Garage & Updates

Learn about the newest features, products and client updates for all platforms


API access authorization revisited

On October 19, I blogged about a change in the way Skype for Windows handles the attempts from new programs trying to access the public API. The change was implemented in Skype for Windows 3.6.0.159 (beta), released on October 24.

Since then, we’ve received a lot of developer feedback, and continued our internal discussions as well. Based on this additional input, we’ve reached a different solution which I’ll describe in detail below. Having a better solution at hand also means that this interim change will be rolled back and the upcoming gold release of Skype for Windows 3.6 will handle the API access requests exactly as the earlier versions did.

The new solution, for which we don’t have a fixed release date yet, is based on adding a central blacklist and a central whitelist to the already-present local API access control list (ACL). What happens when an application tries to connect to the Skype client API depends on which list — if any — the application is on, and whether the user has already allowed or denied it to use the API.

How will this work?

  • First (for all API connection attempts), the central blacklist is checked. If the application is centrally blacklisted, it will not be allowed to access the Skype client API, and the user will be notified.
  • Then (for applications that are not blacklisted centrally), the local ACL is checked to see whether the application is already known to the user. If so, it will be allowed or denied access to the API according to the user’s choice, and no warnings will be displayed. This is identical to how it works with the earlier versions of Skype.
  • Third (for applications that are new to the user and not centrally blacklisted), the central whitelist is checked. If the application is whitelisted, it will be given access to the API and marked as “allowed” in the local ACL. No warnings will be displayed to the user, but the user may later deny the application API access via Tools – Options if he so wishes.
  • Finally (for applications that are new to the user but neither blacklisted nor whitelisted centrally), an event notification will be generated, and the user can then open the “old-style” API access authorization dialog by clicking on the missed event flag.
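The four checks above, as an added example that is not Skype's own code: every function and variable name here is hypothetical, the "executables" are constructed byte strings, and the lists are keyed by the SHA-256 of the executable, which is how the author describes the central lists in his reply in the comments.

```python
import hashlib
from enum import Enum

class Decision(Enum):
    DENIED_BLACKLISTED = "denied: centrally blacklisted, user notified"
    ALLOWED_BY_USER = "allowed: local ACL"
    DENIED_BY_USER = "denied: local ACL"
    ALLOWED_WHITELISTED = "allowed: centrally whitelisted, recorded in local ACL"
    PENDING_USER = "pending: event notification raised"

def exe_id(image: bytes) -> str:
    """Identify an executable by the SHA-256 of its bytes."""
    return hashlib.sha256(image).hexdigest()

def authorize(image, blacklist, whitelist, local_acl):
    """Apply the four checks in the order the post lists them.
    local_acl maps exe id -> True (allowed) / False (denied) and is updated
    in place when a whitelisted application is seen for the first time."""
    key = exe_id(image)
    if key in blacklist:                 # 1. central blacklist always wins
        return Decision.DENIED_BLACKLISTED
    if key in local_acl:                 # 2. the user's earlier choice
        return Decision.ALLOWED_BY_USER if local_acl[key] else Decision.DENIED_BY_USER
    if key in whitelist:                 # 3. central whitelist, new to the user
        local_acl[key] = True
        return Decision.ALLOWED_WHITELISTED
    return Decision.PENDING_USER         # 4. unknown: wait for the user

def demo():
    # Constructed sample "executables"; real input would be the file's bytes.
    certified = b"MZ certified-headset-helper v1"
    patched = certified + b"\x90"        # same program, one byte changed
    known_bad = b"MZ known-bad-sample"
    user_denied = b"MZ tool-the-user-rejected"
    blacklist = {exe_id(known_bad)}
    whitelist = {exe_id(certified), exe_id(user_denied)}
    acl = {exe_id(user_denied): False}
    results = {
        "known_bad": authorize(known_bad, blacklist, whitelist, acl),
        "user_denied": authorize(user_denied, blacklist, whitelist, acl),
        "certified_first": authorize(certified, blacklist, whitelist, acl),
        "certified_again": authorize(certified, blacklist, whitelist, acl),
        "patched": authorize(patched, blacklist, whitelist, acl),
    }
    return results, acl

if __name__ == "__main__":
    print(demo())
```

The `user_denied` case shows that an existing local deny takes precedence over the central whitelist, and the `patched` case shows that a single changed byte drops a whitelisted program back to the user-prompt path.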

What’s in it for users?

  • Increased security — malicious software will no longer be able to easily fire coordinated mouse clicks into the API access authorization dialog.
  • Increased ease of use — Skype Certified software and drivers for Skype Certified hardware will “just work” without the API access dialog ever popping up.

12 thoughts on “API access authorization revisited”

  1. cwichura said 2027 days ago

    Please consider adding an option for the user to disable step three, where the whitelist is checked, thus forcing step four to occur. This way, the user will always be manually prompted to allow or dis-allow an application.

    The whitelist idea is good, and will help for your “average” user. But for power users, it may lead to problems. For example, take a Skype Certified application that is whitelisted and thus automatically given access to Skype. It starts up, and changes settings that break the current user’s setup. (E.g., in my case, I have to blacklist Logitech’s “Communication_Helper” because it keeps trying to switch Skype to the QuickCam microphone, while I have other headsets on my machine that I prefer to use.) While you still give people the option to blacklist a whitelisted application, the whitelisted application still has the opportunity to run at least once and break a user’s environment when it first launches, _before_ the user has the ability to go in and blacklist said application.

    Again, for “average” users, whitelists will be helpful. But for more advanced users, please give us the option to always explicitly decide if we want to allow a whitelisted application.

    Also, as a related side note: will the API authorization dialogs be updated to indicate if an application is on the whitelist or not?

    Another option to consider is making the API authorization more granular. Right now, it is an all-or-nothing deal.

  2. bigbrownchunx said 2027 days ago

    Will it cost developers to have their application be on the whitelist, or is it only open to Skype partners?

    Will the white/blacklist only apply to the “NAME [[ProgramName]]” that’s sent over the API, or will it be in a similar way to how programs are checked at the moment, e.g. by .exe name? Will that mean that applications that are updated need to be updated on the whitelist/blacklist?

    If an evil program only needs to modify itself a little to look like a separate program to Skype every time it runs, won’t it defeat the purpose of a blacklist?

  3. alsuren said 2024 days ago

    The whole concept of asking the user to authorise local programs stinks of Windows “security”. http://www.youtube.com/watch?v=VuqZ8AqmLPY If a malicious program wants to get around it, all it has to do is pretend to be a program that’s on the whitelist. On unix systems, a program is assumed to be trusted if it is running as the current user on the local system. Please add an “allow all”, or “allow by wildcard” option in future versions, so we can disable this feature.

  4. ppmotskula said 1994 days ago

    Will it cost developers to have their application be on the whitelist, or is it only open to Skype partners?

    All developers will be able to apply for getting their apps whitelisted. We may decide to whitelist only Skype Certified apps, or request a separate testing fee from the developers who want their applications to be whitelisted.

    Will the white/blacklist only apply to the “NAME [[ProgramName]]” that’s sent over the API, or will it be in a similar way to how programs are checked at the moment, e.g. by .exe name? Will that mean that applications that are updated need to be updated on the whitelist/blacklist?

    The white/blacklist will work based on the SHA256 hashes of the executables attempting to connect to the Skype Client API. If the executable is modified in any way, then its hash would no longer be found in the central lists, and the application’s access attempt would end up in missed events list.

    If an evil program only needs to modify itself a little to look like a separate program to Skype every time it runs, won’t it defeat the purpose of a blacklist?

    Not really. First of all, “good” developers can also request old versions of their applications to be blacklisted, e.g. in case they have identified a vulnerability in their application, and want to force their users to upgrade to an improved version. Second, a lot of malicious software is not polymorphic. Third, if the users are required to go through a series of actions more complex than just hitting “ok” in a dialog that pops up, then they are more likely to think before acting, so the spreading of such bad applications will be a lot harder than before.

    If a malicious program wants to get around it, all it has to do is pretend to be a program that’s on the whitelist.

    This would only be possible if the malicious program manages to modify the whitelisted program at run time. Modification of the whitelisted program’s executable before it is launched results in the hash no longer matching that in our centrally managed whitelist.

    Please also see a related case in our public issue tracker, Jira: SDS-250.

  5. prasshantg said 1964 days ago

    As I understand from the posts above, Skype may decide to whitelist only Skype Certified apps, or request a separate testing fee from the developers who want their applications to be whitelisted. I would like to know the process of getting the application whitelisted by paying a separate testing fee (if this process is already defined).
    Thanks,
    Prashant

  6. ppmotskula said 1964 days ago

    @prasshantg: Don’t worry, as soon as we have more information to share, we will share it via this blog here.

  7. ycj-123456 said 1914 days ago

    Hi, you said that “Skype Certified software and drivers for Skype Certified hardware will “just work” without the API access dialog ever popping up.” I want to know when this feature will be available? Thanks.

  8. ppmotskula said 1914 days ago

    It’s available in Skype 3.6.0.248 that was released on Feb 5. Read the release notes and an article in our January newsletter.

  9. n8tdd1 said 1558 days ago

    I am running the new Skype, version 4.0.0.206. A Vetech “Skype” USB7100 phone turned up at the office and I want to connect it to my computer. The installation goes well until I try to add Vtech to the “Tools>Advanced>Advanced Settings>Manage Other Programs’ Access to Skype” panel. This “Manage API Access Control” panel is dead except for the OK button that closes it.

    Is this a bug?

    How do I give Vtech access to Skype?

  10. chomdang said 1546 days ago

    Same here, I had to reinstall the previous version to make it work. I’m from Canada, if someone knows a good phone for Skype working with the new version, please let us know…

    Regards,

  11. matija1510 said 1540 days ago

    I am running the new Skype, version 4.0.0.206. A Vetech “Skype” USB7100 phone turned up at the office and I want to connect it to my computer. The installation goes well until I try to add Vtech to the “Tools>Advanced>Advanced Settings>Manage Other Programs’ Access to Skype” panel. This “Manage API Access Control” panel is dead except for the OK button that closes it.

    How do I give Vtech access to Skype?

  12. washride said 1491 days ago

    I just bought a new computer which is running Vista. My vtech 7100 phone does establish a session with Skype; however, when I try to make a call from the 7100 there is a very brief acknowledgement from Skype and then the connection is broken.
