Skype Android app flaw places data in danger

gallery

A vulnerability in the Skype app for Android could be exploited by hackers wanting to get hold of user profile and contact information, according to a report.

Skype did not encrypt files within the app containing data such as contacts and instant message logs, leaving them accessible to third-party sources, the Android Police claimed.

“Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but completely unencrypted,” the Android Police said.

“But how do we find this directory from another app if we don’t know the username? Well, Skype stored the username in a static location, we can parse this file, get the username and find the path to Skype’s stored data.”

In theory, a rogue developer could create an application so when it is installed on a Skype user’s Android phone, it will pilfer the data. The Android Police created a proof of concept to test the theory.

“This means that a rogue developer could modify an existing application with code from our proof of concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in,” the Android Police added.

“While the exploit can’t steal your credit card info, the data it’s harvesting is still clearly very private (chat logs linked back to your real name, address, and phone number).”

Skype said it was aware of the issue and was looking at how to protect its users.

“It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files,” said Adrian Asher, chief information security officer at Skype, in a blog post.

“We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

Email to a friend

Print this page