A few days ago Justin Case of the Android Police web site discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs, but that the permissions of the database where badly set exposing this private information to any other app on the device which cared to take a look.
Now Skype have updated the app to version 126.96.36.1993 and in doing so have corrected the permissions on the database files. According to a post on the Skype Security blog Skype “have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices” but they “will continue to monitor closely.”
Skype is recommending that users update to this new version as soon as possible in order to help protect your information from the Get Skype section on skype.com, or from the Android Market links on skype.com.
According to the Android Police web site Justin Case, who originally found the issue, has taken a look at the updated version and confirmed that the proof-of-concept app he developed to demonstrate the vulnerability no longer functions.
As well as fixing the database permissions Skype have also added 3G calling in the U.S. Previously, calling in the States was only available via Wi-Fi (except for Verizon users who needed to download a special version of the app).