The security hole that would have allowed a third-party app to access Skype data has been closed in the latest version of Skype for Android.
Skype
has fixed the privacy vulnerability in its Android application that allowed
malicious apps to harvest sensitive user data.
The
vulnerability has been addressed in the latest Skype for Android, Version
1.0.0.983, and the user data has been properly secured on the mobile device, Adrian
Asher, chief information security officer at Skype, wrote on the Skype blog
on April 20. The problem did not exist for Verizon customers.
Skype
for Android was storing names, dates of birth, location information, account
balances, phone numbers, email addresses and other biographic details in a
nonencrypted and easily accessible file on the mobile device, Justin Case, an
amateur Android developer, wrote on the Android
Police blog on April 15. Any rogue app could have harvested the personal
data as well as old instant messages from insecure database files, according to
Case.
Android
by default sandboxes applications so that data from one app can't be accessed
by another. In this case, Skype overwrote the default by assigning incorrect
file-level permissions, Case said. The data-collecting app Case developed to
demonstrate the vulnerability did not require any unusual permissions and
worked on non-jailbroken Android devices.
"We
have had no reported examples of any third-party malicious application misusing
information from the Skype directory on Android devices," Asher said.
Case
confirmed that the updated version closed the security hole and that his sample
rogue app no longer can access the information stored in the database, David
Ruddock posted on the Android Police blog. Skype changed the permissions of the
databases where the data was stored so that only the Skype app can access the
information, Ruddock said.
Case
noted that the database files were unencrypted in his original analysis. Skype
did not respond to eWEEK's requests for whether the data is encrypted in the
new version.
Case
originally discovered the issue in the beta version of Skype Video that had
been released last week. The fix will be addressed when Skype launches the
official version.
In
addition to the security fix, Skype added the ability to make VOIP (voice over
IP) calls over 3G data connections to the app, even for calls in the United
States. The 3G calling feature in the app will not be supported for Android
phones over the Verizon Wireless network because Verizon already allows 3G
Skype calls, thanks to an exclusive partner agreement signed in 2010.
The
Android app previously allowed users to only send instant messages or place
calls using the phone's existing service or over WiFi. With this new version,
users can call anyone without using up any minutes on their calling plan
because the calls are carried over the mobile data plan. Bypassing the mobile
carrier is not entirely free, as users are still subject to Skype fees.
Major
carriers have opposed the practice in the past, and only Verizon customers had
Skype's VOIP capability up until now. Even if users aren't interested in 3G
calls, they should upgrade just for the security fix.
Asher
reminded users to download the app only from Skype or the official Android
Market links to avoid malicious apps.
Email
Print
