Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set file permissions, this private information is readable by any other app on the device that cares to take a look.
The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.
Justin has created a proof-of-concept app that, once installed on the device, can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless-looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.
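The root cause described above is a file-permission one rather than anything specific to sqlite: a database created with a world-readable mode is open to every other process on the device, and one created owner-only is not. The following Python script is an added example, not code from Android Police, Skype or the proof-of-concept app; it builds two constructed contact databases in a throw-away directory, one with the weak world-readable mode and one with the hardened owner-only mode (the equivalent of what Android's `MODE_PRIVATE` gives an app-created file), and then runs the audit check a defender would use to find files readable by "other". File names, table layout and contact values are made up for the example.

```python
import os
import sqlite3
import stat
import tempfile


def create_contacts_db(path, world_readable):
    """Create a small sqlite3 database holding a constructed contacts table.

    world_readable=True reproduces the weak setting (any process on the
    device can read the file); False applies the mitigation (owner-only
    permissions, 0600).
    """
    mode = 0o644 if world_readable else 0o600
    # Create the file with the intended mode before sqlite3 opens it, so there
    # is no window in which it exists with a looser default mode.
    fd = os.open(path, os.O_CREAT | os.O_RDWR, mode)
    os.close(fd)
    # os.open's mode is masked by the process umask; apply the mode explicitly.
    os.chmod(path, mode)
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE IF NOT EXISTS contacts (name TEXT, phone TEXT)")
        conn.execute(
            "INSERT INTO contacts VALUES (?, ?)",
            ("Constructed Contact", "+1-555-0100"),  # constructed sample row
        )
    conn.close()
    return path


def world_readable_files(directory):
    """Return the names of regular files in directory whose mode grants read to 'other'."""
    findings = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        st = os.stat(full)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            findings.append(name)
    return findings


def demo():
    """Build a temporary data directory with one weak and one hardened database and audit it."""
    directory = tempfile.mkdtemp(prefix="contacts_audit_")
    create_contacts_db(os.path.join(directory, "main.db"), world_readable=True)
    create_contacts_db(os.path.join(directory, "private.db"), world_readable=False)
    return world_readable_files(directory)


if __name__ == "__main__":
    # Expected: only main.db is flagged; private.db is owner-only.
    print("world-readable databases:", demo())
```

The audit looks only at mode bits, not at whether the current user could actually open the file, so it gives the same answer whether it is run as the owner or as an administrator. On a real device the same check would be run over each app's private data directory, and any hit on a file holding account, contact or message data is the condition the article describes.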
Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”
They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”