A flaw in Skype for Android could let criminals harvest private information from smartphones, including the user's name and email address, contacts and chat logs, the Internet calling software maker confirmed Friday. One security researcher called it "sloppy coding" and a "disrespect for your privacy".
Last week, Justin Case, a regular contributor to the Android Police blog, disclosed that Skype on Android does not block access to a number of sensitive data files stored on the handset.
The files contain a wealth of information about the Skype account and the smartphone's owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
Case said, "Skype mistankenly left these files with improper premissions, allowing anyone or any app to read them. Not only are they accessible, but [they are] completely unencrypted".
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
On Friday, Skype acknowledged what it called a "privacy vulnerability" in its Android client. Although it promised to address the problem, it did not spell out a timetable.
As of late Sunday, the Skype app for Android had not been updated. Asher also urged users "to take care in selecting which applications to download and install" on their smartphones.
Chet Wisniewski, a security researcher at Sophos, did not think much of that advice. Instead, Wisniewski said the safest move by Android users would be to delete Skype from their smartphones.
The separate Skype Mobile on Verizon app is not affected by the privacy snafu, said Case.
The files contain a wealth of information about the Skype account and the smartphone's owner, ranging from full name and date of birth to alternate phone numbers and account balance. Also accessible, said Case, are instant chat logs and all Skype contacts.
Case said, "Skype mistankenly left these files with improper premissions, allowing anyone or any app to read them. Not only are they accessible, but [they are] completely unencrypted".
Case created an Android application that demonstrated retrieving the unsecured data, and warned that hackers could do the same.
On Friday, Skype acknowledged what it called a "privacy vulnerability" in its Android client. Although it promised to address the problem, it did not spell out a timetable.
As of late Sunday, the Skype app for Android had not been updated. Asher also urged users "to take care in selecting which applications to download and install" on their smartphones.
Chet Wisniewski, a security researcher at Sophos, did not think much of that advice. Instead, Wisniewski said the safest move by Android users would be to delete Skype from their smartphones.
The separate Skype Mobile on Verizon app is not affected by the privacy snafu, said Case.
