April 18, 2011, 12:14 PM — Not that anyone was really expecting bulletproof security using a free, ad-supported videoconferencing app on a smartphone operating system designed to make it easy for apps to share information with almost anything that's interested without worrying too much about separating private data from public, but...
Skype, running on Android, turns out to be less secure than you might have hoped.
"Sloppy coding" in the Skype client leaves most of the user-data files unprotected and shareable with apps already on the phone and, potentially, with malware or sniffers nearby that can identify the files and send the right query.
"Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them," an Android Police contributor and security researcher using the name Justin Case told Computerworld.
In his entry on Android Police, Case said he expected the sloppy security was from a beta version that was posted with more holes than usual.
"But upon examining the standard version of Skype for Android (which has been available since October 2010) I discovered the same vulnerability – meaning this affects all of the at least 10 million users of the app."
The only version he found that was unaffected was Skype Mobile for Verizon.
The others left data files unprotected and unencrypted, including main.db, which stores nearly all of a user's relevant information, including real name, account balance, date of birth, location, office, home and cell phone numbers, email addresses, bio information and other data. Chat logs, contact lists and other usage information are also available.
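The two defects described above are file permissions that let any other app on the device read the files, and a SQLite database stored in plaintext. The following audit script is an added example, not code from the article or from Skype: it walks an app data directory, flags every world-readable file, and checks whether a flagged file carries the plaintext SQLite header. The directory layout and file names it builds (a hypothetical `files/main.db`, `files/chat.log`, `files/private.db`) are constructed sample data for the demonstration.

```python
import os
import sqlite3
import stat
import tempfile

# Every unencrypted SQLite database starts with this 16-byte header;
# an encrypted database file would not.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_world_readable(path):
    """True if the 'other' read bit is set (any uid on the device can open it)."""
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def looks_like_plaintext_sqlite(path):
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def audit_app_data(root):
    """Walk an app's data directory and report files other apps could read.

    Returns a sorted list of (relative_path, issue) tuples. Only files with
    the world-read bit are reported; a world-readable plaintext SQLite
    database is called out separately because it exposes structured data.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not is_world_readable(full):
                continue
            rel = os.path.relpath(full, root)
            if looks_like_plaintext_sqlite(full):
                findings.append((rel, "world-readable plaintext SQLite database"))
            else:
                findings.append((rel, "world-readable file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout (hypothetical; not the real app's files)."""
    files = os.path.join(root, "files")
    os.makedirs(files, exist_ok=True)
    for name, mode in (("main.db", 0o644), ("private.db", 0o600)):
        con = sqlite3.connect(os.path.join(files, name))
        con.execute("CREATE TABLE accounts(fullname TEXT)")
        con.execute("INSERT INTO accounts VALUES ('constructed user')")
        con.commit()
        con.close()
        os.chmod(os.path.join(files, name), mode)  # 0o644 is the defect
    with open(os.path.join(files, "chat.log"), "w") as f:
        f.write("constructed chat line\n")
    os.chmod(os.path.join(files, "chat.log"), 0o666)


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_app_data(root)
```

On a real device the same check has to be run against the app's own data directory (and the directory's own mode bits matter as much as the files'); the fix is to create files with owner-only permissions and to keep sensitive databases encrypted at rest.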
Case posted proof-of-concept code for an exploit to collect the data and return it to him. Modifying the code and distributing it via the Android Market would give hackers a huge base of potential victims and a distribution network through which to reach them. Once the app is posted, hackers would just have to "watch as all that private user information pours in," he wrote.
Skype, Google Talk and other VoIP apps are a great addition to Android because they give users the option of going around the service provider's own voice services and requirements to make calls or chat – at least to the extent that's possible while tethered to the provider's data network.