Skype has released a new version of Skype for Android that resolves the configuration issues that left sensitive data exposed on Android smartphones. You should update Skype for Android to the current version as soon as possible to make sure your data is protected.
Last week, researchers at Android Police revealed that the Skype for Android app left sensitive data on the smartphone exposed for easy access. A proof-of-concept app called Skypwned demonstrates how simple it is to extract private data from the hole left by Skype without requiring any additional username, password, or permissions.
Gunter Ollmann, vice president of research for Damballa, explains that the Skype for Android app fails to implement any encryption or file security to protect the data stored on the smartphone. It is not a vulnerability per se, but rather a configuration error that doesn't adhere to established security best practices. Skype dropped the ball.
Ollmann went on to clarify, though, that this problem is not necessarily unique to Skype. "Many applications on Android (and Android is not unique) fail to adequately store personal data at rest. Ideally file permissions should be used to protect data stored on the device from being accessed by other 'unauthorized' applications."
Armando Orozco, Webroot threat analyst, agrees, "I'm sure there are a lot of developers reviewing their code after this news. This likely isn't unique to Skype; it's just the first big name to be found with the vulnerability."
Encryption of stored data is also highly recommended. However, Ollmann says that the heavy mathematics processing involved in encrypting and decrypting data taxes the smartphone and can seriously impact battery life and performance. App developers have to strike a balance that secures sensitive information without adversely affecting the smartphone experience to the point that users simply won't use the app.
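The file-permission safeguard Ollmann describes can be checked mechanically. The following is an added example, not code from Skype or from this article: a Python sketch that walks an app's data directory, reports every entry that other user IDs can access, and then restricts the tree to owner-only. The directory layout and file names are constructed for illustration and are not Skype's.

```python
import os
import stat
import tempfile

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH  # rwx for every other UID

def audit_tree(root):
    """Return {relative_path: mode_string} for entries other UIDs can access."""
    exposed = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
            if not stat.S_ISLNK(st.st_mode) and stat.S_IMODE(st.st_mode) & OTHER_BITS:
                exposed[os.path.relpath(path, root)] = stat.filemode(st.st_mode)
    return exposed


def harden_tree(root):
    """Strip group/other access: 0700 on directories, 0600 on files."""
    os.chmod(root, 0o700)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, 0o700 if os.path.isdir(path) else 0o600)


def build_sample_tree():
    """Build a constructed sample data directory (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    layout = {
        "databases/contacts.db": 0o666,     # world-readable and world-writable
        "shared_prefs/account.xml": 0o644,  # world-readable
        "cache/thumb.bin": 0o600,           # owner only: the intended state
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()  # empty placeholder file
        os.chmod(path, mode)
        os.chmod(os.path.dirname(path), 0o755 if mode & OTHER_BITS else 0o700)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", audit_tree(root))
    harden_tree(root)
    print("after:", audit_tree(root))
```

On Android each app runs under its own user ID, so the "other" permission bits are what decide whether a second app on the device can open these files.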
In a blog post announcing the availability of the updated app, Skype stresses that it takes privacy seriously and apologizes once again for allowing data to be exposed. The good news, according to Skype, is that there are no reports of third-party malicious apps exploiting the hole left by Skype. Of course, it is entirely possible that it has happened, or is happening right now, and it just hasn't been discovered yet.
Skype cautions users to only download the Skype for Android app directly from skype.com or the official Google Android Market to avoid any attempts to capitalize on the attention to trick users into downloading a rogue malicious Trojan version to "fix" the problem.