The Skype for Android app puts your sensitive data at risk, possibly exposing it to other apps without your knowledge or consent. Skype is working on a fix, but what should you do in the meantime to protect your data?
Justin Case at the Android Police first uncovered the flaw. He developed an app called Skypwned as a proof of concept to demonstrate how sensitive information such as the Android device owner's full name, phone number, email addresses, contacts, and even Skype chat logs can be accessed without needing a username.
The potential data breach is not, however, a result of a flaw or vulnerability per se, but rather poor security configuration by Skype. Randy Abrams, director of technical education for ESET, explained: "Unlike many Android apps that are written to simply take the data, the Skype app exposes data through sloppy programming practices. It is the difference between malice and incompetence."
Andrew Storms, director of security operations for nCircle, clarified: "There are two problems here that point in Skype's direction. First, the files should be better protected with stricter permissions. Second, and more importantly, all the customer/user data should be stored encrypted." He added: "The application is not going out of its way to ex-filtrate your data but it is making it very easy for some other rogue application to do exactly that."
In a Skype Security blog post from Friday, Skype acknowledged the issue. The post said: "We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application."
Skype recommended that users exercise caution in selecting and installing apps on an Android device to avoid installing malicious apps that might take advantage of the holes in Skype to access exposed information. However, the problem with that guidance is there is no way for a user to actually tell if an app might be malicious or attempt to access the exposed data, as such an app would not seem suspicious or require additional permissions.
So, what are Android users supposed to do to watch out for issues like this and avoid installing any malicious apps? Geoff Webb, product marketing director for Credant Technologies, said that due to a lack of transparency surrounding the storage of information by mobile apps, it is difficult to know whether an application is secure, insecure, or actively attacking your Android device.
Webb warned businesses to be particularly careful about allowing devices like these to connect to the network and access sensitive data of any kind. He advised: "Until these devices are being managed and secured in at least the same way as your corporate laptop or desktop system, the risk to data on them is going to be high."