Android Police has discovered a vulnerability in the software that could put users' account balances, names, dates of birth, location information, phone numbers, email addresses, bios, and more at risk after dismantling a recently leaked version of Skype for Android.
Android Police wrote a rogue app that could collect user information without special permissions or rooting to test the vulnerability. It turns out that it's not just the leaked beta; according to the blog, the issue exists in the standard version of Skype Mobile for Android—though not Skype Mobile for Verizon—affecting the 10 million users of the app.
Skype in blog post acknowledged that the users who install a malicious third-party application" on Android phones could expose locally stored Skype for Android files. Skype said "These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application."
After this massacre of reputation the company concluded that "We advise users to take care in selecting which applications to download and install onto their device.”
Skype's data directory folder, which stores user contacts, profiles, and instant message logs was the source of this problem. Apparently the files include improper permissions, which enable anyone with an app to access them. A hacker could conceivably parse the file, retrieve the user name, and follow the path to Skype's stored data as the username is stored in a static location.
And there's a lot of data to be found. The accounts table of one file (main.db) houses sensitive user information, including account balance, phone numbers, and email addresses. The contacts table holds similar information, only for your contacts, not to mention all of your Skype instant messages. A rogue developer could theoretically modify an existing app, distribute the app through the Google Marketplace, and harvest the data as it flows in.
To address the issue, Android Police suggests that Skype do three things: employ proper file permissions; implement some kind of encryption; and have mobile apps reviewed for security issues before releasing them publicly.
Last month a privacy advocacy group criticized Skype for failing to address holes in its VoIP service. The issues included easy impersonations, lack of HTTPS protection, and poor audio encoding.
