Reddit user Ponkers posted an interesting find to /r/Android today, pointing out a significant privacy hole in Skype that essentially allows users to force an Android device to answer a call, making eavesdropping nearly effortless.
Ponkers drew a diagram below, which I feel compelled to include based on its artistic merits, but here’s the gist of how the process works.
Assume you have three devices, device 1, device 2, and device 3. There are also two Skype accounts involved: account A and account B. Device 1 and device 3 are attached to account A. Device 2 is attached to account B.
If the holder of account A uses device 1 to call device 2 and then cuts off device 1's network connection, device 2 automatically calls and connects to device 3, giving the holder of account A a live connection to device 2 without the owner of device 2 necessarily knowing.
Skype thinks that the users want to be connected and that the lost network connection is a mistake, so it tries to fix the situation by reconnecting the two. Under normal circumstances, if both parties have willfully connected to a call, this kind of behavior would be welcome, as it would ensure that any interruptions in the conversation are minimal. The issue is that this can happen before the party receiving a call has accepted it. From what users have deduced so far, the bug seems to be specifically related to how Skype’s Android app connects calls.
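The failure described above comes down to a call-recovery rule that does not check whether the callee ever accepted the call. The following is an added toy model, not Skype's code and not anything Ponkers posted: it assumes a service that, when one side of a call loses its network, looks for another online device on the lost side's account and bridges to it. With `require_accept=False` it reproduces the three-device scenario from the post; with `require_accept=True` the same recovery logic is gated on the callee having explicitly accepted, which keeps the useful reconnect behaviour for real conversations while closing the hole.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()      # a call is offered but the callee has not accepted
    CONNECTED = auto()    # audio flowing; the callee explicitly accepted


@dataclass
class Device:
    name: str
    account: str
    online: bool = True
    state: CallState = CallState.IDLE
    peer: Optional[str] = None   # name of the device on the other end of the call


class CallService:
    """Hypothetical call service with automatic call recovery (assumed model).

    require_accept=False: recover a call even if it was still ringing
    (the behaviour the post describes).
    require_accept=True: never auto-recover a call the callee has not accepted.
    """

    def __init__(self, devices: List[Device], require_accept: bool):
        self.devices: Dict[str, Device] = {d.name: d for d in devices}
        self.require_accept = require_accept
        self.log: List[str] = []

    def call(self, caller: str, callee: str) -> None:
        a, b = self.devices[caller], self.devices[callee]
        a.state = b.state = CallState.RINGING
        a.peer, b.peer = b.name, a.name
        self.log.append(f"{caller} calls {callee}: ringing")

    def accept(self, callee: str) -> None:
        b = self.devices[callee]
        a = self.devices[b.peer]
        a.state = b.state = CallState.CONNECTED
        self.log.append(f"{callee} accepted call from {a.name}")

    def drop_network(self, name: str) -> None:
        d = self.devices[name]
        d.online = False
        self.log.append(f"{name} lost network")
        if d.peer is not None:
            self._recover(self.devices[d.peer], lost=d)

    def _recover(self, survivor: Device, lost: Device) -> None:
        if self.require_accept and survivor.state is not CallState.CONNECTED:
            # Hardened rule: a call nobody accepted is simply abandoned.
            survivor.state, survivor.peer = CallState.IDLE, None
            self.log.append(f"{survivor.name}: unanswered call abandoned")
            return
        # Recovery path: find another online device on the lost peer's account
        # and bridge to it. Without the check above this runs while still ringing,
        # so the callee's device is connected without anyone pressing "answer".
        for cand in self.devices.values():
            if cand.account == lost.account and cand.online and cand is not lost:
                survivor.state = cand.state = CallState.CONNECTED
                survivor.peer, cand.peer = cand.name, survivor.name
                self.log.append(f"{survivor.name} auto-connected to {cand.name}")
                return
        survivor.state, survivor.peer = CallState.IDLE, None
        self.log.append(f"{survivor.name}: no recovery target, call ended")


def run_scenario(require_accept: bool) -> CallService:
    """Devices 1 and 3 on account A, device 2 on account B, as in the post (constructed)."""
    svc = CallService(
        [Device("device1", "A"), Device("device2", "B"), Device("device3", "A")],
        require_accept=require_accept,
    )
    svc.call("device1", "device2")   # device 2 rings; nobody has accepted
    svc.drop_network("device1")      # caller vanishes before acceptance
    return svc


if __name__ == "__main__":
    for flag in (False, True):
        print(f"require_accept={flag}:")
        for line in run_scenario(flag).log:
            print("  " + line)
```

The point the model makes is that reconnect-on-network-loss is a reasonable feature, and the fix is not to remove it but to make the state machine distinguish "ringing" from "connected" and only recover calls in the latter state; a service that also records the auto-connect event in a user-visible call log would give the device owner a way to notice it after the fact.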