," Wisniewski said in a Sunday blog.
Instead, Wisniewski said the safest move by Android users would be to delete Skype from their smartphones.
Wisniewski argued that the flaw Case uncovered was not really a vulnerability, disconcerting as it was. "This could simply be written up as sloppy coding at best, or disrespect for your privacy at worst," he said. "[But it] makes one wonder about the Skype for iOS application. Is it safer in Apple's App Store?"
The separate Skype Mobile on Verizon app is not affected by the privacy snafu, said Case.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!