A vulnerability in Skype and Skype Video for Android has been discovered, which can leave sensitive information at the mercy of other, malicious apps.
The detective work came from Justin Case at Android Police, who explains, "On April 11, a leaked version of Skype Video hit the web and, having a Thunderbolt, I had to try it. My first impressions of it were positive, it worked and ran smoothly. My next reaction was, you guessed it: let’s take it apart. What I discovered was just how poorly this app stored private user data."
"I quickly came up with an exploit, and I was in shock at just how much information I could harvest. Everything was available to the rogue app I created, without the need for root or any special permissions," adds Case. "Surely, only this leaked beta build was vulnerable, or so I thought. But upon examining the standard version of Skype for Android (which has been available since October 2010) I discovered the same vulnerability – meaning this affects all of the at least 10 million users of the app."
He also provides a video showcasing the vulnerability.
Skype has responded:
Adrian Asher posted the following statement on the company's security blog:
"It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.
"These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.
"To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."
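The file-permission weakness the statement describes can be audited on a copy of an app's data directory by checking the "other" permission bits. The sketch below is an added example, not code from Android Police or Skype; the directory layout and file names are constructed, and it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

def world_accessible(root):
    """Map each regular file under root that any other local UID could open
    to the access it is granted: 'r', 'w' or 'rw'."""
    findings = {}

    def walk(directory):
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            mode = entry.stat(follow_symlinks=False).st_mode
            if stat.S_ISDIR(mode):
                # Opening a file by path needs o+x on every ancestor
                # directory; o+r on the directory only matters for listing.
                if mode & stat.S_IXOTH:
                    walk(entry.path)
            elif stat.S_ISREG(mode):
                access = ("r" if mode & stat.S_IROTH else "") + \
                         ("w" if mode & stat.S_IWOTH else "")
                if access:
                    findings[os.path.relpath(entry.path, root)] = access

    if os.stat(root).st_mode & stat.S_IXOTH:
        walk(root)
    return findings

def build_sample_tree():
    """Constructed stand-in for an app's private data directory."""
    root = tempfile.mkdtemp(prefix="appdata_")
    layout = [  # (relative path, directory mode, file mode), all constructed
        ("account/profile_cache.db", 0o755, 0o666),  # world read/write
        ("account/chat_history.db", 0o755, 0o644),   # world readable
        ("account/settings.xml", 0o755, 0o660),      # owner and group only
        ("locked/token.bin", 0o700, 0o644),          # shielded by its parent
    ]
    for rel, dir_mode, file_mode in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, file_mode)
        os.chmod(os.path.dirname(path), dir_mode)
    os.chmod(root, 0o751)  # traversable by others, but not listable
    return root

if __name__ == "__main__":
    for rel, access in world_accessible(build_sample_tree()).items():
        print(f"{access:2} {rel}")
```

A file with permissive bits inside a directory that denies traversal to others is not reported, which is why restricting the directory or the files themselves both close the exposure.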
Late last month, Skype announced that it had achieved a record 30 million users online at the same time.