Justin Case, really?
Posting anonymously, but you can call me Mike Hunt.
According to a post at Android Police, confirmed by Skype, the Android version of the popular VoIP app exposes extensive user data. The Android Police report says user IDs, phone numbers, chat logs, and other data is exposed by the vulnerability. User data is stored unencrypted in sqlite3 databases, and Skype for Android uses …
"Justin Case, who published the vulnerability, has also published a proof-of-concept exploit."
It's a shame Justin Time didn't discover the vulnerability. Awesome name.
I would like more info on this "user ID" though. Is it the application's user ID - as in the Unix user account the application is given? Or is it a UID created and maintained internally by Skype and used internally to authenticate for example access to it's content provider or so on?
Not good... At least they managed to send an email out...
Thank you for downloading and using the Skype for Android software. Unfortunately, it has come to our attention that if you were to install a malicious third-party application onto your Android device, it could access the locally stored Skype for Android files. These files include cached profile information and your instant message chat history.
We take our users’ privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application. This update will be available shortly and as always we urge you to install updates to benefit from our continuous fixes and improvements.
Until the update is released, to protect your personal information, we advise that you as always take care when selecting which applications to download and install onto your device from the Android Marketplace.
For more information see our Security Blog at blogs.skype.com/security or our security section at skype.com/security.
Following this article, I removed Skype from my phone pending an update.
Today, (Saturday), I got an email from Skype warning me of the problem. Fair play to them for at least making the effort.
And a beer for the Android Police for spotting the problem in the first place.
Google didn't like all that nasty security stuff in Java getting in the way of them making money, They also didn't like the prospect of paying Sun a few 10's of cents for each phone in royalties. So they rolled their own and threw out all that inconvenient security stuff. Now every week we hear of some new app spewing users information to servers all over the planet.
No one should be surprised by this, security was designed out of Android from the very beginning. But no matter, the money keeps rolling in.
Actually file permissions in android are very simple. They use standard *nix permissions but obviously you don't create files directly but through the android APIs. By default file files are only accessible by the owning application. You have to explicitly use MODE_WORLD_[READ|WRITE]ABLE when creating a file (or in this case, a database) to make it visible to other apps.
I am a bit curious as to how Skype managed to get this wrong.
Biting the hand that feeds IT © 1998–2020