
Skype security flaw allows users to bypass Android lock screen


A flaw in the videoconferencing app Skype puts users of mobile devices running Google’s Android operating system at risk of having their lock screens bypassed.
 
XDA-Developers Forum developer administrator “Pulser” said the bug appears to affect Skype version 3.2.0.6673, which was released July 1.
 
“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the ‘attacker’ is able to call the ‘victim’ on Skype,” Pulser said.
 
Among the devices Pulser listed as possibly affected are the Sony Xperia Z, Samsung Galaxy Note 2, and Huawei Premia 4G.
 
Pulser said an attacker can make a Skype call to the target device, which will cause it to wake, ring, and display a prompt on the screen to answer or reject the call.
 
When the owner of the target device answers the call, the attacker can end the call. When the target device ends the call and displays the lockscreen, the screen of the target device can be turned off using the power key – once it is turned on again, the lockscreen will now be bypassed.
 
“It will remain bypassed until the device is rebooted,” Pulser said.
 
A separate report on TechHive.com said the bug once again shows the need for additional security to protect corporate data against such flaws.
 
TechHive.com also noted Microsoft had said Skype is installed on more than 100 million Android devices worldwide.
 
“I’m actually surprised that we keep finding lock-screen vulnerabilities that are exploited by third-party applications,” it quoted Lee Cocking, vice president of strategy for mobile security firm Fixmo, as saying.
 
“To me this speaks of overall security architecture issues with the platform, or at least with how background processes such as VoIP (Voice over IP) applications interact with the platform,” he added.
 
He said the best approach is to “segregate business apps and data from consumer apps with some form of virtualization or containers that isolate the corporate side of things.” — TJD, GMA News