Skype Responds to Android Vulnerability

Tom Keating : VoIP & Gadgets Blog
Tom Keating
CTO
| VoIP & Gadgets blog - Latest news in VoIP & gadgets, wireless, mobile phones, reviews, & opinions

Skype Responds to Android Vulnerability

android-logo.jpgSkype's Chief Security Officer, Adrian Asher responded to Android Police's article on a vulnerability in the Skype for Android client. He writes:

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.


He acknowledges the need for Skype to secure the file permissions, but also basically says to take care which apps you install. But how does one know which Androids apps might be stealing Skype personal info, especially now that this exploit is out in the open? Further, he doesn't address whether Skype will be encrypting the locally cached files. Why not encrypt them? I know SQLite supports encryption, but alas, according to Google it's commercial code. Google explained back in 2008, "An encryption module for SQLite exists, but is commercial, and thus cannot be included in Android. Implementing a custom solution is obviated by the Android security model, which is based on Linux processes and prevents applications from reading each others' data and memory. In the final version, only 3 processes will be running as root, all of minimal scope. Since on-device encryption only protects the data from other programs/processes, and since our security model will achieve that, and since there is no readily available open-source encryption module for SQLite anyway, we are not implementing this at this time.

So Skype isn't necessarily at fault here, since if I read this correctly, none of the Android SQLite databases are encrypted. If anything, it sounds like this is the fault of the Android operating system for not offering encrypted databases. However, Google explains that their security model negates the need for encryption - assuming of course the application sets proper permissions on the files, which in this case, Skype failed to do. The Android is not alone in not encrypting databases. The iPhone also natively uses SQLite without encryption, though there is a tutorial how to enable encryption. Even though Android doesn't require encryption to protect each application's database, I'm surprised Android doesn't offer this option. Someone could steal someone's Android device, "root" it, and then get access to the unencrypted SQLite database directly.

In any case, Skype muffed up on the file permissions, which would have blocked access to the unencrypted database, but I can't fault them for not encrypting the SQLite database. That apparently is a "feature" of the Android operating system. smiley-undecided


Related Articles to 'Skype Responds to Android Vulnerability'
android-logo.jpg

vonage-mobile-free-calling.png
skype-send-image-android.png
Featured Events