A flaw in Skype for Android could let criminals harvest private information from smartphones, including the user’s name and e-mail address, contacts and chat logs, the Internet calling software maker confirmed Friday.
One security researcher called it “sloppy coding” and a “disrespect for your privacy.”
Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the handset.
The files contain a wealth of information about the Skype account and the smartphone’s owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
“Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them,” said Case. “Not only are they accessible, but [they’re] completely unencrypted.”
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
“A rogue developer could modify an existing application with code from our proof of concept, distribute that application on the [Android] Market, and just watch as all that private user information pours in,” Case said.
Case’s concern is well-founded. Last month Google yanked more than 50 malware-infected apps from its Android Market, while three weeks ago Czech security company AVAST said a different rogue designed to shame software pirates sent personal information to the maker of the “Walk and Text” app.
On Friday, Skype acknowledged what it called a “privacy vulnerability” in its Android client. Although it promised to address the problem, it did not spell out a timetable.
“We are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application,” said Adrian Asher, Skype’s chief information security officer, in an entry on a company blog.
As of late Sunday, the Skype app for Android had not been updated.
Asher also urged users “to take care in selecting which applications to download and install” on their smartphones.
Chet Wisniewski, a security researcher at Sophos, didn’t think much of that advice.
“How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn’t require special permissions,” Wisniewski said in a Sunday blog.
Instead, Wisniewski said the safest move by Android users would be to delete Skype from their smartphones.
Wisniewski argued that the flaw Case uncovered was not really a vulnerability, disconcerting as it was. “This could simply be written up as sloppy coding at best, or disrespect for your privacy at worst,” he said. “[But it] makes one wonder about the Skype for iOS application. Is it safer in Apple’s App Store?”
The separate Skype Mobile on Verizon app is not affected by the privacy snafu, said Case.