Slashdot Mirror


Skype For Android Can Leak Data To Malicious Apps

An anonymous reader writes "It appears that Skype account information on an Android phone remains readable by all in a standard installation, at least for certain versions of Skype out in the wild. That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called, phone numbers, personal information). Skype is said to be working on a fix for what appears to be a simple file permissions issue. This sheds some more light on how much private information everybody gives away for free by just owning a phone with half a wrong chmod."

5 of 79 comments

  1. Something looks a little fishy here by bl8n8r · · Score: 3, Informative

    # ls -l /data/data/com.skype.merlin_mecha/files/jcaseap

    The dude is in as root (via adb shell?). Note the '#'. I guess he's still got a point about 666 on private files. As long as you have execute perms on the directory, you can read files tagged o+r.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  2. Goatse link by recoiledsnake · · Score: 3, Informative

    Warning, Goatse link.

    --
    This space for rent.
  3. Re:This flaw not possible in iOS by nschubach · · Score: 3, Informative

    If they store data on the small internal memory it's supposed to be private and only readable by a single app, but if you put the app on the SD card Google considers that data public:
    "The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage."
    http://code.google.com/p/android/issues/detail?id=16019

    Which, of course, I think is poor security-wise... so feel free to add your own comments and star that if you think the same. ;)

    It doesn't help that Google considers user settable security "would vastly increase the complexity associated with writing applications"
    http://code.google.com/p/android/issues/detail?id=3778#c44

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  4. Re:This is completely wrong by JustinCaseAP · · Score: 1, Informative

    To read a subdirectory under /data/ you need exec permissions on /data, but you don't have them. He was using root shell, thus the story is moot.

    Being the OP of the article, you are completely wrong. I had no problem reproducing it on stock, unrooted phones. Research, then comment. Test it? Still doubt? Once it's fixed I will release source.

  5. Someone can't read by JustinCaseAP · · Score: 3, Informative

    I'm that dude, and the POC doesn't use root. It has app level UID. I was showing the permissions with a root shell, because that is what I have adbD running as on my daily phone.
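
The permission rule argued over in the thread (a file marked o+r or o+w is only reachable by another UID if every directory above it grants o+x) can be checked mechanically. The following audit script is an added example, not code from the article or from any commenter; the function names `audit` and `demo`, and the file names and modes in the sample tree, are constructed for illustration.

```python
import os
import stat
import tempfile


def audit(root):
    """Map relative path -> 'r', 'w' or 'rw' for regular files another UID could open.

    Assumes every directory above `root` is already traversable by others.
    """
    root = os.path.abspath(root)
    findings = {}
    if not os.stat(root).st_mode & stat.S_IXOTH:
        return findings  # no o+x on the top directory: nothing below is reachable
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories without o+x; mode bits on files beneath them
        # do not matter to other UIDs because the path cannot be traversed.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue
            access = ("r" if mode & stat.S_IROTH else "") + \
                     ("w" if mode & stat.S_IWOTH else "")
            if access:
                findings[os.path.relpath(full, root)] = access
    return findings


def demo():
    """Build a constructed app-data tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {  # constructed sample: path -> mode
            "files": 0o711, "files/main.db": 0o666, "files/config.xml": 0o600,
            "locked": 0o700, "locked/cache.db": 0o666,
        }
        os.chmod(root, 0o711)
        for rel, mode in layout.items():
            full = os.path.join(root, rel)
            if "." in rel:
                open(full, "w").close()
            else:
                os.mkdir(full)
            os.chmod(full, mode)
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

In the sample tree only the 666 file under the 711 directory is reported; the 666 file under the 700 directory is not, because other UIDs cannot traverse its parent.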