Skype Rings Changes To Fix Android App Vulnerability

Skype has fixed the privacy vulnerability in its Android application that allowed malicious apps to harvest sensitive user data.

The vulnerability has been addressed in the latest Skype for Android, Version 1.0.0.983, and the user data has been properly secured on the mobile device, Adrian Asher, chief information security officer at Skype, wrote on the Skype blog on April 20.

Unencrypted Data Files

Skype for Android was storing names, dates of birth, location information, account balances, phone numbers, email addresses and other biographic details in a non-encrypted and easily accessible file on the mobile device, “Justin Case”, an amateur Android developer, wrote on the Android Police blog on April 15. Any rogue app could have harvested the personal data as well as old instant messages from insecure database files, according to Case.

Android sandboxes applications by default so that data from one app cannot be accessed by another. In this case, Skype overwrote the default by assigning incorrect file-level permissions, Case said. The data-collecting app Case developed to demonstrate the vulnerability did not require any unusual permissions and worked on non-jailbroken Android devices.

“We have had no reported examples of any third-party malicious application misusing information from the Skype directory on Android devices,” Asher said.

Case confirmed that the updated version closed the security hole and that his sample rogue app no longer can access the information stored in the database, David Ruddock posted on the Android Police blog. Skype changed the permissions of the databases where the data was stored so that only the Skype app can access the information, Ruddock said.

Case noted that the database files were unencrypted in his original analysis. Skype did not respond to eWEEK’s requests for information about data encryption in the new version.

Case originally discovered the issue in the beta version of Skype Video that was released last week. The fix will be addressed when Skype launches the official version.

In addition to the security fix, Skype added the ability to make Voice over IP (VoIP) calls over 3G data connections to the app, even for calls in the United States. The 3G calling feature in the app will not be supported for Android phones over the US Verizon Wireless network because Verizon already allows 3G Skype calls, thanks to an exclusive partner agreement signed in 2010.

The Android app previously allowed users to only send instant messages or place calls using the phone’s existing service or over WiFi. With this new version, users can call anyone without using up any minutes on their calling plan because the calls are carried over the mobile data plan. Bypassing the mobile carrier is not entirely free, as users are still subject to Skype fees.

Major carriers have opposed the practice in the past, and only Verizon customers had Skype’s VoIP capability up until now. Even if users are not interested in 3G calls, they should upgrade just for the security fix.

Asher reminded users to download the app only from Skype or the official Android Market links to avoid malicious apps.