On April 14, Android Police revealed a vulnerability in Skype for Android which would theoretically allow a malicious third-party application to get access to Skype's profile information and chat logs. Skype acknowledged the issue the next day. The vulnerability was caused by Skype storing the cached profile information with wrong file permissions and not encrypting the profile data. Today Skype announced that the issue has been fixed, so please go to the Android Market and update to the latest version. As a bonus, 3G calling is now available in the US.
There are two lessons from this story. For Android developers, the lesson is to be careful when storing users' private information. For bloggers, Android Police demonstrated how not to publicize vulnerabilities.
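The two causes named above, world-readable file permissions and unencrypted data on disk, map directly onto how an Android app writes its private files. The following is an added example written for this post, not code from Skype or from Android Police, showing the weak pattern beside the hardened one. The file name and the profile JSON are constructed placeholders; the encrypted variant assumes the androidx.security:security-crypto library is on the classpath.

```java
// Added example: storing cached profile data so that other apps on the device
// cannot read it. Not code from the original post or from Skype.
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import androidx.security.crypto.EncryptedFile;
import androidx.security.crypto.MasterKeys;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.nio.charset.StandardCharsets;

public final class ProfileCache {
    // Hypothetical file name; the real app's cache file is not named on the page.
    private static final String CACHE_FILE = "profile_cache.json";

    // WEAK: MODE_WORLD_READABLE sets the file mode so every app on the device,
    // regardless of its Linux uid, can read it. This is the class of mistake
    // the post describes. Deprecated since API 17 and rejected with a
    // SecurityException on API 24+, shown here only as the "before" case.
    @SuppressWarnings("deprecation")
    static void storeWorldReadable(Context ctx, String profileJson) throws IOException {
        try (FileOutputStream out =
                 ctx.openFileOutput(CACHE_FILE, Context.MODE_WORLD_READABLE)) {
            out.write(profileJson.getBytes(StandardCharsets.UTF_8));
        }
    }

    // BETTER: MODE_PRIVATE keeps the file readable only by this app's own uid.
    // This fixes the permission problem but the bytes are still plaintext,
    // so a rooted device or a backup still exposes them.
    static void storePrivate(Context ctx, String profileJson) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(CACHE_FILE, Context.MODE_PRIVATE)) {
            out.write(profileJson.getBytes(StandardCharsets.UTF_8));
        }
    }

    // HARDENED: private file mode plus encryption at rest. The key lives in
    // the Android Keystore, so the ciphertext on disk is useless on its own.
    static void storeEncrypted(Context ctx, String profileJson)
            throws IOException, GeneralSecurityException {
        String keyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        File target = new File(ctx.getFilesDir(), CACHE_FILE);
        EncryptedFile encrypted = new EncryptedFile.Builder(
                target, ctx, keyAlias,
                EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB).build();
        try (FileOutputStream out = encrypted.openFileOutput()) {
            out.write(profileJson.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Defensive self-check (API 21+): true if the cache file carries the
    // "other" read bit, i.e. it is readable by uids other than this app's.
    // Useful as an assertion in a debug build or an instrumentation test.
    static boolean isWorldReadable(Context ctx) throws ErrnoException {
        File f = new File(ctx.getFilesDir(), CACHE_FILE);
        int mode = Os.stat(f.getAbsolutePath()).st_mode;
        return (mode & OsConstants.S_IROTH) != 0;
    }
}
```

In an instrumentation test, calling `storePrivate` or `storeEncrypted` and then asserting that `isWorldReadable` returns false catches a regression to the world-readable pattern before it ships; the check reads the real mode bits from the filesystem rather than trusting the flag passed to `openFileOutput`.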
Android Police is one of the better Android blogs out there, and it is disappointing how they handled this issue. Justin Case, the author of the story, says that Skype was notified but didn't respond. It is unclear how long Android Police waited before publishing the story. Even if no response from Skype was received, more effort could have been put into getting Skype's attention behind the scenes. And even if publishing the story was the only way to bring attention to the issue, it was irresponsible for Android Police to include full details on how to exploit it.
In the comments to his post, Justin Case stated that he believes in full disclosure and thinks it is the only way to get big companies to act. This is not the first time such a full disclosure has happened at Android Police either: previously, full details on breaking the Android License Verification library were published. It is clear that Android Police doesn't believe in responsible disclosure, which was nicely outlined by Jeremy Ellsworth in the comments. Let's hope that as Android Police's popularity grows, their sense of responsibility grows as well.