Skype Android Client Leaves User Information At Risk

A vulnerability in the way Skype’s Android app locally stores data could potentially exposes users’ sensitive information, an Android developer discovered.

Skype for Android did not securely store sensitive user data on the user’s Android device, leaving the information accessible to any third-party app trying to harvest data, Justin Case, an amateur Android developer, wrote on the Android Police blog on 15 April. The data included names, dates of birth, location information, account balances, phone numbers, email addresses, and biographic details, Case said.

Poor storage

The security issue was discovered while digging into a leaked beta of Skype Video, and confirmed the same bug existed in the standard version of Skype Mobile for Android. Skype Mobile for Verizon is not affected.

“What I discovered was just how poorly this app stored private user data,” Case said.

Case wrote a rogue app that could collect user information without requiring any special permissions. Once the rogue app was installed on a phone with Skype for Android also installed, it could sniff out and collect user data. The app would be able to grab data from standard Android devices–not just jail broken ones, Case said.

“I was in shock at just how much information I could harvest,” Case wrote.

The problem exists in Skype’s data directory folder, which stores user contacts, profiles, and instant message logs. These files have improper permissions, enabling any app with data-collection capabilities to access them. The user name and the folder location are also also stored in a static location, making it theoretically possible to parse the file in order to obtain access to the user information.

A rogue developer could theoretically modify an existing app, distribute the app through the Google Marketplace and harvest the data as it flows in. Credit card information is not included and can’t be compromised with this method, but the exposed data “is still clearly very private”, Case said.

Sensitive information

The main.db file alone yields a lot of sensitive user information, including account balance, phone numbers, location and email addresses from the accounts table. The contacts table contains similar information for user contacts and the chat table lists all Skype instant messages exchanged.

Thinking that the issue was only in the latest beta build, Case examined the standard version, which has been available since October, and found the same vulnerability. The issue affects all of the “at least 10 million users” of the app, Case speculated.

“Imagine if Google accidentally leaked all of your Google Talk logs along with your name, email address and phone number – such a breach might cause a mass user exodus,” Case said.

Skype said on its blog post that it is investigating the issue but acknowledged that users who install malicious third-party applications on Android phones could expose data locally stored on the phone by the mobile application.

“We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application,” Skype said in its blog post.

Skype has had security issues before. In 2008, Skype’s “add video to chat” feature allowed attackers to run scripting code on the victim’s computer and install malicious software. Skype fixed the issue a few weeks after the bug was disclosed.

Skype should employ proper file permissions, encrypt the locally stored data, and review mobile apps before releasing them, Case said.