Skype Android Client Leaves User Information At Risk

A vulnerability in the way Skype’s Android app locally stores data could expose users’ sensitive information, an Android developer discovered.

Skype for Android did not securely store sensitive user data on the user’s Android device, leaving the information accessible to any third-party app trying to harvest data, Justin Case, an amateur Android developer, wrote on the Android Police blog on 15 April. The data included names, dates of birth, location information, account balances, phone numbers, email addresses, and biographic details, Case said.

Poor storage

Case discovered the security issue while digging into a leaked beta of Skype Video, and confirmed that the same bug existed in the standard version of Skype Mobile for Android. Skype Mobile for Verizon is not affected.

“What I discovered was just how poorly this app stored private user data,” Case said.

Case wrote a rogue app that could collect user information without requiring any special permissions. Once the rogue app was installed on a phone with Skype for Android also installed, it could sniff out and collect user data. The app would be able to grab data from standard Android devices, not just jailbroken ones, Case said.

“I was in shock at just how much information I could harvest,” Case wrote.

The problem exists in Skype’s data directory folder, which stores user contacts, profiles, and instant message logs. These files have improper permissions, enabling any app with data-collection capabilities to access them. The user name and the folder location are also stored in a static location, making it theoretically possible to parse the file in order to obtain access to the user information.

A rogue developer could theoretically modify an existing app, distribute the app through the Google Marketplace and harvest the data as it flows in. Credit card information is not included and can’t be compromised with this method, but the exposed data “is still clearly very private”, Case said.

Sensitive information

The main.db file alone yields a lot of sensitive user information, including account balance, phone numbers, location and email addresses from the accounts table. The contacts table contains similar information for user contacts and the chat table lists all Skype instant messages exchanged.

Thinking that the issue was only in the latest beta build, Case examined the standard version, which has been available since October, and found the same vulnerability. The issue affects all of the “at least 10 million users” of the app, Case speculated.

“Imagine if Google accidentally leaked all of your Google Talk logs along with your name, email address and phone number – such a breach might cause a mass user exodus,” Case said.

Skype said on its blog post that it is investigating the issue but acknowledged that users who install malicious third-party applications on Android phones could expose data locally stored on the phone by the mobile application.

“We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application,” Skype said in its blog post.

Skype has had security issues before. In 2008, Skype’s “add video to chat” feature allowed attackers to run scripting code on the victim’s computer and install malicious software. Skype fixed the issue a few weeks after the bug was disclosed.

Skype should employ proper file permissions, encrypt the locally stored data, and review mobile apps before releasing them, Case said.
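The flaw described in this article is a file-permission defect: files such as main.db in the app’s data directory were readable by other apps, which on Android run under their own Linux UIDs. The following added example, which is not from the article or from Skype, audits an app data directory for files that other UIDs can read and then applies the fix the article names, owner-only permissions. It assumes a POSIX filesystem and builds a constructed sample directory; the real path of the Skype data directory is not given on the page, so a placeholder is used.

```python
import stat
import tempfile
from pathlib import Path

# Bits that let a different UID (on Android, a different app) read the file.
# Group-readable is flagged too, as a conservative check.
OTHER_READABLE = stat.S_IROTH | stat.S_IRGRP


def audit_data_dir(root):
    """Return relative paths under root that other UIDs can read (files and dirs)."""
    exposed = []
    for path in sorted(Path(root).rglob("*")):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # symlink modes are not meaningful here
        if mode & OTHER_READABLE:
            exposed.append(str(path.relative_to(root)))
    return exposed


def harden_data_dir(root):
    """Strip every group/other bit: files become 0600, directories 0700.
    Returns the number of entries whose mode was changed."""
    changed = 0
    for path in sorted(Path(root).rglob("*")):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        target = 0o700 if stat.S_ISDIR(mode) else 0o600
        if stat.S_IMODE(mode) != target:
            path.chmod(target)
            changed += 1
    return changed


def build_sample_dir():
    """Constructed stand-in for the Skype data directory (real path not on the page)."""
    root = Path(tempfile.mkdtemp(prefix="skype_data_placeholder_"))
    contacts = root / "contacts"
    contacts.mkdir()
    contacts.chmod(0o755)  # directory listable by everyone
    (root / "main.db").write_bytes(b"constructed sqlite placeholder")
    (root / "main.db").chmod(0o666)  # world-readable, as the article describes
    (contacts / "profile.xml").write_bytes(b"<profile/>")
    (contacts / "profile.xml").chmod(0o644)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    print("exposed before:", audit_data_dir(sample))
    print("entries fixed:", harden_data_dir(sample))
    print("exposed after:", audit_data_dir(sample))
```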

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
