Skype App Leaves Android Users Open to Attack
Skype for Android is under fire after reports that the application leaves Android users vulnerable to attack.
The benefits of having Skype on your cell phone are pretty obvious. However, it seems as though there is also a certain amount of risk for Android users running the official Skype app: a weakness in the application can expose your personal information.
Android Police has discovered that the official Skype for Android application leaves users’ data open to harvesting. Editor Justin Case noticed after recently installing a leaked version of Skype Video. After some examination discovered ‘just how poorly this app stored private user data.’ He rustled up an exploit and was “shocked” by how much information could be gleaned.
More shocking, though, is that this vulnerability isn’t exclusive to the leaked version of Skype Video -- it exists in the regular Skype app too, which means 10 million people are at risk. Case writes that Skype stores users’ information, (including username, email, contacts, bio, date of birth, chat logs and more) in SQLite3 databases, but that these files unencrypted and without any kind of proper permissions. Readable by anyone or any app, if someone were to produce an app to exploit this hole, they could very easily harvest this information.
“The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages – and that’s just the tip of it. Scary.”
Commenting on the vulnerability, Skype posted the following statement to its blog:
"It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.
These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.
To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."