Microsoft buys Skype. What does that mean for security?

Editor’s note: Since this article was first published, it has been confirmed that Microsoft has agreed to buy Skype.

If you were paying attention to the rumour-mill last week, you may have heard the story that either Facebook or Google might well be about to buy Skype.

Scrub that story.

Today’s rumour is that Skype may be about to be acquired by Microsoft. The Wall Street Journal headlined the deal as “near”, and quoted a price between seven and eight billion dollars.

The WSJ cautions, though, that the deal may end up with a value of $8.5 billion when Skype’s long-term debt is taken into account. (When I was in primary school, I thought it was pretty nifty that a negative multiplied by a negative became positive. But nowhere near as nifty as an economist’s trick of adding in a great raft of debt and describing it as increasing value.)

For those not familiar with Skype, it’s an interesting sort of beast – loosely speaking, it’s an internet telephone company without much of a telephone company. Much of its operation is peer-to-peer, so that much of its bandwidth and infrastructure – not unreasonably, you must agree, for its free services – is provided directly by the users of the service.

One uncertainty – indeed, to some, it’s a controversy – about Skype’s proprietary software is whether it includes any sort of “lawful interception” system.

Most countries require landline and mobile phone operators to provide a vehicle by which duly-authorised law enforcement agents can intercept calls on their networks. Indeed, phone carriers spend a lot of money maintaining lawful interception systems, something which is as useful to law enforcement as it is worrying to privacy.

But since most Skype calls are peer-to-peer, and encrypted end-to-end, Skype isn’t a traditional phone carrier. Either it doesn’t have a lawful interception capability – which could be considered unfair to mainstream phone companies, who have to provide one – or, one can argue, it must contain some sort of network-independent backdoor – which could be considered a serious security risk.

So, if the Microsoft deal goes ahead, what’s likely to happen from a software and a security point of view? Here are my guesses:

* The Linux version of the Skype software will wither and die.

* The OS X version of the Skype software may wither and might die.

* Microsoft will add some sort of lawful interception system into the Skype software, assuming there isn’t one already. But they’ll be honest about doing so.

* You’ll need to get a Windows LiveID to create a Skype account.

* Skype will come under greater scrutiny from cybercrooks keen to find saleable vulnerabilities.

* Skype for Windows will come under the Microsoft Active Protections Program, which will balance out or defeat problems caused by the previous issue.

Of course, so far this is just rumour and speculation. And Microsoft’s official comment on rumour and speculation is that it doesn’t comment on rumour and speculation.

Skype for Android leaks sensitive data

What is being called a vulnerability in the Android version of Skype could simply be written up as sloppy coding at best, or disrespect for your privacy at worst.

Justin Case at Android Police did some poking around when he found a leaked beta version of Skype that will allow video conferencing on Android devices.

He discovered that just about all the information in your Skype profile, except for your credit card number and password, was stored insecurely by the application.

This allows any application on your phone to simply read or copy that information wherever it likes, without any special “root” access or other trickery.

Case thought that this must only be the case for this pre-release copy, but to his dismay it is configured the same way in the current production releases of the Skype for Android product (except the Verizon version).

Case created a proof-of-concept application to demonstrate the weakness in Skype’s security. His application can show you your name, address, account name, phone numbers and contacts (and their details) all without any special permissions.

Worse yet, information like your instant messaging chat logs is fully available as well. His application doesn’t show those, but none of the Skype data stored on Android handsets appears to be encrypted.
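The leak described above is consistent with an app writing its data files so that other packages on the handset can read them. The following is an added illustration, not Skype’s code or Android Police’s proof of concept; the class and file names are hypothetical and it assumes the weakness is world-readable file permissions, which the article does not state outright.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical helper contrasting the weak and the corrected way of storing
// profile data in an Android app's private directory.
public final class ProfileStore {
    private static final String FILE_NAME = "profile.txt"; // constructed name

    // Weak pattern: MODE_WORLD_READABLE (deprecated since API 17) places the
    // file under the app's own directory, yet any other installed package can
    // open it. No permission is declared, so the user is never prompted.
    @SuppressWarnings("deprecation")
    public static void saveWorldReadable(Context ctx, String profile) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(FILE_NAME, Context.MODE_WORLD_READABLE)) {
            out.write(profile.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Corrected pattern: MODE_PRIVATE creates the file owned by the app's own
    // Linux uid and readable only by it, so another app cannot read it without root.
    public static void savePrivate(Context ctx, String profile) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(profile.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Remediation for files an earlier release already wrote: strip read and
    // write access for everyone else, then restore it for the owner only.
    // Returns how many files were tightened.
    public static int hardenExistingFiles(Context ctx) {
        File[] files = ctx.getFilesDir().listFiles();
        if (files == null) {
            return 0;
        }
        int tightened = 0;
        for (File f : files) {
            boolean ok = f.setReadable(false, false) && f.setReadable(true, true)
                      && f.setWritable(false, false) && f.setWritable(true, true);
            if (ok) {
                tightened++;
            }
        }
        return tightened;
    }
}
```

Storing the data privately stops other apps reading it, but it is not encryption: a rooted device or a backup of the partition still exposes the plaintext, which is the separate point the article makes about chat logs.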

Skype responded on Friday stating that they intend to fix the vulnerabilities as soon as possible, and that in the meantime Android users should be careful what applications they load on their phones.

How you would implement that advice is difficult to know, as an application wishing to steal your Skype information doesn’t require special permissions.

I think the safest advice is simply to remove Skype from your Android until we can be satisfied that the problems have been resolved.

Controlling mobile devices is going to be a significant challenge for the next few years, and it isn’t just about malware. This type of situation makes one wonder about the Skype for iOS application.

It also makes you wonder whether it is safer in Apple’s App Store. Has Apple done a thorough enough check on their 100,000+ applications, including Skype, to know that data isn’t leaking here, there and everywhere?