Slashdot Mirror

← Back to Stories (view on slashdot.org)

Skype For Android Can Leak Data To Malicious Apps

Posted by Soulskill on from the we-know-what-you're-really-doing-with-skype dept.

An anonymous reader writes "It appears that Skype account information on an Android phone remains readable by all in a standard installation, at least for certain versions of Skype out in the wild. That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called, phone numbers, personal information). Skype is said to be working to fix for what appears to be a simple file permissions issue. This sheds some more light on how much private information everybody gives away for free by just owning a phone with half a wrong chmod."

79 comments

  1. Why is this news? by Anonymous Coward · · Score: 1

    This just in, information written readable by other apps is readable by other apps!

  2. Re:I wonder... by Jeremiah+Cornelius · · Score: 1

    "Half a wrong chmod"

    What DOES that EVEN MEAN!?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  3. Re:I wonder... by WrongSizeGlass · · Score: 1

    "Half a wrong chmod"

    What DOES that EVEN MEAN!?

    It means they meant it to be one thing but it is another. The first half (intent) was correct, the 2nd half (execution/implementation) was incorrect. Therefore 'half wrong'.

  4. Um... by mysidia · · Score: 0

    That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called,

    News flash. Malicious apps are not constrained by file permissions.

    If your device is pwn3d by an app, nothing Skype does can really protect you.

    How come there wasn't an article about how Windows PCs can leak data to malicious applications? The same flaw exists in Skype for Windows. Nothing stops KeyloggerXP (or whatever) from gathering all info entered into the PC that it wants, and all files in the user's profile are (of course) owned by the same user, including the skype files, and malicious apps can change file permissions anyways, and defeat other security (by way of privilege escalation).

  5. Re:I wonder... by Jeremiah+Cornelius · · Score: 1

    Parse?

    My head bursteth asunder!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  6. Phew by tripleevenfall · · Score: 3, Funny

    I'm glad I have an android phone, lord knows I couldn't deal with those insecure iphones and blackberries ;)

    1. Re:Phew by Anonymous Coward · · Score: 0

      This is by far the biggest problem facing Android. Openness is a double edged sword.

      I hear they are working on encryption but good grief, a lot of this stuff should have been done in Android 1.0

    2. Re:Phew by JustinCaseAP · · Score: 3, Insightful

      Why does it have anything to do with the OS? The app developer more or less "chose" to share information, even if they did not do it on purpose. No reason proper permissions nor encryption could not of been used.

    3. Re:Phew by Anonymous Coward · · Score: 0

      Most mobile OS's segregate applications by default and it requires much more work on the part of the developer if they want to break that.

      Android on the other hand works more like a desktop OS, leaving most of the security details up to the developer. Not the greatest model to use with embedded mobile systems and a practically wide open app store.

      I mean I love my Android based phone because I like hacking on it but I don't consider it very secure at this point in time.

    4. Re:Phew by markkezner · · Score: 1

      You're blaming a flaw in a particular application on the OS. If this was a problem with the OS, wouldn't all apps that use SQLite be exposing their data?

      --
      Dangerous, sexy, turing complete: Femme Bots
    5. Re:Phew by bonch · · Score: 0

      It has to do with the ecosystem built on the OS; in other words, the lack of strict quality control.

  7. Re:I wonder... by ThePangolino · · Score: 1

    The problem here is not with the app store. Nor is it with Skype's developers ability to produce neat code as one may think. In this case the problem is just some Anonymous Coward's troll attempt.

    --
    My ignorance is just as good as your knowledge.
  8. Something looks a little fishy here by bl8n8r · · Score: 3, Informative

    # ls -l /data/data/com.skype.merlin_mecha/files/jcaseap

    The dude is in as root (via adb shell?).  note the '#'.  I guess he's still got a point about 666 on private files.  As long as you have execute perms on the directory, you can read files tagged o+r.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:Something looks a little fishy here by GweeDo · · Score: 1

      Yes, in his example at the bottom he is using a root shell, but the application (which is shown in the video) isn't running as root.

      --
      Unstable Apps: Our Android Apps Don't Suck
  9. Re:I wonder... by h4rr4r · · Score: 4, Interesting

    Trading liberty for safety, is that what you are suggesting?

  10. Skype permissions by Anonymous Coward · · Score: 3, Insightful

    When you open Skype in the android market, it requests a skyscraper-high list of special permissions. When I saw that, I immediately decided to forget about it. There's no way that it could possibly need that much information to do its job, and now it looks like its even worse that I thought. Sucks that it leaks info like that, but kudos to Google for at least making the risk somewhat visible.

  11. Hang on by Anonymous Coward · · Score: 0

    I'm not Android expert, but I thought each application was given their own UID and could only see their own directory. Is that not the case?

    1. Re:Hang on by geminidomino · · Score: 2

      Not when the file perms are 666 (read/write by user, group, and everyone).

    2. Re:Hang on by alostpacket · · Score: 2

      Which is also not the default, Skype set them this way on purpose. According to a comment in TFA, they use some native libraries to access those DBs that run under a different user than the app does because they are trying to obsfucate the Skype protocol. I'm not sure how true all that it but it seems logical/feasible enough.

      --
      PocketPermissions Android Permission Guide
    3. Re:Hang on by CharlyFoxtrot · · Score: 1

      Which is also not the default, Skype set them this way on purpose. According to a comment in TFA, they use some native libraries to access those DBs that run under a different user than the app does because they are trying to obsfucate the Skype protocol. I'm not sure how true all that it but it seems logical/feasible enough.

      Sounds like the sort of behavior that would cause Apple to exclude it from their AppStore. Of course, that would be evil, right ?

      --
      If all else fails, immortality can always be assured by spectacular error.
    4. Re:Hang on by geminidomino · · Score: 1

      I wasn't trying to suggest that it was an android default, I was just clearing up the permissions confusion for the AC I was responding to.

    5. Re:Hang on by alostpacket · · Score: 1

      didn't think you were, I was just adding to the info :)

      --
      PocketPermissions Android Permission Guide
  12. Re:I wonder... by nitroscen · · Score: 1

    With all the grief slashdot gives the Apple App Store, when was the last time anyone read about a malicious or flawed app leaking personal information.

    Would this really have been more detectable with Apple's approval process? It's been a while, but I've heard of apps getting passed Apple's approval process that should not have - apps that had hidden functionality even. Flaws like this probably get overlooked all the time. In fact, Android may have an advantage here. I don't know how iOs apps communicate with each other, but Android apps are sand-boxed with very specific ways they have to communicate. I'm out of date on my iOs information, though. I'd love to hear comments from some iOs developers.

  13. I don't think anyone ever claimed BB was insecure by Sycraft-fu · · Score: 2

    In fact that is one of the major selling points, they really put security at the top of the list. Extremely fine grained per app access controls, FIPS compliant encryption, secure wiping and so on. There is little to criticize in that regard, and is one of the reasons the US government loves the things so much (seriously, find a government agency that doesn't use Blackberries for all their employees).

  14. This is completely wrong by madradioctiverat · · Score: 0, Troll

    To read a subdirectory under /data/ you need exec premissions on /data, but you don't have them. He was using root shell, thus the story is moot.

    1. Re:This is completely wrong by Desler · · Score: 1

      You can't actually expect the Slashdot editors to actually know enough to filter out these crap stories, right? What's more important is that it has a catchy headline and thus will drive page and ad clicks!

    2. Re:This is completely wrong by JustinCaseAP · · Score: 1, Informative

      To read a subdirectory under /data/ you need exec premissions on /data, but you don't have them. He was using root shell, thus the story is moot.

      Being the OP of the article, you are completely wrong. I had no problem reproducing it on stock, unrooted phones. Research, then comment. Test it? Still doubt? Once its fixed I will release source.

    3. Re:This is completely wrong by Petron · · Score: 1

      I believe madradioctiverat's goal was to get a Goatse link out there. Not post something true.

      --
      if (it != oneThing) it = another;
    4. Re:This is completely wrong by CharlyFoxtrot · · Score: 1

      You can't actually expect the Slashdot users to actually know enough not to respond to a goatse troll, right ?

      --
      If all else fails, immortality can always be assured by spectacular error.
    5. Re:This is completely wrong by JustinCaseAP · · Score: 1

      Ah thanks, I learned long ago not to click comment links, so I didn't follow it

  15. Re:I wonder... by Anonymous Coward · · Score: 0

    No, more like trading a "feature" that is not really a feature for 99% of users for a more secure app store that has far more commercial support than Android especially when it comes to games, multimedia, etc.

  16. Mod Up by Kamiza+Ikioi · · Score: 1

    I completely disagree with you and Apple, but it is a valid point to raise.

    --
    I8-D
  17. Re:I wonder... by MightyYar · · Score: 1

    Trading liberty for safety

    LOL, I don't think Ben Franklin was talking about toys.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  18. Goatse link by recoiledsnake · · Score: 3, Informative

    Warning, Goatse link.

    --
    This space for rent.
  19. Re:I don't think anyone ever claimed BB was insecu by h4rr4r · · Score: 2

    And they let tinpot dictators read your texts and IMs.

    Oh wait, that sounds not that good on second though.

  20. Re:I wonder... by h4rr4r · · Score: 1

    I bet more than 1% of android users have some sort of emulator installed or other app that would not be approved on the app store. Flash is another good example. That sorta kills your 99% number.

  21. This flaw not possible in iOS by SuperKendall · · Score: 1

    Would this really have been more detectable with Apple's approval process?

    No, because a permission based flaw is not possible in IOS, the directory your application goes into is not readable by other applications. It's not something the app sets up, but the system.

    However I'm not convinced this is a flaw in Android either, I thought it sandboxed apps in the same way.

    A potential flaw that may still exist in Android is if you have apps installed on external storage like an SD card - then I am not sure if the contents are really sandboxed.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:This flaw not possible in iOS by nschubach · · Score: 3, Informative

      If they store data on the small internal memory it's supposed to be private and only readable by a single app, but if you put the app on the SD card Google considers that data public:
      "The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage."
      http://code.google.com/p/android/issues/detail?id=16019

      Which, of course, I think is poor security-wise... so feel free to add your own comments and star that if you think the same. ;)

      It doesn't help that Google considers user settable security "would vastly increase the complexity associated with writing applications"
      http://code.google.com/p/android/issues/detail?id=3778#c44

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    2. Re:This flaw not possible in iOS by SuperKendall · · Score: 1

      "The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage."

      That's what I thought although I kept hoping it was not true. That to me seems like a huge, huge oversight since there are many Android devices that basically force you to install apps on external media. It's only a matter of time before you start to see cross-app attacks where code infects other apps, or pulls what should be private data from them. I wonder how much stuff Android banking apps store locally... at least most of that would probably be encrypted. With a key the app held that could also be looked up.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:This flaw not possible in iOS by Spykk · · Score: 1

      Which, of course, I think is poor security-wise... so feel free to add your own comments and star that if you think the same. ;)

      Removable media generally uses FAT for portability. How exactly do you intend to store permissions information? What happens when you put your SD card in your computer and copy some files to it?

    4. Re:This flaw not possible in iOS by nschubach · · Score: 1

      You don't have to store permissions information on the file system. Just create a symlink in the internal storage to the appdata folder on the SD Card. Heck, you could call the directory /external and when the dev needs to save something on the SD card they just save it to 'external' which would symlink to /sdcard/data/appname If the user ever decides to change where the app stores it's data, update the symlink.

      The developer would then only have to do:
      FileWriter f = new FileWriter("external/myFile.txt"); // ...that would create the file on the SD Card.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    5. Re:This flaw not possible in iOS by adolf · · Score: 1

      Removable media generally uses FAT for portability. How exactly do you intend to store permissions information?

      UMSDOS.

      What happens when you put your SD card in your computer and copy some files to it?

      Is this a trick question?

      --
      Kid-proof tablet..
    6. Re:This flaw not possible in iOS by jrumney · · Score: 1

      Skype doesn't allow installing on the SD Card (at least the version I tried and promptly uninstalled a few months ago due to it being a resource hog and a battery drain), so even if your hypothetical permission problem for apps installed on SD exists, I don't think it is the problem here. Skype seems to not really be written as an Android app, but as a native app with a thin Android wrapper. I suspect that is the real problem - the install asks for a bunch of permissions that the app should not really need, since the app has not been designed to fit into the Android sandbox from the start.

  22. Re:I wonder... by h4rr4r · · Score: 1

    Maybe you use it as a toy, some of us do real work on these devices. I doubt Ben would have been a huge fan of people not being able to use tools they bought.

  23. Re:I wonder... by MobileTatsu-NJG · · Score: 1

    Maybe you use it as a toy, some of us do real work on these devices.

    Then you value not spewing your business's data to strangers, right?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  24. Re:I wonder... by h4rr4r · · Score: 1

    When did I say business data was on the phone?

    I do not use skype, and frankly would rather go without a smartphone than have one I cannot control.

  25. Re:I wonder... by MobileTatsu-NJG · · Score: 1

    When did I say business data was on the phone?

    I must have misunderstood "doing real work" on your phone, my apologies.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  26. Whoooooosh detector by tripleevenfall · · Score: 2

    Is there an app that detects sarcasm?

    1. Re:Whoooooosh detector by CCarrot · · Score: 1

      Is there an app that detects sarcasm?

      How about one that detects puns?

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  27. Really Annoying on Verizon by Is0m0rph · · Score: 1

    I don't even want Skype on my phone (LG Ally) but Verizon forces it on you along with a bunch of other crap (CityID, etc.) you can't make them not run at boot up, can't uninstall them, can't move them to the SD, etc. You can kill them with a task killer or manage apps but they start back up.

    1. Re:Really Annoying on Verizon by h4rr4r · · Score: 1

      Sure you can remove them. Root it and use titanium backup to remove the apps.

    2. Re:Really Annoying on Verizon by Anonymous Coward · · Score: 0

      Great...except what if your phone can't be rooted. Some of the Android phones are getting some pretty crazy lockdown and it continues to become more difficult to root those phones. (I personally will be looking to make sure I CAN root my phone before I buy my next one.)

    3. Re:Really Annoying on Verizon by h4rr4r · · Score: 1

      You answered your own question already it looks like. All phones can currently be rooted. Replacing the kernel on some phones is not possible, but you can always make an kernel module so that you can chainload another kernel. Replacing the kernel is not needed to gain root, only for custom roms.

    4. Re:Really Annoying on Verizon by Is0m0rph · · Score: 1

      I will definitely do that after the warranty is through. The LG Ally can be rooted easily and use new kernels but unfortunately they also seem to break frequently. I'm on phone #3 and my wife's is on #3. Rebooting issues and the ear piece going out seem to be frequent issues.

  28. im going to take away your unix card by decora · · Score: 1

    chmod is a unix command to modify file permissions.
    android is based on unix(linux).
    the android chmod doesnt work properly.

    1. Re:im going to take away your unix card by Jeremiah+Cornelius · · Score: 1

      I know both of these things - I first used chmod about 1981.

      The sentence doesn't make sense.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:im going to take away your unix card by CCarrot · · Score: 1

      I know both of these things - I first used chmod about 1981.

      The sentence doesn't make sense.

      How about replacing "half a wrong chmod" with "a half-assed implementation of chmod". Better?

      I agree, the description in the summary is goofed.

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    3. Re:im going to take away your unix card by Jeremiah+Cornelius · · Score: 1

      I might be thick, but I'm not stupid. :-)

      I think your explanation is beginning to help me figure this out. With arguments of 7,6,5, or 0 in three positions? I wondered if they meant someone stuck a wrong digit in a command - but that would still be a ridiculous way to say it.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  29. Someone can't read by JustinCaseAP · · Score: 3, Informative

    I'm that dude, and the POC doesn't use root. It has app level UID. I was showing the permissions with a root shell, because that is what I have adbD running as on my daily phone.

    1. Re:Someone can't read by Anonymous Coward · · Score: 0

      Why would anyone install your POC app without you providing source for it?

      Also, encryption is useless if the user has decided to root their phone. It's only a superficial defense.

  30. Re:I wonder... by h4rr4r · · Score: 1

    My real work involves tools like ssh, the data stays on the servers bucko.

  31. it just plain sucks by Anonymous Coward · · Score: 0

    twice I tried to use it for a conference call and the app was so bad it made me wonder why it was even released. Crashes, sporadically refuses to let me answer calls,... so never mind it being insecure, it just plain sucks.

  32. Re:I wonder... by MobileTatsu-NJG · · Score: 1

    My real work involves tools like ssh, the data stays on the servers bucko.

    And this whole thing isn't giving you pause for thought at all?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  33. Re:I wonder... by Wovel · · Score: 1

    So just your private keys will be leaking into other apps. Good show bucko.

  34. Oh noes! Linux has the same bug! by Anonymous Coward · · Score: 0

    Holy shit, you guys, I just checked the source code for Linux and it turns out that files with read permission set can also be accessed by anybody there. Somebody better fix this bug fast!

  35. Re:I wonder... by h4rr4r · · Score: 1

    I don't keep those on the SD card, dimmy.

  36. Re:I don't think anyone ever claimed BB was insecu by lgw · · Score: 1

    Yes, that's probably another reason governments like these things - well spotted!

    --
    Socialism: a lie told by totalitarians and believed by fools.
  37. Re:I wonder... by h4rr4r · · Score: 1

    Considering this is about data on the SD card and I don't keep keys there, no it does not.

  38. Seems like phones more secure than desktops by Anonymous Coward · · Score: 0

    On a desktop OS (be it Win or Linux), every app can read any data belonging to any other app... you just get protection between users.
    And I have not heard many people complaining about it.

    While I give kudos to Android for allowing for greater isolation, is it really needed?

    Igor

    1. Re:Seems like phones more secure than desktops by praxis · · Score: 1

      That depends on what you mean by the phrase "data belonging to any other app".

      You haven't heard people complaining about it because most programs have gotten pretty good at storing user data in non-world-readable directories. The mentality is finally becoming a bit more mainstream that "apps" store user data in the user's non-world-readable folder. When they deviate, people start to take notice. Contrast this with 10 years ago where on Windows--while such protections were available--they required knowledgeable configuration and many "apps" were written with assumptions that such protections were not exercised and could not run in sanely configured environments.

      So, these days, on the desktop most "apps" can read "data belonging to any other app", but no one complains or cares because the data they *do* care about is stored in a location with more sane access controls. When "apps" deviate these days, they generally get called out on it.

  39. Re:I wonder... by MightyYar · · Score: 1

    some of us do real work on these devices

    Okay, I've seen "Odd Jobs". Some people have weird jobs and I don't doubt your claims that you get work done on a toy. Some people make money setting up model railroads, too. But for most, I still stand by my assertion that it's a toy. It is certainly designed as a toy. That you can use it as a tool is great, and yeah, for you maybe Ben's advice holds. For the other 99.999% of the smartphone buying public, applying Franklin's statement is very inappropriate.

    As an aside, Ben never got to see microelectronics or mass production. Ben lived in the day where a reasonably educated elite could have a firm grasp of every single scientific book published at the time. It was almost an expectation in some circles. Of course Ben wouldn't be "a huge fan" of people not being to use tools they bought... in his day, anyone could learn to build or alter the tool.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  40. its like half-wrong potato chips by decora · · Score: 1

    half-wrong button holes, half-wrong tube socks.

    i thought everyone knew what these meant!

    1. Re:its like half-wrong potato chips by Jeremiah+Cornelius · · Score: 1

      Half-wrong button holes?

      Is that when you have part of a petunia on your lapel, when the rest of the swells at Epsom are sporting gardenias?

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:its like half-wrong potato chips by decora · · Score: 1

      what is a swell at epsom? what does that even mean?

    3. Re:its like half-wrong potato chips by Jeremiah+Cornelius · · Score: 1

      :-)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  41. Re:I don't think anyone ever claimed BB was insecu by Anonymous Coward · · Score: 0

    Yes, various middle eastern governments can securely monitor all your traffic. And the only thing different from the western governments is that they're admit they're doing it.

  42. Re:I wonder... by node+3 · · Score: 1

    Liberty? Apple isn't a government. You don't sign away any rights to them. Things like iPhones and iPads let you do *more* with them than you could do without them. How does liberty come into play at all?

  43. Re:I wonder... by node+3 · · Score: 1

    Doubtful. But also mostly irrelevant. There's no way even 10% of Android users have an emulator installed (emulators are allowed in the App Store, btw), and out of all reasonably potential customers, the 99% number is quite reasonable.

    Anyway, even if it's 90%, the point is still valid.