Skype for Android is under fire after reports that the application leaves Android users vulnerable to attack.
The benefits of having Skype on your cell phone are pretty obvious. However, it seems as though there is also a certain amount of risk for Android users running the official Skype app: a weakness in the application can expose your personal information.
Android Police has discovered that the official Skype for Android application leaves users’ data open to harvesting. Editor Justin Case noticed the problem after recently installing a leaked version of Skype Video and, after some examination, discovered ‘just how poorly this app stored private user data.’ He rustled up an exploit and was “shocked” by how much information could be gleaned.
More shocking, though, is that this vulnerability isn’t exclusive to the leaked version of Skype Video -- it exists in the regular Skype app too, which means 10 million people are at risk. Case writes that Skype stores users’ information (including username, email, contacts, bio, date of birth, chat logs and more) in SQLite3 databases, but that these files are unencrypted and lack any kind of proper permissions. Because the files are readable by anyone or any app, someone who produced an app to exploit this hole could very easily harvest this information.
Justin Case:
“The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages – and that’s just the tip of it. Scary.”
Commenting on the vulnerability, Skype posted the following statement to its blog:
"It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.
These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.
To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."
For more on the vulnerability and proof of the exploit, check out the full story here.
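An added example, not code from Android Police or Skype: a Python audit that walks an app data directory and flags files that other users or apps can read or write, noting which of them are plaintext SQLite 3 databases (the condition described above). The directory layout and sample files are constructed for the demo; only the file name main.db comes from the article.

```python
import os
import stat
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite 3 file

def audit_tree(root):
    """Return (relative path, mode, issues) for files exposed to other users or apps."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular files
            mode = stat.S_IMODE(st.st_mode)
            if not mode & (stat.S_IROTH | stat.S_IWOTH):
                continue  # no access for "other": nothing to report
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            with open(path, "rb") as fh:
                if fh.read(16) == SQLITE_MAGIC:
                    issues.append("unencrypted SQLite")
            findings.append((os.path.relpath(path, root), oct(mode), issues))
    return sorted(findings)

def demo():
    """Build a constructed data directory (not real Skype data) and audit it."""
    samples = {
        "files/user1/main.db": (SQLITE_MAGIC + b"\x00" * 84, 0o666),
        "files/user1/private.db": (SQLITE_MAGIC + b"\x00" * 84, 0o600),
        "files/shared.xml": (b"<config/>", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)  # explicit mode, independent of umask
        return audit_tree(root)

if __name__ == "__main__":
    for rel, mode, issues in demo():
        print(f"{mode:>6}  {rel}  ({', '.join(issues)})")
```

A database created with owner-only permissions (0o600 in the demo) produces no finding, which is the state the file-permission fix in Skype's statement aims for.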

It should be every developer's goal to create a safe and secure application right off the bat (not 100% secure, at least put "some" protection there).
Maybe they didn't know, that's why they wouldn't have done anything.
I take that back. I didn't read it all.
8 in a row????
Just download any SQLite reader and you can instantly view all the data since it's just in SQL code. It'll look something like this: http://images.kwokinator.com/web/skype-db-readable.png
It's just that no one cared until now to sift through Skype and find this exploit. Do however note that no other application can read main.db if Skype is running, so all malware has to do is kill the Skype process and then read the SQLite database. An easy fix would be to install the app, create a user on the phone, chown and chmod it to that Skype user, so that only the Skype app can read the db.