In a rather embarrassing state of affairs Skype for Android has been found to be leaking personal information, including the users name and email address and contacts and chat logs.
A security researcher has called it ‘sloppy coding’ and ‘a disrespect for your privacy’. Not mincing his words, thats for sure.
Justin Case, a contributor to the Android Police Blog found out that Skype on the Android operating system is not blocking access to a number of sensitive data files stored on the handset. These files contain a lot of information tied into the Skype account, such as the owner of the phone, full name and data of birth and alternate phone numbers and even the account balance. Chat logs and Skype contacts also fall into the potential unsafe data storage. He said “Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but [they’re] completely unencrypted.”
He added “A rogue developer could modify an existing application with code from our proof of concept, distribute that application on the [Android] Market, and just watch as all that private user information pours in.”
This is not the first major security issue, with Google’s Android Market hosting 50 malware infected files. Three weeks ago AVAST also said an application was sending personal information to the maker of ‘Walk’ and ‘Text’ applications.
Skype did acknowledge that there is a ‘privacy vulnerability’ in its Android client. They are fixing the issue, although still haven’t announced when this would be. Adrian Asher, Skype’ chief information security officer said “We are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”
Asher also said that users should “take care in selecting which applications to download and install”. We would assume he didn’t include Skype in this list, even though it has a potentially huge security weakness.
Chet Wisniewski, a security researcher at Sophos, didn’t warm to his advice either. “How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn’t require special permissions,” Wisniewski said in a Sunday blog. Wisniewski said the safest move was to actually deinstall Skype from their phones. Ouch.
Wisniewski said that the flaw Case uncovered was not really a vulnerability, bad as it was. “This could simply be written up as sloppy coding at best, or disrespect for your privacy at worst,” he said. “[But it] makes one wonder about the Skype for iOS application. Is it safer in Apple’s App Store?”
KitGuru says: Skype comes with warnings right now on Android, use it at your own risk.