According to a post at Android Police, confirmed by Skype, the Android version of the popular VoIP app exposes extensive user data. The Android Police report says user IDs, phone numbers, chat logs, and other data is exposed by the vulnerability. User data is stored unencrypted in sqlite3 databases, and Skype for Android uses …
"Justin Case, who published the vulnerability, has also published a proof-of-concept exploit."
It's a shame Justin Time didn't discover the vulnerability. Awesome name.
I would like more info on this "user ID" though. Is it the application's user ID - as in the Unix user account the application is given? Or is it a UID created and maintained internally by Skype and used internally to authenticate, for example, access to its content provider or so on?
Justin Case, really?
Posting anonymously, but you can call me Mike Hunt.
Unencrypted, badly set permissions, predictable location...
Not good... At least they managed to send an email out...
Thank you for downloading and using the Skype for Android software. Unfortunately, it has come to our attention that if you were to install a malicious third-party application onto your Android device, it could access the locally stored Skype for Android files. These files include cached profile information and your instant message chat history.
We take our users’ privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application. This update will be available shortly and as always we urge you to install updates to benefit from our continuous fixes and improvements.
Until the update is released, to protect your personal information, we advise that you as always take care when selecting which applications to download and install onto your device from the Android Marketplace.
For more information see our Security Blog at blogs.skype.com/security or our security section at skype.com/security.
Does this include the version shipped on Three Android phones as that version was written specifically for Three?
Better late than never...
Following this article, I removed Skype from my phone pending an update.
Today, (Saturday), I got an email from Skype warning me of the problem. Fair play to them for at least making the effort.
And a beer for the Android Police for spotting the problem in the first place.
The Android police wouldn't have been needed if Google weren't so stupid
Google didn't like all that nasty security stuff in Java getting in the way of them making money. They also didn't like the prospect of paying Sun a few tens of cents for each phone in royalties. So they rolled their own and threw out all that inconvenient security stuff. Now every week we hear of some new app spewing users' information to servers all over the planet.
No one should be surprised by this, security was designed out of Android from the very beginning. But no matter, the money keeps rolling in.
Actually file permissions in Android are very simple. They use standard *nix permissions but obviously you don't create files directly but through the Android APIs. By default files are only accessible by the owning application. You have to explicitly use MODE_WORLD_[READ|WRITE]ABLE when creating a file (or in this case, a database) to make it visible to other apps.
I am a bit curious as to how Skype managed to get this wrong.
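To make the point in that comment concrete, here is an added example (not code from the page, from Skype, or from the Android Police report): the deprecated world-readable mode beside the private default, plus a small audit that lists any file under the app's own storage whose mode bits grant read or write to other uids. The class name and the database name are hypothetical; the Android APIs used (Context.openOrCreateDatabase, the MODE_* constants, android.system.Os.stat and OsConstants) are real.

```java
// Added example, not Skype's code: the weak and the correct way to create an
// app-private SQLite database on Android, and a check for files that ended
// up readable or writable by other apps.
import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;

import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class AppStorageModes {

    // Hypothetical database name, used by both variants below.
    private static final String DB_NAME = "example_chat_history.db";

    // WEAK: MODE_WORLD_READABLE sets o+r on the database file, so any other
    // app uid on the device can open it once it knows the path. The constant
    // is deprecated, and on newer Android releases passing it throws a
    // SecurityException, but older apps could and did pass it.
    @SuppressWarnings("deprecation")
    public static SQLiteDatabase openWorldReadable(Context ctx) {
        return ctx.openOrCreateDatabase(DB_NAME, Context.MODE_WORLD_READABLE, null);
    }

    // HARDENED: MODE_PRIVATE (the default, value 0) leaves the file owned by
    // and readable only by this app's own Unix uid.
    public static SQLiteDatabase openPrivate(Context ctx) {
        return ctx.openOrCreateDatabase(DB_NAME, Context.MODE_PRIVATE, null);
    }

    // True when the file's mode bits grant read or write to "other"
    // (o+r / o+w), i.e. to every other app uid on the device.
    public static boolean isWorldAccessible(File f) throws ErrnoException {
        StructStat st = Os.stat(f.getAbsolutePath());
        return (st.st_mode & (OsConstants.S_IROTH | OsConstants.S_IWOTH)) != 0;
    }

    // Walks the app's own files/ and databases/ directories and returns the
    // paths any other app could read or write. An empty list is the expected
    // result for an app that never used the MODE_WORLD_* flags.
    public static List<String> findExposedFiles(Context ctx) {
        List<String> exposed = new ArrayList<>();
        File[] roots = {
            ctx.getFilesDir(),
            ctx.getDatabasePath(DB_NAME).getParentFile(),
        };
        for (File root : roots) {
            collect(root, exposed);
        }
        return exposed;
    }

    private static void collect(File dir, List<String> out) {
        File[] children = (dir == null) ? null : dir.listFiles();
        if (children == null) return;
        for (File child : children) {
            if (child.isDirectory()) {
                collect(child, out);
                continue;
            }
            try {
                if (isWorldAccessible(child)) out.add(child.getAbsolutePath());
            } catch (ErrnoException e) {
                // A file we cannot stat is reported rather than silently skipped.
                out.add(child.getAbsolutePath() + " (stat failed: " + e.getMessage() + ")");
            }
        }
    }
}
```

A reviewer without the app's source can get the same answer from a shell on a debug build or rooted device with `ls -l` on the app's databases directory: the "other" column of the mode string should be `---`, not `r--` or `rw-`.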
This is a title, it contains letters and or numb3rs...
Justin Case meet Mary Christmas, Ben Dover Mike Hunt and Mike Roch.
Lucky Justin Case was justin time spotting this.
Just checked on a Windows PC, version 4.2. All the same stuff is in AppData\Roaming\Skype. Even information from other accounts can be easily seen with Notepad and some SQLite GUI.
*All* Closed Source applications are vulnerable
Some Open Source applications are vulnerable too, but this is usually just a passing phase.
When are people going to start getting it?
Has this problem been resolved yet?
Wow this is great, especially not smart to have crapware locked in apps!
Why should my droid come preloaded with crap? Case in point, this breach makes Verizon liable.