
Skype App Leaves Android Users Open to Attack

Source: Android Police

Skype for Android is under fire after reports that the application leaves Android users vulnerable to attack.

The benefits of having Skype on your cell phone are pretty obvious. However, it seems as though there is also a certain amount of risk for Android users running the official Skype app: a weakness in the application can expose your personal information.

Android Police has discovered that the official Skype for Android application leaves users’ data open to harvesting. Editor Justin Case noticed the problem after recently installing a leaked version of Skype Video and, after some examination, discovered ‘just how poorly this app stored private user data.’ He rustled up an exploit and was “shocked” by how much information could be gleaned.

More shocking, though, is that this vulnerability isn’t exclusive to the leaked version of Skype Video -- it exists in the regular Skype app too, which means 10 million people are at risk. Case writes that Skype stores users’ information (including username, email, contacts, bio, date of birth, chat logs and more) in SQLite3 databases, but that these files are unencrypted and lack any kind of proper permissions. Because they are readable by anyone or any app, someone who produced an app to exploit this hole could very easily harvest this information.

Justin Case:

“The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages – and that’s just the tip of it. Scary.”


Commenting on the vulnerability, Skype posted the following statement to its blog:

"It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."

For more on the vulnerability and proof of the exploit, check out the full story here.

  • 0 Hide
    joytech22 , April 16, 2011 4:02 AM
    If nobody noticed the vulnerability Skype would have never done anything to fix that.

    It should be every developer's goal to create a safe and secure application right off the bat (not 100% secure, at least put "some" protection there).
  • 0 Hide
    ThisIsMe , April 16, 2011 5:38 AM
    Somehow I don't really see people that run any form of Google software or use any Google products caring much about their personal info winding up in the hands of "someone else." Just kinda' seems like a given to me.
  • 1 Hide
    scotv453 , April 16, 2011 6:18 AM
    joytech22 wrote: If nobody noticed the vulnerability Skype would have never done anything to fix that. It should be every developer's goal to create a safe and secure application right off the bat (not 100% secure, at least put "some" protection there).

    Maybe they didn't know, that's why they wouldn't have done anything.
  • 0 Hide
    scotv453 , April 16, 2011 6:20 AM
    scotv453 wrote: Maybe they didn't know, that's why they wouldn't have done anything.

    I take that back. I didn't read it all.
  • 1 Hide
    wifiwolf , April 16, 2011 1:41 PM
    Damn this is way too much spam. Is someone responsible for this issue in the site?
    8 in a row????
  • 0 Hide
    mayne92 , April 17, 2011 1:42 AM
    So I'm looking at the spam above...the timestamp is 4/17/2011 at 3:03AM. I'm guessing China! Lol.
  • 0 Hide
    mayne92 , April 17, 2011 1:45 AM
    www.vipstores.net -> organization name -> chen hui juan of China. What a business name.
  • 0 Hide
    deltatux , April 17, 2011 3:25 AM
    Problem is that Skype has been working like this since its inception, it's just funny that no-one noticed.

    Just download any SQLite reader and you can instantly view all the data since it's just in SQL code. It'll look something like this: http://images.kwokinator.com/web/skype-db-readable.png

    It's just that no one cared until now to sift through Skype and find this exploit. Do however note that no other application can read main.db if Skype is running, so all a malware has to do is to kill the Skype process and then read the SQLite database. An easy fix would be to install the app, create a user on the phone, chown and chmod it to that Skype user. So that only the Skype app can read the db.
  • 0 Hide
    rantoc , April 18, 2011 10:32 AM
    Nine! ads in a row, have Tom's Hardware forgotten how to remove ads in the forums or do TH actually get paid for the unwanted advertisement?
  • 0 Hide
    scuba dave , April 18, 2011 8:22 PM
    Wow, I ain't ever seen that much spam.. and I subscribed to hundreds of pron sites when I was much, much younger, lol