Skype For Android Can Leak Data To Malicious Apps
An anonymous reader writes "It appears that Skype account information on an Android phone remains readable by all in a standard installation, at least for certain versions of Skype out in the wild. That allows another potentially malicious app to know everything about you that Skype knows (contacts, history of whatever you've chatted about or who you called, phone numbers, personal information). Skype is said to be working on a fix for what appears to be a simple file permissions issue. This sheds some more light on how much private information everybody gives away for free by just owning a phone with half a wrong chmod."
I'm glad I have an Android phone, lord knows I couldn't deal with those insecure iPhones and BlackBerrys ;)
# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
The dude is in as root (via adb shell?). Note the '#'. I guess he's still got a point about 666 on private files. As long as you have execute perms on the directory, you can read files tagged o+r.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Trading liberty for safety, is that what you are suggesting?
When you open Skype in the Android Market, it requests a skyscraper-high list of special permissions. When I saw that, I immediately decided to forget about it. There's no way that it could possibly need that much information to do its job, and now it looks like it's even worse than I thought. Sucks that it leaks info like that, but kudos to Google for at least making the risk somewhat visible.
In fact that is one of the major selling points, they really put security at the top of the list. Extremely fine-grained per-app access controls, FIPS-compliant encryption, secure wiping and so on. There is little to criticize in that regard, and it is one of the reasons the US government loves the things so much (seriously, find a government agency that doesn't use BlackBerrys for all their employees).
Not when the file perms are 666 (read/write by user, group, and everyone).
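The two points raised above (666 on the files, plus o+x on the directory being what actually lets another UID reach them) are easy to check mechanically. The script below is an added example written for this thread, not code from the article or from Skype; it parses the kind of `ls -l` output shown in the adb shell listing and reports which regular files a process running under a different UID could read or write. The two listings it runs on are constructed samples with made-up names and modes, chosen to show the 666 case and the locked-directory case.

```python
import re

# Regex for one Android-toolbox style `ls -l` line: type char, nine rwx chars,
# then owner/group/size/date fields we ignore, then the file name as the last token.
MODE_RE = re.compile(r"^([-dlcbps])([rwxsStT-]{9})\s+.*?\s(\S+)$")

# Constructed sample (not from the article): an app data directory with o+x set
# and two database-style files left at 666, next to one file that is correctly 600.
SAMPLE_LISTING = """\
drwxr-x--x app_152  app_152           2011-04-14 10:02 .
-rw-rw-rw- app_152  app_152     20480 2011-04-14 10:02 main.db
-rw-rw-rw- app_152  app_152      8192 2011-04-14 10:02 config.xml
-rw------- app_152  app_152       512 2011-04-14 10:02 shared.xml
"""

# Constructed sample: same 666 files, but the directory denies traversal to 'other',
# so another UID cannot open them even though the file bits look bad.
LOCKED_LISTING = """\
drwx------ app_152  app_152           2011-04-14 10:02 .
-rw-rw-rw- app_152  app_152     20480 2011-04-14 10:02 main.db
"""


def mode_bits(perm: str) -> int:
    """Turn the nine-character rwx string from `ls -l` into its octal permission bits.
    Lower-case s/t mean setuid/setgid/sticky on top of an execute bit, so they count as x;
    upper-case S/T mean the execute bit is clear."""
    bits = 0
    for i, ch in enumerate(perm):
        if ch in "rwxst":
            bits |= 1 << (8 - i)  # index 0 is owner-read (0o400) ... index 8 is other-exec (0o001)
    return bits


def parse_listing(listing: str):
    """Return a list of (type_char, mode, name) for every parseable line of the listing."""
    entries = []
    for line in listing.splitlines():
        m = MODE_RE.match(line.strip())
        if m:
            ftype, perm, name = m.groups()
            entries.append((ftype, mode_bits(perm), name))
    return entries


def exposed_entries(listing: str):
    """Return (name, octal_mode, problems) for each regular file that a process under a
    different UID could read or write. A file only counts if the directory itself grants
    'other' the execute (traverse) bit; if the '.' entry is absent we assume it does."""
    entries = parse_listing(listing)
    dir_mode = next((m for t, m, n in entries if t == "d" and n == "."), None)
    dir_traversable = dir_mode is None or bool(dir_mode & 0o001)
    results = []
    for ftype, mode, name in entries:
        if ftype != "-":
            continue
        problems = []
        if mode & 0o004:
            problems.append("world-readable")
        if mode & 0o002:
            problems.append("world-writable")
        if problems and dir_traversable:
            results.append((name, oct(mode), problems))
    return results


if __name__ == "__main__":
    for label, listing in (("sample", SAMPLE_LISTING), ("locked", LOCKED_LISTING)):
        print(label)
        for name, mode, problems in exposed_entries(listing):
            print(f"  {name} {mode}: {', '.join(problems)}")
```

On the first listing the script flags main.db and config.xml as both world-readable and world-writable; on the second it flags nothing, because without o+x on the directory the file bits alone do not give another app a path to the data. The same parser works on any `ls -l` output pasted from an adb shell, root or not, since reading the directory listing is all it needs.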
Warning, Goatse link.
This space for rent.
And they let tinpot dictators read your texts and IMs.
Oh wait, that sounds not that good on second thought.
If they store data on the small internal memory it's supposed to be private and only readable by a single app, but if you put the app on the SD card Google considers that data public:
"The SD card system is intended to be a shared resource that all apps can access. The functionality you described is the purpose of internal (app private) storage."
http://code.google.com/p/android/issues/detail?id=16019
Which, of course, I think is poor security-wise... so feel free to add your own comments and star that if you think the same. ;)
It doesn't help that Google considers user-settable security "would vastly increase the complexity associated with writing applications"
http://code.google.com/p/android/issues/detail?id=3778#c44
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Is there an app that detects sarcasm?
Which is also not the default, Skype set them this way on purpose. According to a comment in TFA, they use some native libraries to access those DBs that run under a different user than the app does because they are trying to obfuscate the Skype protocol. I'm not sure how true all that is, but it seems logical/feasible enough.
PocketPermissions Android Permission Guide
I'm that dude, and the POC doesn't use root. It has app-level UID. I was showing the permissions with a root shell, because that is what I have adbd running as on my daily phone.