iSkoot Transmits Your Data In The Clear

Reading time ~1 minute

Various people are thinking that Skype Mobile is basically an unbranded iSkoot, which does the same thing in much the same way. Generally speaking, they seem to do the same thing, but they do it very differently. Packet traces don't lie.

I loaded up iSkoot on my Nokia N95 and accessed the iSkoot service via WiFi. I did this so I could capture what the iSkoot client was sending out so I could see the difference. And oh, boy was it different--different enough that I would think twice about using iSkoot.

First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob--exactly what I expected to see.

iSkoot uses TCP port 80--the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this that your text chat messages--and lots of other interesting information, including your Skype credentials--is being transmitted in the clear. That's right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.

Until iSkoot fixes this problem--and it would be very easy for them to do so (ever hear of SSL?)--I cannot in good conscious recommend using iSkoot.

UpdateIssue is resolved in their latest Symbian/S60 client.

An Updated Word About Competition in the Information Security Industry

A year ago, I had written a post about competition in the informationsecurity space, of which I work as a part of for a vendor that has b...… Continue reading