Skype App Leaves Android Users Open to Attack

The benefits of having Skype on your cell phone are pretty obvious. However, it seems as though there is also a certain amount of risk for Android users running the official Skype app: a weakness in the application can expose your personal information.

Android Police has discovered that the official Skype for Android application leaves users’ data open to harvesting. Editor Justin Case noticed the problem after recently installing a leaked version of Skype Video and, after some examination, discovered ‘just how poorly this app stored private user data.’ He rustled up an exploit and was “shocked” by how much information could be gleaned.

More shocking, though, is that this vulnerability isn’t exclusive to the leaked version of Skype Video -- it exists in the regular Skype app too, which means 10 million people are at risk. Case writes that Skype stores users’ information (including username, email, contacts, bio, date of birth, chat logs and more) in SQLite3 databases, but that these files are unencrypted and lack any kind of proper permissions. Because the files are readable by anyone or any app, someone who produced an app to exploit this hole could very easily harvest this information.

Justin Case:

“The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages – and that’s just the tip of it. Scary.”


Commenting on the vulnerability, Skype posted the following statement to its blog:

"It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."

For more on the vulnerability and proof of the exploit, check out the full story here.
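
An audit for the weakness described above, as an added example that is not code from Android Police or Skype: it walks a copy of an app's data directory, flags files that other users (and therefore other apps) can read or write, and marks those that start with the plaintext SQLite 3 header. The function names, the directory layout and the sample files are assumptions constructed for the example.

```python
import os
import stat

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite 3 file

def audit_data_dir(root):
    """List regular files under root that other users (other apps) can read or write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            if not mode & (stat.S_IROTH | stat.S_IWOTH):
                continue  # owner/group only: not exposed to other apps
            try:
                with open(path, "rb") as fh:
                    plaintext = fh.read(16) == SQLITE_MAGIC
            except OSError:
                plaintext = None  # header could not be inspected
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "world_readable": bool(mode & stat.S_IROTH),
                "world_writable": bool(mode & stat.S_IWOTH),
                "plaintext_sqlite": plaintext,
            })
    return sorted(findings, key=lambda f: f["path"])

def harden(root):
    """Restrict directories to 0700 and files to 0600 (owner only)."""
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o600)

def build_sample(root):
    """Constructed sample layout (hypothetical paths), not real Skype data."""
    user_dir = os.path.join(root, "files", "example_user")
    os.makedirs(user_dir)
    for name, mode in (("main.db", 0o666), ("owner_only.db", 0o600)):
        path = os.path.join(user_dir, name)
        with open(path, "wb") as fh:
            fh.write(SQLITE_MAGIC + b"\x00" * 84)  # 100-byte header stub
        os.chmod(path, mode)
    return root
```

Calling `audit_data_dir(build_sample(path))` reports only the world-accessible `main.db`; after `harden()` the same call returns an empty list.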

10 comments
  • joytech22
    If nobody noticed the vulnerability Skype would have never done anything to fix that.

    It should be every developer's goal to create a safe and secure application right off the bat (not 100% secure, at least put "some" protection there).
    0
  • ThisIsMe
    Somehow I don't really see people that run any form of Google software or use any Google products caring much about their personal info winding up in the hands of "someone else." Just kinda' seems like a given to me.
    0
  • scotv453
    joytech22: "If nobody noticed the vulnerability Skype would have never done anything to fix that. It should be every developer's goal to create a safe and secure application right off the bat (not 100% secure, at least put "some" protection there)."

    Maybe they didn't know, that's why they wouldn't have done anything.
    1