Skype for Android Security Breach: Get the Details

Sun, 04/17/2011 - 14:49 -- Colin Breck

Recently, AndroidPolice.com discovered a security flaw in a leaked version of Skype Video for Android and subsequently determined that the same flaw has been present in the frequently downloaded Skype for Android, which has been available to users on the Android Market since October of 2010. The security flaw allows a malicious app installed on a user's Android device to harvest all sorts of personal information.


The sections below summarize what information can be leaked, the current progress on a fix and Skype's response, and some basic steps you can take to protect yourself against would-be thieves trying to collect your personal data from Skype.

So, What's At Risk?

A lot. Details such as your name, phone number, chat/messaging logs, account balance, full name, date of birth, email addresses, your webpage, biography, geographical location, and more. Much of this same information can be accessed for everyone on your contact list as well. Credit card information is not at risk.

For anyone even lightly concerned about digital privacy, this is a huge breach.

Why Did This Happen?

As surprising as it would seem, Skype evidently released their app with no detectable effort to conceal the information contained in users' profiles. The files which store this information have open read permissions, which allow any application on your Android device to read them. To make matters worse, the files which store profile information are completely unencrypted. Harvesting the data from these files is perplexingly elementary.
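The check below is an added example, not code from the original article, Skype, or AndroidPolice.com. It is a Python audit that lists the files under an app data directory that any other local user could read, which is the condition described above. The directory layout and file names are constructed assumptions. It also accounts for one detail the article does not mention: a readable file is only reachable if every directory above it grants search permission to others.

```python
import os
import stat
import tempfile


def exposed_files(root):
    """Return paths (relative to root) that another local user could read.

    A file is reachable by "other" only if it has o+r AND every directory
    between root and the file has o+x (search permission).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []  # nothing below here is reachable by other users
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout; directory and file names are hypothetical."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.chmod(root, 0o755)
    layout = {
        "files/profile.db": (0o755, 0o644),  # dir o+x, file o+r   -> exposed
        "files/chat.log": (0o755, 0o600),    # file is owner-only   -> safe
        "private/cache.db": (0o700, 0o644),  # dir blocks traversal -> safe
    }
    for rel, (dir_mode, file_mode) in layout.items():
        directory = os.path.join(root, os.path.dirname(rel))
        os.makedirs(directory, exist_ok=True)
        os.chmod(directory, dir_mode)
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, file_mode)
    return root


if __name__ == "__main__":
    for rel in exposed_files(build_sample_tree()):
        print("readable by other apps/users:", rel)
```

Each Android app runs under its own Linux user ID, so the "other" permission bits are what decide whether a second app can open these files.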

Is Skype Fixing This?

Skype has released a statement indicating they are working hard to remedy the problem as quickly as possible. According to Skype, "we take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application."

Unfortunately, Skype has yet to provide a timetable on how soon Skype for Android users will see an update. Considering the fix seems relatively simple, the expectation is that Skype will release a remedied version sooner rather than later.

How Can You Protect Yourself?

Now that the cat is out of the bag regarding the vulnerability, there's a decent likelihood that a malicious app (or apps) may appear on the Android Market that will attempt to harvest this data, especially considering that AndroidPolice.com released their proof of concept app demonstrating how to access the unsecured data. Any not-so-nice developer can quickly and easily adapt that code for use within their own app, and use it to harvest a shocking amount of private user info. Also, it's quite possible that this vulnerability was already discovered by the wrong person, and that a malicious app already exists on the market.

The best way to protect your data is to scrutinize every application you install on your device. This, of course, should be your general policy, as malicious apps have appeared several times before on the Android Market. Do your due diligence to investigate the reputation of the developer, not just the rating of the app. If you're not comfortable with the app's origin, don't install it.

Check out AndroidPolice.com's proof of concept video demonstrating the security flaw below.