There are no guarantees of security in the digital world, although certain measures and best practices can minimize the risk of a breach. Users who love to Skype over their Android-powered devices should take note: a security loophole found in Skype for Android creates the very real danger of someone bypassing the device’s lockscreen.
Apparently, the Skype for Android application carries a bug that allows the pre-loaded Android lockscreen (pattern, PIN or password) to be bypassed without too much of a hassle, but only if the device remains logged into Skype when the "attacker" calls the "victim" on Skype.
How Is This Security Loophole Reproduced?
You will need a couple of Skype accounts as well as two separate devices that run Skype. The target phone is presumed to have an Android lockscreen that has been configured and is in use, and it remains locked at the start of the test.
1. Initiate a Skype call to the target device, which will cause it to wake, ring, and display a prompt on the screen to answer or reject the call.
2. Accept the call on the target device using the green answer button on the screen.
3. End the call from the initiating device (i.e. the device used to call the target phone).
4. The target device will end the call, and should display the lockscreen.
5. Turn off the screen of the target device using the power key, and turn it on again.
6. The lockscreen will now be bypassed. It will remain bypassed until the device is rebooted.
The test was performed with Skype version 188.8.131.5273 (which was released on July 1, 2013) on different Android-powered devices such as the Sony Xperia Z, Samsung Galaxy Note 2, and Huawei Premia 4G.
Granted, it will be a whole lot more difficult in real life for someone with malicious intent to do this on purpose to gain access to your phone, but the possibility still remains. We do hope that the folks over at Skype and/or Google will be able to issue a fix for this security compromise sooner rather than later. Of course, I guess you can say that this is pretty minor compared to word of an Android Master Key that compromises 99% of all Android-powered devices out there.
Source: Full Disclosure