Skype Fixes Critical Android Application Vulnerability

Friday, April 22, 2011



Skype has released an updated version of the company's Android application containing a fix for a critical vulnerability, revealed last week, that would have allowed attackers to access a user's private data.

The vulnerability was disclosed by an Android Police blogger who writes under the moniker “Justin Case”.

"The exploit gains access to the file “main.db” in the Skype directory. This file holds sensitive information such as your first and last name, birthday, billing address, e-mail addresses, home and cellphone numbers. Information on all the people in your address book is accessible through the contacts database, and all stored chat logs are also accessible through the chat database. The custom app, which the Android Police named 'Skypwned,' doesn’t require root access to the phone in order to exploit Skype’s security loophole," Wired reported.

Malicious applications exploiting the vulnerability could have been distributed via the Android marketplace, potentially exposing tens of thousands of users' data.

“This means that a rogue developer could modify an existing application with code from our proof of concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in,” Android Police revealed.

The Skype team moved quickly to mitigate the privacy vulnerability and released the update within a week.

"After a period of developing and testing we have released a new version of the Skype for Android application onto the Android Market, containing a fix to the vulnerability reported to us. Please update to this version as soon as possible in order to help protect your information," wrote Adrian Asher, Skype’s chief information-security officer.

Skype believes that the vulnerability was mitigated before any malicious exploit targeted users of the Android application.

"We have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices and will continue to monitor closely. Please rest assured that we do take your privacy and security very seriously and we sincerely apologise [sic] for any concern this issue may have caused. Please ensure that you download Skype only from, or from the Android Market links on," Asher said.

As a bonus for Android users, the new version allows calls to be placed over 3G networks. Previously, Skype users in the United States were limited to using Wi-Fi connections to place calls, save for a small percentage who owned certain Verizon-issued phones. The iOS version had already allowed 3G calls for about a year.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.