Communications Android Security

Skype For Android Can Leak Data To Malicious Apps

Posted by Soulskill
from the we-know-what-you're-really-doing-with-skype dept.
An anonymous reader writes "It appears that Skype account information on an Android phone remains readable by all in a standard installation, at least for certain versions of Skype out in the wild. That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called, phone numbers, personal information). Skype is said to be working on a fix for what appears to be a simple file permissions issue. This sheds some more light on how much private information everybody gives away for free by just owning a phone with half a wrong chmod."

  • by Anonymous Coward

    This just in, information written readable by other apps is readable by other apps!

  • Phew (Score:4, Funny)

    by tripleevenfall (1990004) on Friday April 15, 2011 @12:11PM (#35830462)

    I'm glad I have an android phone, lord knows I couldn't deal with those insecure iphones and blackberries ;)

    • In fact that is one of the major selling points, they really put security at the top of the list. Extremely fine grained per app access controls, FIPS compliant encryption, secure wiping and so on. There is little to criticize in that regard, and is one of the reasons the US government loves the things so much (seriously, find a government agency that doesn't use Blackberries for all their employees).

    • You're blaming a flaw in a particular application on the OS. If this was a problem with the OS, wouldn't all apps that use SQLite be exposing their data?

  • by bl8n8r (649187) on Friday April 15, 2011 @12:11PM (#35830476)
    # ls -l /data/data/com.skype.merlin_mecha/files/jcaseap

    The dude is in as root (via adb shell?). Note the '#'. I guess he's still got a point about 666 on private files. As long as you have execute perms on the directory, you can read files tagged o+r.

    • Someone can't read (Score:3, Informative)

      by JustinCaseAP (2042248)
      I'm that dude, and the POC doesn't use root. It has app level UID. I was showing the permissions with a root shell, because that is what I have adbD running as on my daily phone.
    • by GweeDo (127172)

      Yes, in his example at the bottom he is using a root shell, but the application (which is shown in the video) isn't running as root.
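
The condition described in the thread above (o+r on a file plus execute permission on each directory leading to it) written as a defensive audit script. This is an added example, not part of the original discussion or the researcher's proof of concept. The package name, file names and modes in the sample tree are constructed, and directories above the chosen root are assumed to be traversable.

```python
import os
import stat
import tempfile


def world_readable_files(root):
    """Regular files under root that any other UID can open: the file has o+r
    and every directory from root down to it has o+x (o+r on dirs not needed)."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []  # others cannot traverse here; skip the subtree
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                exposed.append((os.path.relpath(full, root), oct(mode & 0o777)))
    return sorted(exposed)


def build_sample_tree(base):
    """Constructed layout (not Skype's real one) for the demonstration."""
    app = os.path.join(base, "com.example.app")
    layout = {
        "files/user_a": 0o711,  # traversable by others, not listable
        "files/locked": 0o700,  # owner only
    }
    files = {
        "files/user_a/main.db": 0o666,     # the kind of mistake reported
        "files/user_a/config.xml": 0o600,  # owner only
        "files/locked/cache.db": 0o666,    # o+r, but the parent blocks access
    }
    for rel in layout:
        os.makedirs(os.path.join(app, rel))
    for rel, mode in files.items():
        path = os.path.join(app, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    for rel, mode in layout.items():
        os.chmod(os.path.join(app, rel), mode)
    os.chmod(os.path.join(app, "files"), 0o711)
    os.chmod(app, 0o751)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode in world_readable_files(build_sample_tree(tmp)):
            print(mode, rel)
```

Only `main.db` is reported: `cache.db` has the same 666 mode but sits under a 700 directory, and `config.xml` is 600.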

  • Skype permissions (Score:3, Insightful)

    by Anonymous Coward on Friday April 15, 2011 @12:13PM (#35830504)

    When you open Skype in the android market, it requests a skyscraper-high list of special permissions. When I saw that, I immediately decided to forget about it. There's no way that it could possibly need that much information to do its job, and now it looks like it's even worse than I thought. Sucks that it leaks info like that, but kudos to Google for at least making the risk somewhat visible.

  • I don't even want Skype on my phone (LG Ally) but Verizon forces it on you along with a bunch of other crap (CityID, etc.). You can't make them not run at boot up, can't uninstall them, can't move them to the SD, etc. You can kill them with a task killer or manage apps but they start back up.
    • by h4rr4r (612664)

      Sure you can remove them. Root it and use titanium backup to remove the apps.
