back to article Can't unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass

A newly disclosed vulnerability in Skype for Android could be exploited by miscreants to bypass an Android phone's passcode screen to view photos, contacts, and even launch browser windows. Bug-hunter Florian Kunushevci today told The Register the security flaw, which has been reported to Microsoft, allows the person in …

  1. mark l 2 Silver badge

    No doubt while fixing this bug MS will mess around with the UI as well as that is all they seem to do with Skype these days.

    Skype had its hey day in the early 2000s, it time to take it out back and put it out of its misery along with Myspace and Yahoo.

    1. Tom Paine Silver badge

      Sorry to break it to you, but the (admittedly subjective and anecdotal) evidence I've seen is that Skype for Business / MS InTune is remorselessly eating the corporate VOIP market via O365.

      1. hellwig Silver badge

        Not for long

        My company switched to Skype, and now we're switching off (probably back to WebEx). Skype eats up so much bandwidth, it crippled our networks. The company thought they could replace most phone calls with Skype calls, but most people make video Skype calls.

        Anyway, apparently those wonderful cost savings (it's FREE!!!!1111!!!!), didn't work out in the end.

      2. K Silver badge

        O365 It might be eating the market, but as a product Skype for Business sucks, the only thing that blows harder is Webex. Personally, I hate to admit this, but the only browser-based VOIP/Video Conf solution I've found that works relatively well is....

        1. BlueTemplar

          facepalm

          Why would you expect a "browser-based VOIP/Video Conf" to work well ?!

          The Web is not the place for Apps - use a dedicated program, for god's sake !!

      3. Anonymous Coward
        Anonymous Coward

        Re: Enterprise VoIP

        "Sorry to break it to you, but the (admittedly subjective and anecdotal) evidence I've seen is that Skype for Business / MS InTune is remorselessly eating the corporate VOIP market via O365."

        SfB is doing well in the Enterprise VoIP market in terms of market share, but the reality is enterprise voice lost to the convenience and portability of mobile phones around five years ago (i.e. Enterprise VoIP annual revenue halved between 2007 and 2017). While there are reasons for large systems to remain on the traditional enterprise PBX's, most are historical rather than supporting enterprise growth and the majority of revenue is in on-going support rather than new systems or expansion.

        SfB with per-user licensing and minimal hardware investment is a convenient enterprise voice exit strategy. SfB is particularly good at getting users used to sub-G.711 audio quality that mobile provides...

      4. Paul Crawford Silver badge

        If your current corporate choice is WebEx then practically anything, Skype included, is going to suck so much less it would be a joy!

        1. Glen Turner 666

          The only video conferencing which doesn't suck is Zoom. To cut a long story short, it's the product Cisco's WebEx team wanted to build whilst they were at Cisco.

          1. Zonker Zoggs

            Zoom is great, but https://appear.in/ is my current goto meeting app.

        2. Anonymous Coward
          Anonymous Coward

          We tried lots, including WebEx and Skype, and Google's offering destroyed them all. Much lower bandwidth, better quality and more reliable.

      5. Anonymous Coward
        Anonymous Coward

        Skype for Business

        I've heard the exact opposite: even though Skype for Business might nevertheless come with Office 362.5, it apparently cannot communicate with ordinary people using ordinary Skype with ordinary Skype accounts, which is a pretty serious facepalm. Given that a common use case for teleconferencing is to communicate with other people Far Away (yes, Dougal) rather than people within your own organisation, that's a pretty stupid design decision.

        1. Anonymous Coward
          Anonymous Coward

          Re: Skype for Business

          "even though Skype for Business might nevertheless come with Office 362.5, it apparently cannot communicate with ordinary people using ordinary Skype with ordinary Skype accounts"

          In an on-prem deployment, as long as Skype is federated and not restricted to block unknown domains, you can communicate with ordinary Skype accounts. (https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/let-skype-for-business-users-add-skype-contacts)

          For Office365 Skype accounts, it also requires federation to be enabled although there appear to be some restrictions for Germany and a specific provider. (https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/allow-users-to-contact-external-skype-for-business-users)

          Other than that, it's likely to be a security policy issue or a configuration issue preventing the integration. Unless something has changed since 2018...

    2. Kicker of Metaphorical Cats

      Skype is dead. Teams is the replacement. VoIP to a phone number requires a per-user dial plan so it is not super attractive. The fact that MS keeps changing communication platforms (all started with Exchange Conferencing Server being replaced by LCS) is a major red flag for many an organization.

      AWS has Amazon Connect (call center), Amazon Chime (conferencing), and a rumored soon to be announced desktop VoIP served up via AWS, and everything else will be in jeopardy of becoming background noise.

  2. A.P. Veening

    Taking it back out

    When they do, can Flash be taken back out as well? It needs to be put out of our misery.

  3. elvisimprsntr

    Seems like Android should not grant access unless the device is authenticated/unlocked vs something implemented in every single app on the device.

    1. anthonyhegedus Silver badge

      Skype would need access to contacts and photos BEFORE authentication to display the contact details of the incoming Skype call. It’s access to the rest of the Skype app that should be blocked.

    2. Anonymous Coward
      Anonymous Coward

      They haven't got access to the browser, they have access to skype webview. The files bring shown are again from emptying the app browser, the contacts are Skype contacts.

      In short, it never breaks outside the application sandbox, and isn't really anything to do with android, it's to do with how Skype handles a locked device and it's OWN data.

      Clearly as I am the only person to understand this, this automatically makes me also a self opointed security researcher (a title that you can clearly give to yourself and requires no formal qualifications, even McDonald's burger flippers are likely more certified in their field)

      1. Tom Paine Silver badge
        WTF?

        So... there's no bug, after all?

        Then what have Microsoft "fixed"?

        1. Antonius_Prime

          Re: So... there's no bug, after all?

          A revenue Stream, I believe...

          XD

          Mine's a pint! It's Friday after all!

      2. Tigra 07 Silver badge
        Trollface

        RE: AC

        "Clearly as I am the only person to understand this, this automatically makes me also a self opointed security researcher"

        Just as long as you don't try and call yourself "Engineer"...

      3. Anonymous Coward
        Anonymous Coward

        It's not true you can access pictures and files inside the phone including those that are not used in Skype. The video explains it self that the albums are not only from Skype. Also contacts of the Skype are not only from Skype there are Names & Numbers of all contacts registered on the Android Phone, which means that you can forward pictures to your phone, and view also contacts. Check it by your self and download the older version..

      4. Aodhhan Bronze badge

        You're correct--in what you say; but what you're saying doesn't really apply in this case. So I present you with an 'epic fail', in attempting to show off and belittle others.

        The vulnerability doesn't apply to the application--as a matter of having privileged access to the Skype application.

        The vulnerability is due to the privileges the application is provided on top of the O/S along with other applications, and when these privileges are allowed/provided to the application; and/or when the application is available while the operating system is 'locked'.

  4. Notas Badoff

    Are we there yet?

    "... which taught me the most important thing, which is realizing that what you have learned till now is nothing of what should be learned."

    That'd be all of us then?

    ( Recently met someone who'd been through one of those boot camp thingies, and they had a look of - not deer in the headlights - but rather deer with auto grill imprints and fur smelling of tires. Like, "wait, I have to run that fast and faster just to survive?" )

    1. john fisher 1

      Re: Are we there yet?

      Yes,

      That would be all of us. Congratulations to this young lad for possessing the curiosity that leads to a life long pursuit of knowledge.

  5. Spender
    WTF?

    How is alphagoog off the hook here?

    I expect my lock-screen to be impenetrable, with the exception of *only* apps with permission to make lock-screen notifications. That it's possible to install software that allows the spawning of any non-permissioned app over a lock-screen isn't an app developer problem... It's an operating system design flaw. The flaws in the OS that allow this that should really be addressed by alpha-goog-whatever-they're-called, not patched over in apps written by careless 3rd parties.

    1. Argh

      Re: How is alphagoog off the hook here?

      It's common for apps that allow incoming calls (including the phone app itself) to not need the phone to be unlocked in order to answer calls.

      1. shaolin cookie

        Re: How is alphagoog off the hook here?

        Sure, which is why that OS design isn't super simple. But they still should only allow the answering of that call, thereby allow access to microphone and camera for these apps in said circumstances. The app shouldn't have access to photos etc unless the user unlocks the device first. This is basic functionality of a phone OS, shouldn't be delegated to random third-party apps.

        1. ibmalone Silver badge

          Re: How is alphagoog off the hook here?

          It's hard to stop a malicious app that has been given access to something from using it in a context it's not supposed to, unless you put everything behind a system UI all the time. For example, any request for a contact is an api request that brings you to a system contact chooser and then reports the selected number back to the app, and even that approach can't ensure it's not quietly leeching out the data it does get. Similarly pictures, it could simply grab them while unlocked. Taking that route would also prevent things like incoming call display from working, again you can provide a way around this, but also again that becomes a potential security hole.

          Sounds like MS's failure is not to properly observe the locked state and expose functionality that shouldn't be available while locked. Effectively this is one of the things you are trusting an app to do when you give it access, particularly one that you are also allowing to bypass the lock screen. That's not to say Android shouldn't provide as many tools as it can to help with that, but it becomes difficult when applications go so far as providing their own browser. (Of course there's a difference between a malicious app and one that's simply not designed securely, but an attacker can try to turn the latter into the former.)

          1. bigtimehustler

            Re: How is alphagoog off the hook here?

            Is it really hard to stop this? In the case of contacts when the device is locked return an empty list of contacts to the app, in the case of photos, apply the same logic and the same to everything else. That's the easiest immediate solution, done properly, throw an exception and let the app deal with advising the user the device is not unlocked. Done even better, ask the user to unlock when the request to access these resources is requested by the app.

      2. aks Bronze badge

        Re: How is alphagoog off the hook here?

        Possibly so, but such an app should be restricted by the operating system. If that causes the app to fail to function usefully then the app needs to be re-engineered to understand that it's in a locked-down mode.

    2. Anonymous Coward
      Anonymous Coward

      Re: How is alphagoog off the hook here?

      Because clearly it's a problem with Skype, and how they have implemented browsers, bypassing the system services (which are lock aware).

      It seems they intentionally coded around security.

  6. doug_bostrom

    Wait, the operating system allows an application to roam about without authentication being plugged in, but it's the application's fault?

    Oh, the things we have seen-- and forgotten. Securing a file system and other machine resources isn't really the job of an application.

    1. TechnicalBen Silver badge

      Time of authentication?

      Is that the problem? It's already authenticated... but does not check post/pre lock attempt?

      Other apps are not authenticated to open during the lock screen, so are ok.

      It's an error in all or nothing application of the security, when it should be faceted with all, some and nothing?

    2. lhucineaur

      Exactly what I thought

      I think this is more an android issue rather than a Skype issue.

      It either should not allow apps to unlock the phone or if it allowed them, it should block all access unless authenticated.

    3. Persona

      The OS should not permit the application to roam about without authentication, but should provide a discretionary privilege mechanism to allow applications to respond and respond to incoming calls whilst locked.

      It is however the responsibility of the application to protect all data that it had previously cached when operating in an authenticated mode.

  7. redpawn Silver badge

    They fixed it!

    Governments now love for people to use Skype.

    1. hellwig Silver badge

      Re: They fixed it!

      Huh, interesting point. Maybe the FBI or NSA tried to force this backdoor on Microsoft. That might be giving Microsoft too much credit, and I suppose the biggest reason it's probably not correct is how many people would even bother to install Skype on their Android phone in the first place? Is it really that large of an attack vector outside of corporate handsets?

  8. ukgnome Silver badge
    Trollface

    insecure or unsecure

    surely not - I guess this is what happens when the 2 best tech companies work together.

  9. Anonymous Coward
    Anonymous Coward

    This reminds me when old Windows logon could be bypassed by using a help tooltip, then launching a Windows Help full window, then using the Open menu option to fire explorer.exe

  10. Anonymous Coward
    Anonymous Coward

    Hmmm

    No iOS vs Android discussion?

    Apple made the same mistakes with their own ‘trusted’ apps, but they wouldn’t let another app do this.

    This Skype bug is more about the Android philosophy than Microsoft.

    Apple’s approach is more secure but more limiting. App developers are going to be lazy with security, unless forced otherwise.

    The fix really needs to come from Android (Google) but it would probably break a ton of things.

    1. hellwig Silver badge

      Re: Hmmm

      TROLLL!!!

      But I was wondering this myself. It's seems odd that Google trusts all apps to not allow access to data while the phone is locked. Leave it up to every single vendor to not break the security mode?

      Agreed that this wouldn't be allowed in the Apple-verse, but at the same time, Apple's solution is to make the phone less usable. I love widgets on my lock screen and home screen. But those widgets should NOT have the ability to launch other applications while still locked. Definitely something Google/Android needs to fix.

  11. Anonymous Coward
    Anonymous Coward

    does this affect Skype for Business?

  12. mathew42
    Devil

    Is the implication of this that any application which has 'disable your screen lock' vulnerable? This permission is under 'Other'.

    Seems like for some with nefarious intent it would be trivial to slip into an application and trigger via push to a specific phone at a later point in time.

    Fingerprint readers are becoming common place now. An answer call by scanning fingerprint sounds attractive, but would require an alternative with bluetooth.

  13. panoptiq

    BB

    I want my BlackBerry d@mmit!!

    1. Hans 1 Silver badge
      Coat

      Re: BB

      My primary phone is still a z30 ... it is starting to show its age ... my next phone will be based on open hardware and a libre OS ... I'm happy to wait 'till Kingdom come.

    2. Anonymous Coward
      Anonymous Coward

      Re: BB

      >I want my BlackBerry d@mmit!!

      I don't, had a bold once (BB OS 5) as a company phone and it was the biggest piece of bug ridden shit phone I've ever had the misfortune to use, an other collegue had the storm which was even worse.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019