The Skype for Android app puts your sensitive data at risk, possibly exposing it to other apps without your knowledge or consent. Skype is working on a fix, but what should you do in the meantime to protect your data?
Justin Case at the Android Police first uncovered the flaw, and developed an app called Skypwned as a proof of concept to demonstrate how sensitive information such as the Android device owner's full name, phone number, email addresses, contacts, and even Skype chat logs can be accessed without even requiring a username.
The potential data breach is not, however, a result of a flaw or vulnerability per se, but rather poor security configuration by Skype. Randy Abrams, director of technical education for ESET, explains, "Unlike many Android apps that are written to simply take the data, the Skype app exposes data through sloppy programming practices. It is the difference between malice and incompetence."
Andrew Storms, director of security operations for nCircle, clarifies, "There are two problems here that point in Skype's direction. First, the files should be better protected with stricter permissions. Second, and more importantly, all the customer/user data should be stored encrypted," adding, "The application is not going out of its way to ex-filtrate your data but it is making it very easy for some other rogue application to do exactly that."
In a Skype Security blog post from Friday, Skype acknowledged the issue. The post states, "We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application."
Skype recommends that users exercise caution in selecting and installing apps on an Android device to avoid installing malicious apps that might take advantage of the holes in Skype to access exposed information. The problem with that guidance, though, is that there is no way for a user to actually tell if an app might be malicious or attempt to access the exposed data because no suspicious or additional permissions would be required of such an app.
So, what are Android users supposed to do to watch out for issues like this and avoid installing any malicious apps? Geoff Webb, product marketing director for Credant Technologies says that due to a lack of transparency for how information is stored by mobile apps, it is difficult to know whether an application is secure, insecure, or actively attacking your Android device. Webb cautions that businesses in particular should be more careful about allowing devices like these to connect to the network and access sensitive data of any kind, stating, "Until these devices are being managed and secured in at least the same way as your corporate laptop or desktop system, the risk to data on them is going to be high."