The Skype application for Android contains a flaw that allows a rogue app to access and harvest users’ personal information, including chat logs, from the device without needing root access or special permissions.
The flaw was discovered by Justin Case at Android Police while he was analyzing the code of a leaked beta version of Skype that will allow users to video conference via their Android devices.
Hoping that the vulnerability was present only in this version but wanting to be sure, he decided to test the latest official release of the app, which dates back to October 2010. He wrote an exploit for the flaw, and the results were disappointing.
“I discovered the same vulnerability – meaning this affects all of the at least 10 million users of the app,” he says, but points out that the “Skype Mobile for Verizon” version of the app seems to be the only one unaffected.
So, what information is available to the rogue app? Luckily for the users, their credit card number and Skype password are safe, but their profile details (account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, e-mail addresses, webpage and bio), contacts and instant message logs are accessible because the directories where Skype stores all this data are unencrypted.
“This means that a rogue developer could modify an existing application with code from our Proof of Concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in,” explains Case. “While the exploit can’t steal your credit card info, the data it’s harvesting is still clearly very private.”
Skype has been made aware of the flaw and is currently working on a fix. In the meantime, it advises users to be careful when selecting which applications to download and install onto their device.
But, since Case says that no special permissions are needed for an app to harvest the information, it seems to me that better advice would be to remove the Skype app from the device until the hole is patched.
UPDATE: Skype has released an update (v220.127.116.113) to its Android app, and has patched the hole by changing the permissions of the databases which contain the information in question. Case has verified that his exploit does not work on the new version, but it is still effective when turned against the leaked video version of the app.
“Skype will incorporate the fix into the video version of the app when it is officially released,” says David Ruddock at Android Police.
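The fix described in the update, tightening the permissions on the stored data, is something a developer can check for with a permission audit of the app's private data directory. The following is an added example, not code from Skype or Android Police; it assumes POSIX permission bits, and the directory layout and file names are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_private_dir(root):
    """Return sorted (relative path, mode, problems) for entries other users can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if mode & stat.S_IROTH:
                problems.append("world-readable")
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            if stat.S_ISDIR(st.st_mode) and mode & stat.S_IXOTH:
                problems.append("world-traversable")
            if problems:
                findings.append((os.path.relpath(path, root), oct(mode), ", ".join(problems)))
    return sorted(findings)

def harden(root):
    """Clear every 'other' permission bit below root, leaving owner and group bits alone."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IRWXO)

def build_sample(root):
    """Constructed layout; the names are hypothetical, not Skype's real paths."""
    profile = os.path.join(root, "profile")
    os.mkdir(profile)
    for name, mode in (("main.db", 0o666), ("cache.tmp", 0o600)):
        path = os.path.join(profile, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    os.chmod(profile, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_private_dir(tmp):
            print("before:", finding)
        harden(tmp)
        print("after:", audit_private_dir(tmp))
```

An empty result from `audit_private_dir` after hardening is the condition to assert in a release test, so a regression in file modes is caught before shipping.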