Posted: April 14
Last Updated: June 5th, 2012

Update #1: Skype is investigating the issue, we've been told.

Update #2: Skype's official first response can be found here.

The safety of our personal information is often a concern of mine - who has my email address, my phone number, my date of birth? How can I keep my private information safe while still enjoying the internet? These concerns have prompted me to take a deeper look at Android apps more than once, and often this can yield some frightening information.

On April 11, a leaked version of Skype Video hit the web and, having a Thunderbolt, I had to try it. My first impressions were positive: it worked and ran smoothly. My next reaction was, you guessed it: let's take it apart. What I discovered was just how poorly this app stores private user data.

I quickly came up with an exploit, and I was in shock at just how much information I could harvest. Everything was available to the rogue app I created, without the need for root or any special permissions.

Surely, only this leaked beta build was vulnerable, or so I thought. But upon examining the standard version of Skype for Android (which has been available since October 2010) I discovered the same vulnerability - meaning this affects all of the at least 10 million users of the app.

Just a side note, the "Skype Mobile for Verizon" version of the app appears unaffected at this time.

How Does This Work?

Inside the Skype data directory is a folder with the same name as your Skype username, and it's here where Skype stores your contacts, your profile, your instant message logs, and more in a number of sqlite3 databases.

# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
-rw-rw-rw- app_152  app_152    331776 2011-04-13 00:08 main.db
-rw-rw-rw- app_152  app_152    119528 2011-04-13 00:08 main.db-journal
-rw-rw-rw- app_152  app_152     40960 2011-04-11 14:05 keyval.db
-rw-rw-rw- app_152  app_152      3522 2011-04-12 23:39 config.xml
drwxrwxrwx app_152  app_152           2011-04-11 14:05 voicemail
-rw-rw-rw- app_152  app_152         0 2011-04-11 14:05 config.lck
-rw-rw-rw- app_152  app_152     61440 2011-04-13 00:08 bistats.db
drwxrwxrwx app_152  app_152           2011-04-12 21:49 chatsync
-rw-rw-rw- app_152  app_152     12824 2011-04-11 14:05 keyval.db-journal
-rw-rw-rw- app_152  app_152     33344 2011-04-13 00:08 bistats.db-journal

Skype mistakenly shipped these files with improper permissions: every file is mode 666 and every directory mode 777, so any user or any app on the device can read (and write) them. Not only are they accessible, they are completely unencrypted.

But how does another app find this directory if it doesn't know the username? Skype stores the username in a static location, shared.xml, so a rogue app only has to parse that file for the <Default> element to learn the username and, from it, the path to Skype's stored data.

# ls -l /data/data/com.skype.merlin_mecha/files/shared.xml
-rw-rw-rw- app_152  app_152     56136 2011-04-13 00:07 shared.xml

# grep Default /data/data/com.skype.merlin_mecha/files/shared.xml
      <Default>jcaseap</Default>

The most interesting file one can gain access to is main.db. The Accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.

The Contacts table holds similar information on friends, family and anyone else in your contact list (that is, more than Skype exposes publicly about other users). Moving further along, the Chats table holds your instant messages - and that's just the tip of it. Scary.

This means that a rogue developer could modify an existing application with code from our Proof of Concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in. While the exploit can't steal your credit card info, the data it's harvesting is still clearly very private (chat logs linked back to your real name, address, and phone number).

Imagine if Google accidentally leaked all of your Google Talk logs along with your e-mail address, name, and phone number - such a breach might cause a mass user exodus, not to mention a federal inquiry.

How Can Skype Fix This?

First, they can use proper file permissions (keeping the data private to the app's own user ID, as Android does by default); second, they should implement some type of encryption scheme for the data at rest; and third, they need to have their applications reviewed for security issues prior to release.
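The first of those fixes can be checked mechanically. The script below is an added example, not code from the Android Police post, from Skype, or from the proof-of-concept app: a POSIX shell audit that lists every file or directory under an app's data directory that other UIDs (that is, other apps) can read or write, plus a function that strips those bits, the same idea as the chmod hotfix a commenter posts further down the page. It assumes the layout shown in the listing above and, because it runs offline, builds a constructed stand-in tree with the same 666/777 modes instead of touching /data/data/com.skype.merlin_mecha/files; on a handset the audit function would be run as root from adb shell against that directory.

```shell
#!/bin/sh
# Added example (not from the Android Police post or from Skype): audit an
# app's private data directory for files other UIDs can read or write, and
# optionally tighten them. On a device this runs as root (adb shell) against
# /data/data/<package>/files; here it runs against a constructed sample tree.
set -u

# Build a constructed stand-in for the Skype data directory using the modes
# the article's listing shows (666 files, 777 directories), plus one file
# that is already private and must NOT be reported.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/files/jcaseap/chatsync"
    printf '<Default>jcaseap</Default>\n' > "$dir/files/shared.xml"
    : > "$dir/files/jcaseap/main.db"
    : > "$dir/files/jcaseap/config.xml"
    : > "$dir/files/private.db"
    chmod 700 "$dir/files"
    chmod 666 "$dir/files/shared.xml" "$dir/files/jcaseap/main.db" \
              "$dir/files/jcaseap/config.xml"
    chmod 777 "$dir/files/jcaseap" "$dir/files/jcaseap/chatsync"
    chmod 600 "$dir/files/private.db"   # correctly private: not world-accessible
    echo "$dir"
}

# List every file or directory under $1 whose mode grants read (004) or
# write (002) to "other", i.e. to any other UID and therefore any other app.
# Octal -perm tests are portable across GNU, BSD and busybox/toybox find.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 \) -print | sort
}

# Number of world-accessible entries under $1 (0 means the tree is private).
count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Strip other-read/write/exec from everything under $1. The app's own UID
# keeps full access, so this is the device-owner stopgap, not the real fix.
tighten() {
    find "$1" -exec chmod o-rwx {} +
}

# Stand-alone demo: build the sample tree, report, tighten, report again.
demo_dir=$(make_sample_tree)
echo "World-accessible before tightening:"
world_accessible "$demo_dir"
tighten "$demo_dir"
echo "World-accessible after tightening (should be empty):"
world_accessible "$demo_dir"
rm -rf "$demo_dir"
```

The octal -perm tests (004 is other-read, 002 is other-write) behave the same on GNU, BSD and the BusyBox/toybox find found on Android images, and avoid the a+r versus o+r mix-up a commenter describes below. A chmod after the fact is only a stopgap for a device owner; the proper fix is on the developer's side, creating the files private to the app's UID in the first place, and the thread notes that Skype's own code re-set the mode on a couple of files, so any hotfix needs re-checking after the app has run.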

NOTE: Android Police has published this information regarding a specific security vulnerability in the "Skype" app for Android in good faith, as a matter of general public concern. The "Proof of Concept app" is provided only for demonstrative purposes.

You can see just how wide-open your private data is by downloading this proof of concept application, which will display some (note: not all) of the information that the vulnerability would allow a less than savory individual to gather:

Download Proof of Concept app

Justin Case
Justin Case is a 30yr old father of four. He has an ever changing array of Android devices, and an eye for mobile security.
  • David Ruddock

    If anyone got a "this video is private" error - refresh the page and try again. YouTube isn't being cooperative this morning.

    • leaf911

      I don't get why people are being rude. You have no reason to be rude. Go be an a.hole to Skype customer service or w.e. The author of this story is doing his job.
      PS: big ups to the author and Android Police.

    • TheGaryHat

      I felt pretty secure when I downloaded the POC demo, tried to install it and my anti-virus software stopped it. Whoo hoo... all is not lost! Peace

      • jcase

        Which AV is detecting it? A little overboard considering it's not malicious.

  • David

    So instead of contacting Skype you make it public to show the "bad" developers how to capitalize on it? Smart.

    • David Ruddock

      We've contacted Skype (and did so before publication), and have yet to receive a response.

      • David

        Oh ok, that makes it better to publicize it then. /sarcasm

        • Pit

          Right, because it's really the guy's fault who discovered the vulnerability and is concerned for all the users out there, not those guys', who published their app with it.

          You'd probably prefer the pilot of a crashing plane telling you 'Everything's fine', too.

    • jcase

      Just because I did not mention contacting Skype does not mean it did not happen. They were contacted. Publishing details of vulnerabilities normally results in faster fixes.

      http://en.wikipedia.org/wiki/Full_disclosure

      • David

        I understand, showing terrorists how to build nuclear bombs usually allows for the army to act faster.

        I don't see where publicizing any vulnerability helps anyone. I'm sure Skype is working on a fix just for you to show the masses how to exploit it.

        • jcase

          Do you really think no one else found this? It is not that difficult, and I would bet on others having found this as well.

          Many examples exist of companies ignoring such things until they are made public.

          http://www.itwire.com/business-it-news/security/25559-hypervm-boss-hangs-himself-after-exploit-damages-100000-websites

        • denis

          David, you are a moron.

        • Colin

          ...

          /facepalm

        • Mark

          Sooooooooooo....you'd rather have everyone be TOTALLY ignorant and unaware of this exploit and keep using the app like nothing is wrong than for people to be aware and quickly uninstall and block it while Skype works on a fix?

          The Bible says not to call someone a fool so I'll call you an IDIOT!!

      • David

        I'm just saying two wrongs don't make a right.

        • http://www.AndroidPolice.com Artem Russakovskii

          So... if Skype doesn't respond and nobody publishes the vulnerability, then... it should just stay up and we all go on with our days and forget the whole thing? Until a malicious hacker actually finds it and releases an app that steals your email, your contact list, and your chat logs?

    • paul jacobs

      Ohh, you mean how everyone does the same for Windows, Apple, Linux, Unix and other OSes out there. What is the point of your post? Just to start an OS war? If so, save it.

  • Jonny

    hehehe

    • Kane

      Maybe you should read the whole post before posting idiotic comments.

      The full Market version is vulnerable just as well.

      • http://www.AndroidPolice.com Artem Russakovskii

        Just to clarify: Jonny's comment stated that it only affected the leaked Skype version, which isn't true.

    • jcase

      "It is a leaked version u moron.
      It is not a complete version"

      Was Jonny's original comment.

      So Jonny, I pointed out it works on both. I think you owe me an apology.

  • CoZ

    Looks like I'm not starting that APP any time soon on my Thunderbolt then.... *groan*

    • jcase

      I'm sure it will be patched shortly.

  • weincube

    I just uninstalled and I'm looking forward to more info. Good looking out. Thank you.

    • jcase

      I personally kept Skype installed, expecting an update soon.

  • Concerned

    So, if we uninstall Skype, will it delete the problem files, or will this data remain exposed on the phone?

    • jcase

      It will delete them, but I am not recommending that you uninstall Skype, that is your decision.

      I am being careful of what else I install (as always) and awaiting a fix.

  • the truth

    Always said Skype sucks. And I'm sure this "vulnerability" appears in more than just Skype. I think you would be a rich man if you went through the Android Market finding "vulnerabilities" in applications.

    • jcase

      It does appear, and I have been contacting companies, and publishing such things for a year now.

  • irtechneo

    Great find! I know you mean well but I have to agree with most of the posters. I think it was good to make the information public; however, actually publishing the code a rogue developer would need and then creating an app to do it is going too far. I personally would have left that information out of the article and just sent it to Skype. I know you do awesome stuff for the community Justin so keep at it and again thank you.

    • jcase

      We actually did not publish the code, and I took steps to obfuscate the POC.

      I appreciate your very sensible response, even with it being different than my opinion.

      Thank you for taking time to read my post.

      • irtechneo

        My apologies. I guess that proves I am not a developer and don't know much if anything about coding (my only programming experience was with VB 6.0 a LONG time ago). Hopefully this will force the hand of Skype now. Thanks for replying!

        • jcase

          No worries, before last year my main experience was VB 3.0 :D

        • Coldman

          Yeah, the proof of concept app is only used to demonstrate the issue is reproducible without root - no code seems to be public in the article. It's what you see in the video but can try out for yourself on your own device.

  • http://twitter.com/benmarvin Ben Marvin

    I don't use Skype, but I wouldn't be surprised if many other apps leave personal data vulnerable.

    Didn't the first version of the Paypal app keep some data on your phone in plain text format?

  • Mark

    Thanks for the heads up. I've removed Skype from my handset until this is resolved.

  • Richard Yarrell

    Great information, you're great and I appreciate it.

  • David

    Could we please try and cut the inflammatory headlines.

    • thegreattaurus

      Agreed. This is poor coding. I doubt Skype is the only one vulnerable to poor coding.

      • jcase

        No they are not, and we have exposed poor coding before, and will again. However these were very serious mistakes, that even a rookie developer would avoid.

    • http://www.AndroidPolice.com Artem Russakovskii

      Wow, yet another David with a negative comment, what is this, the Davids Against Android Police day? (IP/email different from the first David)

  • motormz

    Is there an android police news app in the market or amazon market?

    • http://www.AndroidPolice.com Artem Russakovskii

      Not yet, but there will be one soon. You'll hear about it if you follow us :)

      • Ali

        Will the Android Police app notify you if any of the vulnerabilities apply to software installed on your handset?

        • http://www.AndroidPolice.com Artem Russakovskii

          No, it won't - we're not a security blog but we do post security bulletins when we find things.

  • Ben

    Thanks for the heads up!
    Looking forward to a Skype update :)

  • chris

    Shouldn't, due to Android's security features/sandboxing, no other application be able to access another application's data directory by default?

    This article is misleading then.

    If this is not handled properly by Android, it's not Skype to be blamed.

    • __sporkbomb

      You said it. "by default", not "if an application sets it to a+r" - which is what Skype did.

  • __sporkbomb

    I just tested a very short "hotfix" (find files/ -perm -a+w -type f -exec chmod a-w {} \; find files/ -perm -a+r -type f -exec chmod a-r {} \;) that makes those files inaccessible for other apps, but apparently there is a reason for them to have it world readable.

    The reason being that they use a native library (it's Skype, they have so far successfully obfuscated _nearly_ all of their internal protocol) to work with these files, and apparently it's run with the permissions of some other user (as in, not with the permissions of the Skype app). You can't log in anymore if you executed the commands above, so better not copy-paste and try them ;)

  • __sporkbomb

    Since I can't edit my comment anymore:
    I'm an idiot who confuses a+r with o+r... ;_;

    It actually works if you write it the right way.

    If you do a
    find files/ -perm -o+w -exec chmod o-w {} \;
    find files/ -perm -o+r -exec chmod o-r {} \;
    in the Skype folder, it makes these files inaccessible for the PoC.

    Skype resets the permissions on files/skypekit and files/trackball_lights, apparently, but the rest of the files are unreadable.

  • http://www.google.com the Dude

    ...ooorrrrr to get around this issue entirely..

    buy an iPhone. Job done.

    No Viruses. No Spam. And Skype WORKS.

    /obvioustroll.

    • jeremy

      lol, what a douche

  • Maave

    Thanks for the fix _sporkbomb, I'll be using that fix on a few phones.

  • Joseph

    Thanks for the update and hopefully Skype addresses ASAP!

  • Touch

    I have the perfect answer to this problem.

    Here goes...

    Buy an iPhone!!!!

    There... Said it... Whew!!! Things do indeed get better when you get out!!!

  • John Caruso
    • jcase

      Wow tmcnet's write up is a load of crap.

      • http://www.AndroidPolice.com Artem Russakovskii

        +1. This has nothing to do with sqlite internal encryption - data can be encrypted outside of the database and stored encrypted.

  • Nargg

    It's not a Skype issue, it's an Android issue. iOS and WP7 both protect data so other programs can't access it. Android does not. So if you don't value your personal data, use Android. Plain and simple.

    • jcase

      Actually, you are utterly wrong. Android does protect data so other programs can't access it, unless you set it so (either on purpose, or by mistake).

      If an iOS/WP7 app stored data in a way that was publicly accessible, would you blame iOS/WP7 or the app developer?

      • Bob

        If iOS and WP7 prevent apps from reading other apps' data and Android doesn't, then NARGG's point should not be dismissed or taken lightly. If someone knows for sure, prove it.

  • Johnny

    Thanks for the heads up! Good to see someone who is vigilant and not afraid to get some bad comments for the greater good.

  • http://edanto.com Eoin Ryan

    Excellent work, thank you for publicising this. Skype emailed me (and all other customers I presume), and I'm demanding an update soon.

    Of all the applications, Skype should certainly have had their app tested properly - they make a lot of profit from it and have no reason to be this careless in development.

    My opinion would be that they should hire the author to redesign the app and organise 3rd party security testing.

  • Mike

    I've been a long time Skype user on the desktop and continue to pay for a phone subscription. But I have to say, this just burns me up to no end. I'm sure, like many of you, I got an email from the chief information security officer talking about how they take privacy very seriously. It's obvious that THEY DON'T, and what the hell is he doing all day long that he can release an app that is this vulnerable?

  • Andrew Daviel

    This is a storm in a teacup. It's not like someone can easily hack millions of Skype users' personal ID, it's just that the app does not protect the user's profile against other programs run by the same user.

    There is, I admit, a mistake in that the profile can be read by other users on the same computer, but how many people have multiple user accounts on their phone? I'm not sure it's even possible unless you jailbreak it.

    I don't know of a single program that actually saves PII securely, with the exception of the Firefox password store when using a master password.

    The fix would require a user to enter a passphrase (different for every app, of course) to run any application that stores personal information. That would include Office, phototagging software, browsers, IM clients - probably half of all modern software.

    I'm not even sure that would be foolproof - I'm not sure our operating systems or CPUs can protect one process's active memory against other processes running as the same userid. It's basically trying to design a malware-resistant computer, that is still safe when it's infected.

    As a workaround, you can install multiple encrypted containers, and configure each app so that the profile is stored in the container. Painful, but I've done it for Firefox on a desktop.

    • Doucher

      So because the vulnerability doesn't affect millions of people simultaneously, they should be excused for hanging our private data out in the wind? I would just like to point out that in that wall of text, "I'm not sure" and "I don't know" come up quite a bit. Seems to be a theme.

  • dc!

    So how exactly this vulnerability is exclusive to Android?

    The same goes on with Windows version (4.2 at least) and, likely, Linux and MacOSX versions as well. Anyone with current user privileges can access unencrypted SQLite3 data stored in AppData\Roaming\Skype directory.

    • http://www.AndroidPolice.com Artem Russakovskii

      It's normal for Windows programs to be able to access data on disk, but it's abnormal for Android apps to be able to access data from other programs in situations where it should be specifically prohibited. The security model on Android protects against this kind of stuff and Skype breaks it in the most ignorant of ways.

      • dc!

        So. For Windows versions where there are many more users and many more possible attack vectors, storing plaintext of sensitive data is still considered normal?

        This doesn't compute...

  • Travis Munden

    Justin Case, it's highly unlikely that a 27yo father of four capable of reverse engineering an Android application has never heard of "RESPONSIBLE DISCLOSURE."
    Since you are writing under a fake name, you are most likely attempting to create a market, which you will then exploit by offering a software product or security service under your real name.
    10 MILLION PEOPLE have every reason to be angry with you, and to hold you partially or indirectly responsible for any loss of personal data resulting from your lack of "RESPONSIBLE DISCLOSURE".
    Allow me to now remove any doubt that you and your group are fully aware of the requirements of "RESPONSIBLE DISCLOSURE" from this point forward, here is a short passage from wikipedia, and I invite you to read the entire passage under the title of
    "RESPONSIBLE DISCLOSURE"
    Also, we would ask that you reveal your REAL NAME so that we can verify that "you" are not just publishing these stories to create a market for yourself at the expense of 10 million people.
    >>>
    Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched ***before*** publishing the details. Developers of hardware and software often require time and resources to repair their mistakes.
    <<<

    • Doucher

      You have no idea what you're talking about. Yeah, he is offering a security service AND informing Skype of the vulnerability so they can patch it, thus eliminating the need for him to "create a market". Some people are so stupid they shouldn't be allowed to speak.

      • jcase

        You're right, Travis Munden (real name or fake?) has no clue at all.

        Actually, I offer no such services related to Android at all, beyond a few simple apps that are free (or have free versions available). Anything I do related to Android is out of my own pure curiosity, and if it is worth sharing I do.

        I am not making enough to cover my costs off Android.

    • jcase

      Uhh, I mentioned full disclosure, not responsible, but speaking of responsible disclosure, I attempted to contact Skype without a response. Just because something is not mentioned in the article doesn't mean it didn't happen or doesn't exist.

      Asshat.

      I make no profit from anything remotely related to mobile security. In fact, if you dig around, you will see me telling people to send "my" donations to the homeless or the boys and girls club.

      Who is "we", and who are you? Give me a reason to give you my real name.

    • jcase

      Also, let's see if your name is real, because no one named Travis Munden is showing up in public records for any town near your IP address.

      Hiding behind a proxy or fake name? Why am I suspicious for protecting my privacy, but you are not?

  • http://validandroid.com validAndroid

    Oh, too bad. I am looking forward to a fix ASAP, let us know when you have more info.
    Thanks a lot.

  • DistortedLoop

    @jcase - I'm familiar with your Thunderbolt contributions (THANKS SO MUCH FOR THEM, especially the root!) on xda-developers, and fully support your publishing this vulnerability to make us aware of it.

    After hearing this story on a podcast, it occurred to me that a user with a rooted phone could change permissions on the Skype folders/files to add a layer of security until an official fix comes out, so I sought your original post here to see if you had mentioned that. While you allude to it in the article, you don't give specifics.

    Sadly, I had to read through all the immature troll comments to find a comment that actually gives the solution. Fortunately, @__sporkbomb gives the answer on 4/15 5:515 AM, and my thanks to him for sharing.

    I suggest that the original blog post be edited to include those instructions to make it easier for others to find them.

  • Jon Dough

    Assuming there is some user of the Droid platform that also uses skype who is from MA, then the app and the developers have violated 201 CMR 17, the MA privacy legislation.

  • Jeremy Ellsworth

    While Travis Munden's method of phrasing his thoughts is less than ideal, he is basically correct to direct you to that very widely accepted model of fault disclosure. In summary:
    1) Discover vulnerability
    2) Notify vendor
    3) Wait a reasonable period of time for the vendor to respond (depending on severity -- in this case, I would have waited five days or so)
    4) If the vendor responds, and is responding cooperatively, come to an agreement on a date of general full disclosure, taking into account when the vendor can reasonably expect to release a full patch to all of its customers.
    5) On the agreed-upon date, disclose the details of the vulnerability, along with a full history of your communications with the vendor (note that this history can still be added to your post above, if you'd like to slow down the complaints on that front). If the vendor hasn't yet released a patch, it might be nice to check with them to see if they need more time before the vulnerability is disclosed.

    There's no doubt that there's value in full disclosure, but the good guys need to help the other good guys first, rather than putting a large portion of their very own readership at risk until the vendor is able to respond. I'm glad someone found the issue, for sure, but there are accepted methods of handling these situations.

    On an unrelated note, it could perhaps be considered irresponsible to look up the IP address of someone leaving a comment, solely to use it to generate tenuous counterarguments. And it could also be considered immature to call someone an "asshat" in the comments of your own otherwise well-written blog post; at least, it's not how I would go about generating respect for my own writing.

    • Jeremy Ellsworth

      Oh, and as for when the vendor doesn't respond in a reasonable amount of time -- well, I'd say all bets are off then.

    • doucher

      That was a very well thought out argument. A little "holier than thou" for my taste. However, you can skip your entire summary because anybody with half a brain has already uninstalled Skype's app, thus negating your entire argument. If it makes you feel any better, I find authors of smug comments such as yours to be "asshats" as well.

      • jcase

        I've never hidden the fact that I am an asshat as well. Being one allows me to know others when I see them.

    • jcase

      I don't agree with that model of disclosure, but I am trying it now with another "large" company exposing full unencrypted login credentials, and have gotten no response, not even automated, in the last week.

      Advanced notification rarely works in my experience. In fact, only one company has ever replied and actually done anything after being notified by me.

      I did not post his IP or expose anything about him other than the fact he was posting under a made-up name, demanding my "real name". AKA he was trolling.

  • Andy

    If your surname was Case, would you call your son Justin? Your parents must hate you!

    • jcase

      Justin Case is not my real name, and I never claimed it to be. It's just a joke that some people take too seriously.

  • http://www.lowerpriceusa.com Meg

    Wow, good to know! Thanks for bringing this to our attention.

  • Moroni

    How did you get them to fix this so quickly? Skype on my phone hangs on "signing in" since forever and no one there seems to care.

  • Rod Davis

    Isn't this exactly how Skype for Windows stores everything? So technically the same thing could happen with a malicious Windows app as well.

  • http://@_eliasalberto Elias

    So, has this exploit already been fixed? Or you guys just discovered the exploit, showed it to the world and forgot about demanding a fix from Skype?