Skype For Android Can Leak Data To Malicious Apps
An anonymous reader writes "It appears that Skype account information on an Android phone remains readable by all in a standard installation, at least for certain versions of Skype out in the wild. That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called, phone numbers, personal information). Skype is said to be working on a fix for what appears to be a simple file permissions issue. This sheds some more light on how much private information everybody gives away for free by just owning a phone with half a wrong chmod."
Something looks a little fishy here (Score:4, Informative)
The dude is in as root (via adb shell?). Note the '#'. I guess he's still got a point about 666 on private files. As long as you have execute perms on the directory, you can read files tagged o+r.
Goatse link (Score:4, Informative)
Warning, Goatse link.
Re:This flaw not possible in iOS (Score:4, Informative)
If they store data on the small internal memory it's supposed to be private and only readable by a single app, but if you put the app on the SD card Google considers that data public:
"The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage."
http://code.google.com/p/android/issues/detail?id=16019
Which, of course, I think is poor security-wise... so feel free to add your own comments and star that if you think the same. ;)
It doesn't help that Google considers that user-settable security "would vastly increase the complexity associated with writing applications".
http://code.google.com/p/android/issues/detail?id=3778#c44
Re:This is completely wrong (Score:1, Informative)
To read a subdirectory under /data/ you need exec permissions [goo.gl] on /data, but you don't have them.
He was using root shell, thus the story is moot.
Being the OP of the article, you are completely wrong. I had no problem reproducing it on stock, unrooted phones. Research, then comment. Test it? Still doubt? Once it's fixed I will release source.
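Two comments above make the same point from opposite directions: a file is only reachable by another uid when it is o+r and every directory on the path down to it is o+x (search permission), so a 666 file inside a 711 directory leaks, while the same file behind a 700 directory, or under a /data without o+x, does not. The script below is an added example written for this page, not code from the thread, from Skype or from Android; it reproduces that rule by reading mode bits from ls -ld rather than by trying to open the file, so the answer is the same whether it is run as root or not. The directory tree it checks is constructed on the fly with hypothetical names (leaky, private, noexec, config.xml), not Skype's real paths; on Android each app runs as its own uid, so "other" here means "every other installed app".

```shell
#!/bin/sh
# Added example (not from the Slashdot thread, Skype or Android): decide whether
# a file is readable by a different uid the way the kernel decides it.
# Rule: the file must be o+r AND every directory on the path must be o+x.

# world_readable ABSOLUTE_PATH [TOP] -> prints "yes" or "no"
# Ancestors are checked up to and including TOP (default "/"), so a test can
# audit a tree relative to its own base directory.
world_readable() {
    f=$1
    top=${2:-/}
    [ -e "$f" ] || { echo no; return 0; }

    # ls -ld prints e.g. "-rw-rw-rw-"; columns 8-10 are the "other" bits
    perm=$(ls -ld -- "$f" | cut -c1-10)
    case $perm in
        ???????r??) ;;              # other has read on the file itself
        *) echo no; return 0 ;;
    esac

    # walk up the tree: each ancestor needs o+x ("x", or "t" = x plus sticky)
    d=$(dirname -- "$f")
    while :; do
        perm=$(ls -ld -- "$d" | cut -c1-10)
        case $perm in
            ?????????[xt]) ;;
            *) echo no; return 0 ;;
        esac
        if [ "$d" = "$top" ]; then break; fi
        d=$(dirname -- "$d")
    done
    echo yes
}

# make_fixture -> prints the path of a constructed tree with three layouts of an
# app data directory (hypothetical names, not Skype's real paths):
#   leaky/    711, config.xml 666 -> the situation the story describes
#   private/  700, config.xml 600 -> what app-private storage should look like
#   noexec/   700, config.xml 666 -> o+r file, but the directory blocks the path
make_fixture() {
    base=$(mktemp -d)
    # mktemp creates the base 0700; give it o+x so it stands in for an app data
    # directory that other uids can traverse.
    chmod 711 "$base"
    for sub in leaky private noexec; do
        mkdir "$base/$sub"
        printf '<account user="example"/>\n' > "$base/$sub/config.xml"
    done
    chmod 711 "$base/leaky";   chmod 666 "$base/leaky/config.xml"
    chmod 700 "$base/private"; chmod 600 "$base/private/config.xml"
    chmod 700 "$base/noexec";  chmod 666 "$base/noexec/config.xml"
    echo "$base"
}

# Stand-alone run: report each case relative to the fixture base, then clean up.
demo_base=$(make_fixture)
for sub in leaky private noexec; do
    printf '%-8s world-readable: %s\n' "$sub" \
        "$(world_readable "$demo_base/$sub/config.xml" "$demo_base")"
done
rm -rf "$demo_base"
```

Only the leaky layout reports "yes"; the fix on the app side is to create files 600 inside a 700 directory (what Android's MODE_PRIVATE gives you), and the same check pointed at a real app data directory tells you whether an installed app got that wrong, without needing to be root to read the file.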
Someone can't read (Score:3, Informative)