Skype For Android Exposes Private User Data

These days, protecting one's personal data online is a major concern to almost everyone. If you're not looking out for threats to your identity and private data, you haven't been paying attention.

Yet somehow, in the midst of all of this, Skype, one of the most popular apps for Android (and otther) devices has left a significant security leak on the phones of every user who has downloaded their Android app – all 10 million of them! (The exception to this appears to be the Skype Mobile for Verizon app, which was not found to carry the vulnerability.) Our good friend Justin Case at AndroidPolice has discovered this exploit while digging around under the hood of the Skype app. And frankly, this is not at all a subtle, or hidden flaw.


Where Skype Messed Up

In the course of its day-to-day operations, Skype saves a variety of your data to a folder, which bears the same name as your Skype username, on your SD card. Unfortunately, they appear to have overlooked a fundamental step in the process: setting proper permissions for this folder, leaving all of its contents open and accessible to everyone and any app on your phone. Oh, and they didn't bother to encrypt the data either.

If you're interested in the technical detail, take a look at the file structure of that folder, below. The .db files are sqlite3 databases. For those uninitiated into Unix arcana, the "-rw-rw-rw-" at the beginning of each file listing indicates that anyone can read from or write to this file.

# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap

-rw-rw-rw- app_152 app_152 331776 2011-04-13 00:08 main.db

-rw-rw-rw- app_152 app_152 119528 2011-04-13 00:08 main.db-journal

-rw-rw-rw- app_152 app_152 40960 2011-04-11 14:05 keyval.db

-rw-rw-rw- app_152 app_152 3522 2011-04-12 23:39 config.xml

drwxrwxrwx app_152 app_152 2011-04-11 14:05 voicemail

-rw-rw-rw- app_152 app_152 0 2011-04-11 14:05 config.lck

-rw-rw-rw- app_152 app_152 61440 2011-04-13 00:08 bistats.db

drwxrwxrwx app_152 app_152 2011-04-12 21:49 chatsync

-rw-rw-rw- app_152 app_152 12824 2011-04-11 14:05 keyval.db-journal

-rw-rw-rw- app_152 app_152 33344 2011-04-13 00:08 bistats.db-journal


How Bad is This, Really?

What is the data that's stored in this open, unencrypted folder? Let's start with a few minor details on display in the main.db file, like your full name, date of birth, phone numbers, email address, your bio, etc. (in the Accounts Table). And, in the Contacts Table, we can peek at all the parallel information on everyone in your contact list. And moving on to the Chat's Table, you can see – yep, you guessed it: all your instant messages.

What's the Danger in All This, Really?

But, this is all on my phone, and therefore my data remains in my hands, right? Not exactly. The fact that your data is unencrypted, in an open-standard database, in an unsecure folder, means that any app you install could potentially access all of this information, and then phone home, sending it all to the creator of this rogue app.


But They'd Need the Name of the Folder, Wouldn't They?

In order to find one's way into this folder, they'd need your unique username (which, as we said, is also the name of the folder). Luckily for the rogue app developer, and unlucky for you, Skype made this easy, by storing your username in a fixed location. So anyone with even a cursory knowledge of Unix commands can find your username and the path to the data store:

# ls -l /data/data/com.skype.merlin_mecha/files/shared.xml

-rw-rw-rw- app_152 app_152 56136 2011-04-13 00:07 shared.xml

# grep Default /data/data/com.skype.merlin_mecha/files/shared.xml

<Default>jcaseap</Default>


How Realistic is it For Someone to Write an App Like This?

After discovering the privacy hole, Justin was kind enough to take the time to show just how easy it actually is to exploit, by writing and putting out a Proof of Concept app. {We link to this app strictly for informational and educational purposes, and to encourage the folks at Skype to do something about fixing this before someone with less integrity than Justin or us decides to do something with it.} Install and run this app on any Android phone {read: doesn't need to be rooted} with Skype installed, and take a look at some (not all) of the info available to be harvested. A less scrupulous hacker could be sitting back and gathering all the personal information which would come pouring in. (Fortunately there is no credit card information stored in this folder.)

Here's a video demonstration of what it does:

Justin's Proof of Concept App Demonstrates The Skype Privacy Leak

http://www.youtube.com/watch?v=An8SnCBj-gU


What is Skype Going to Do About It?

It took a day, but at time of writing of this article, Skype had acknowledged the flaw in the program in their privacy blog:

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.


To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

As usual, check back to this space for more security updates on this and other Android apps. And I'll be interested to hear what your next move will be. Are you uninstalling Skype from your phone? Or are you simply going to be more careful in screening other apps you install, to avoid a rogue app that will take advantage of the weakness? Feel free to comment below and let us know.


Source: Android Police, Skype