After dismantling a recently leaked version of Skype for Android, Android Police has discovered a vulnerability in the software that could put users' account balances, names, dates of birth, location information, phone numbers, email addresses, bios, and more at risk.
To test the vulnerability, Android Police wrote a rogue app that could collect user information without special permissions or rooting. It turns out that it's not just the leaked beta; according to the blog, the issue exists in the standard version of Skype Mobile for Android—though not Skype Mobile for Verizon—affecting the 10 million users of the app.
In a blog post, Skype acknowledged that users who "install a malicious third-party application" on Android phones could expose locally stored Skype for Android files.
"These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application," Skype said.
"We advise users to take care in selecting which applications to download and install onto their device," the company concluded.
The problem stems from Skype's data directory folder, which stores user contacts, profiles, and instant message logs. Apparently the files include improper permissions, which enable anyone with an app to access them. Because the username is stored in a static location, a hacker could conceivably parse the file, retrieve the user name, and follow the path to Skype's stored data.
And there's a lot of data to be found. The accounts table of one file (main.db) houses sensitive user information, including account balance, phone numbers, and email addresses. The contacts table holds similar information, only for your contacts, not to mention all of your Skype instant messages. A rogue developer could theoretically modify an existing app, distribute the app through the Google Marketplace, and harvest the data as it flows in.
To address the issue, Android Police suggests that Skype do three things: employ proper file permissions; implement some kind of encryption; and have mobile apps reviewed for security issues before releasing them publicly.
Last month a privacy advocacy group criticized Skype for failing to address holes in its VoIP service. The issues included easy impersonations, lack of HTTPS protection, and poor audio encoding.
Copyright © 2010 Ziff Davis Publishing Holdings Inc.