Skype admits security flaw in Android app

Skype has confirmed reports that its VoIP application for Android devices contains a flaw that could give hackers access to private user information, including names, email addresses, contacts and chat logs.

Android Police first reported the flaw, which grants malicious third-party Android apps access to locally stored Skype user files.

"We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application," wrote Skype Chief Information Security Officer Adrian Asher on the company's blog. "To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device."

Data security solutions provider Sophos, however, took issue with Skype's response. "What is being called a vulnerability in the Android version of Skype could simply be written up as sloppy coding at best, or disrespect for your privacy at worst," wrote Sophos' Senior Security Advisor Chester Wisniewski on the firm's blog. "How you would implement that advice [to take care in downloading and installing apps] is difficult to know, as an application wishing to steal your Skype information doesn't require special permissions. I think the safest advice is simply to remove Skype from your Android until we can be satisfied that the problems have been resolved."

Skype's revelation follows an incident last month in which Google (NASDAQ: GOOG) discovered some 58 malicious applications in the Android Market that had been downloaded onto some 260,000 devices before Google took them off the market and invoked its "remote kill" switch to remotely erase apps from Android-powered devices infected by hidden malware.

The apps contained an exploit that had been discovered in August and was patched before the Android 2.2.2 version was released. Most Android devices were using earlier versions of the OS, however, because system updates are delivered by carriers and manufacturers rather than automatically by Google. Android devices tend to be left unprotected from this kind of exploit because the carriers and device makers don't have the same incentive to update devices after they've been purchased.

For more:
- read this Computerworld article
- see Skype's official response
