It was only a week ago that an Internet security firm peeked into Pandora‘s mobile app and determined that the company is sharing “mass quantities” of user info with ad agencies. Now Skype is being held under a microscope, particularly the company’s Android mobile app, and it seems that your stored personal data isn’t as safe as you’d probably like it to be.
After discovering that a leaked beta version of the VoIP app was vulnerable to an exploit that offers access to all user data, Android Police tried the same tactic with the widely used Skype for Android, available since October 2010, and saw the same results. The site notes that the Skype Mobile for Verizon app appears to be unaffected, only Skype for Android.
The technical details get a little complicated, but essentially, Skype stores all user data in a folder bearing that user’s name. The database files contained within that folder have incorrect permissions (simply, who/what can access them, and how), and furthermore, they aren’t encrypted. What all of this means is that these files, which contains everything from contacts and profile information to message logs, can be both accessed and read by anyone with minimal trouble.
The issue extends a bit deeper than that as well. If the issue were confined to just what is detailed above, potential intruders would have to have the user’s Skype name. Still not terribly secure, but certainly more manageable. Unfortunately, there is also a way to tease out this information as well. Android Police notes that the big danger here is of a rogue developer releasing a tweaked version of the app — think back to the recent malware debacle on Android Market — that pulls out and transmits private user information.
The post concludes with some suggestions to Skype as to how this could be fixed. A later update reveals that the company “is investigating this issue.”