
#FF00AA


16 apr. 2011

“Privacy vulnerability in Skype for Android”

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

Bear in mind that, on a PC or a Mac, any application can access Skype’s chat logs. I have no expectation that they might be encrypted — Adium’s logs aren’t, Mail’s data isn’t, and so on. But the difference is, you actively avoid installing malicious apps on your Mac or PC.

Over the last fifteen years we’ve all learned the absolute rule of “Don’t run that, you’ll get a virus!” Even civilians know it: worms can’t count on users launching executables anymore, they have to exploit browser vulnerabilities. Yet it took only a couple years of iOS sandboxing for everyone to completely forget that basic principle when it comes to their smartphones: they’ll install anything, any time, assuming that the worst that can happen is they’ll just have to delete the app.

Even though that assumption is never entirely right (even with a non-jailbroken iPhone — there’s no risk of an app accessing another app’s data, but we’ve had apps uploading the user’s address book to the cloud without asking), mostly it is. You shouldn’t forget how afraid we used to be of executables, and don’t need to be anymore — you know, the next time you want to bitch about how the iPhone is locked down and the App Store is closed.
