Skype for Android users are potentially at risk for having malicious apps steal sensitive user data from their phone because of incorrectly assigned file permissions
A vulnerability in the way Skype's Android app locally stores
data could potentially expose users' sensitive information, an Android
Skype for Android did not securely store sensitive user data
on the user's Android device, leaving the information accessible to any
third-party app trying to harvest data, Justin Case, an amateur Android
developer, wrote on the Android
on April 15. The data included names, dates of birth, location
information, account balances, phone numbers, email addresses, and biographic
details, Case said.
Case discovered the security issue while digging into a
leaked beta of Skype Video, and confirmed that the same bug existed in the standard
version of Skype Mobile for Android. Skype Mobile for Verizon is not affected.
"What I discovered was just how poorly this app stored
private user data," Case said.
Case wrote a rogue app that could collect user information
without requesting any special Android permissions. Once the rogue app was installed on
a phone that also had Skype for Android installed, it could locate and read the
user's data. The app could grab data from standard Android devices, not
just rooted ones, Case said.
"I was in shock at just how much information I could
harvest," Case wrote.
The problem lies in Skype's data directory, which
stores user contacts, profiles, and instant message logs. These files have
improper permissions that leave them readable by any other app on the device,
with no special permission required. The user name and the folder location are also
stored in a static location, making it possible to parse that file, locate the
user's data folder and read the user information.
A rogue developer could modify an existing
app, distribute it through the Android Market and harvest the data as
it flows in. Credit card information is not among the locally stored data and can't be compromised
this way, but the exposed data "is still clearly very private," Case said.
The main.db file alone yields a lot of sensitive user
information: the accounts table holds the account balance, phone numbers, location and email
addresses. The contacts table contains similar
information for the user's contacts, and the chat table lists all Skype instant messages.
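To make the failure mode concrete, here is an added example (my own code, not Skype's and not Case's rogue app). It builds a constructed mock of the layout the article describes (a static file naming the account, and a per-account folder holding main.db with an accounts table) under a temporary directory, gives it the kind of lax modes the bug left behind, runs an audit for world-readable files, shows what a zero-permission app could read by following the static file to the database, and then applies the owner-only permissions Case recommends and re-audits. The file name shared.xml, the directory layout, the column names, the sample values and the specific modes 751/666 are all assumptions; the article only says the permissions were improper.

```python
"""Audit a private app data directory for world-readable files.

Constructed example, not Skype's code or Case's rogue app: builds a mock of
the layout the article describes, gives it lax modes, shows what an app with
no permissions could read, then applies owner-only modes and re-audits.
"""
import os
import pathlib
import shutil
import sqlite3
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumed names: the article mentions main.db and its accounts table, but the
# static file name, directory layout and column names here are assumptions.
SHARED_XML = "shared.xml"
ACCOUNT_COLUMNS = ("skypename", "phone_mobile", "emails", "city", "balance")


def readable_by_others(path):
    """Mode-bit check standing in for a different UID trying to read."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def build_mock_data_dir(root, account="alice.example"):
    """Create the vulnerable layout under root with world-readable modes."""
    files_dir = os.path.join(root, "files")
    acct_dir = os.path.join(files_dir, account)
    os.makedirs(acct_dir)
    shared = os.path.join(files_dir, SHARED_XML)
    with open(shared, "w") as fh:  # constructed: static file naming the account
        fh.write("<config><Lib><Account><Default>%s</Default>"
                 "</Account></Lib></config>" % account)
    db = os.path.join(acct_dir, "main.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE accounts (%s)" % ", ".join(ACCOUNT_COLUMNS))
    con.execute("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)",  # constructed row
                (account, "+1 555 0100", "alice@example.invalid", "Seattle", 1250))
    con.commit()
    con.close()
    # Reproduce the bug (modes assumed): directories traversable and files
    # readable by any UID on the device.
    for d in (root, files_dir, acct_dir):
        os.chmod(d, 0o751)
    for f in (shared, db):
        os.chmod(f, 0o666)
    return files_dir


def world_readable_files(root):
    """Audit: relative paths of every file under root readable by 'other'."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if readable_by_others(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def harvest(files_dir):
    """What a rogue app with no permissions could do: read the static file to
    learn the account name, then open that account's main.db read-only."""
    shared = os.path.join(files_dir, SHARED_XML)
    if not readable_by_others(shared):
        return None
    account = ET.parse(shared).findtext("Lib/Account/Default")
    db = os.path.join(files_dir, account, "main.db")
    if not readable_by_others(db):
        return None
    con = sqlite3.connect(pathlib.Path(db).as_uri() + "?mode=ro", uri=True)
    row = con.execute("SELECT %s FROM accounts"
                      % ", ".join(ACCOUNT_COLUMNS)).fetchone()
    con.close()
    return dict(zip(ACCOUNT_COLUMNS, row))


def lock_down(root):
    """Remediation: owner-only access on every directory and file."""
    for dirpath, _dirs, names in os.walk(root):
        os.chmod(dirpath, 0o700)
        for name in names:
            os.chmod(os.path.join(dirpath, name), 0o600)


def demo():
    """Audit and harvest before and after the fix; returns a 4-tuple."""
    root = tempfile.mkdtemp()
    try:
        files_dir = build_mock_data_dir(root)
        before = world_readable_files(files_dir)
        leaked = harvest(files_dir)
        lock_down(root)
        after = world_readable_files(files_dir)
        blocked = harvest(files_dir)
    finally:
        shutil.rmtree(root)
    return before, leaked, after, blocked


if __name__ == "__main__":
    before, leaked, after, blocked = demo()
    print("world-readable before fix:", before)
    print("harvested:", leaked)
    print("world-readable after fix:", after, "| harvest now returns:", blocked)
```

Because the script runs as a single user, the `S_IROTH` bit is used as the stand-in for a second UID; on a device the equivalent check is the mode bits on the package's directory under /data/data, where each installed app runs as its own Linux user and the "other" bits are exactly what a foreign app gets.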
Thinking that the issue was only in the latest beta
build, Case examined the standard version, which has been available since
October, and found the same vulnerability. The issue affects all of the "at
least 10 million users" of the app, Case speculated.
"Imagine if Google accidentally leaked all of your Google
Talk logs along with your name, email address and phone number-such a breach
might cause a mass user exodus," Case said.
Skype said in a blog post that it is investigating the
issue but acknowledged that users who install malicious third-party
applications on Android phones could expose data stored locally on the phone by
the Skype mobile application.
"We take your privacy very seriously and are working quickly
to protect you from this vulnerability, including securing the file permissions
on the Skype for Android application," Skype said in its blog post.
Skype has had security issues before. In 2008, Skype's
"add video to chat" feature allowed attackers to run scripting code
on the victim's computer and install malicious software. Skype fixed the issue
a few weeks after the bug was disclosed.
Skype should employ proper file permissions, encrypt the
locally stored data, and review mobile apps before releasing them, Case said.