The year 2018 taught us a lot about the security of our personal data -- namely, that social networks may harvest it and sell it to political groups who can use it to manipulate your decisions at the voting booth -- and perhaps 2019 will teach us more about the security of the devices where that data is located.
Today, The Register reports on a Skype for Android security flaw discovered by Kosovar bug researcher Florian Kunushevci, who determined that an incoming Skype call doesn't trigger the operating system's lock screen security mechanisms. At the ripe age of 19, Kunushevci is single-handedly finding loopholes that evade entire teams of highly paid experts who may be twice his age.
And he didn't even have to mess with programming code. He simply noticed that an incoming Skype call gives you access to the entire Skype app no matter what method you use to lock your Android device's screen, and full access to the internet if the call contains a link that you can open in a web browser.
Although this bug only affects Skype and whatever web browser you open from within it, the implications are pretty serious, as it reveals a lack of checks and balances within Android itself. While The Register reports that Microsoft was notified of the issue in October and created a patch December 23, one might wonder how the operating system doesn't appear to notice that a basic security mechanism is not being activated.
With this bug present, someone can access your Skype account and its photos, texts and call logs just by being in possession of your phone at the time of an incoming Skype call. If they know your Skype number as well, they can use this info to trigger the bypass themselves. So certain conditions have to be met to exploit the flaw -- but they also require much technical knowledge.
FOLLOW Download.com on Twitter for all the latest app news.
Either way, it can take a few weeks for a patch to roll out, so you might not have the update yet. If you open the Google Play product page for Skype on your Android device, and the "What's New" section says "Last updated Dec 11, 2018," then you do not have the fix. You need the update that came out December 23.
If you don't have the update, and you're concerned about your security or privacy, you may want to consider uninstalling Skype until the December 23 patch appears on the product page as viewed on your phone. In the meantime, alternatives include WhatsApp, Facebook Messenger and Instagram. And if you don't need group video chat support, then there's always the free Google Duo.
- A Kosovar bug researcher recently discovered that the Android version of Skype lets incoming calls bypass the lock screen and grant full access to the app.
- If a call contains a link to a website, that link can also be tapped on to open and gain control of the device's web browser.
- Microsoft patched the flaw on December 23, but the update may not have rolled out to your device yet.
- Microsoft adds live captions and subtitles to PowerPoint and Skype
- Skype now lets you record and save your audio and video calls
- Microsoft's Office Web Apps to offer voice dictation to help people with dyslexia
- How to make Skype calls using Alexa (CNET)
- Microsoft Teams is killing it in the business chat market (ZDNet)
- Microsoft 2018 year in review: The 10 biggest headlines (TechRepublic)