If you’re a Skype Android app user, take a deep breath; your security may be compromised. Skype has confirmed that a flaw in their Android app may allow hackers access to confidential information via third party applications.
Late last week, independent Android specialist Justin Case at AndroidPolice.com was trying out a leaked version of Skype Video. He generally thought highly of the app, but after his initial positive experience, he decided to “take apart” the app and discovered “just how poorly this app stored private user data”.
He then applied the same technique used to hack into the flaw in Skype Video and tried it out on Skype for Android. What did he discover? The same security flaw on the beta Skype Video App also applied to the Skype Android App (but not to the Skype Mobile for Verizon), but unlike the beta, the Android App has over 10 million users. 10 million users compromised.
The flaw in the Skype app has to do with the way data saves to the mobile device, making files readable by other apps on the same device. This has two ramifications. The first is that this is not a typical flaw because it requires a third party app on the mobile device in order to exploit the flaw. The second, and most relevant to users, is that the flaw makes the app vulnerable to hackers using third party apps to access personal details, contact lists, and chat logs. Needless to say, this isn’t good. However, there is a bright side: third party apps do not appear to be able to access credit card details.
As of April 18th, 2011 Skype issued an official statement which reads:
It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.
These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.
To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.
But there is something missing from this statement: a timeline. So, while Skype acknowledges the flaw, it doesn’t give any indication of when the flaw might be fixed. This makes the statement appear to be more of a public relations move to appease worried users than an actual effort to fix the flaw.
This may be because the flaw requires a third party app, and as such, there is, technically, some responsibility on the part of the user to make sure none of their apps are infected with malware. On the other hand, being that the data available to third party apps isn’t even encrypted, and the flaw is in not just one but two apps, one wonders if this is a case of sloppy coding on Skype’s part. If this is the case, they should be scurrying to solve the problem.
If Skype wants to keep its Android App users breathing easy, it had better provide an update sooner rather than later.