September 24, 2016

Skype for Android Updated – Fixes Privacy Vulnerability

A few days ago Justin Case of the Android Police web site discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs, but that the permissions of the database were badly set, exposing this private information to any other app on the device which cared to take a look.

Now Skype have updated the app to version 1.0.0.983 and in doing so have corrected the permissions on the database files. According to a post on the Skype Security blog Skype “have had no reported examples of any 3rd party malicious application misusing information from the Skype directory on Android devices” but they “will continue to monitor closely.”

Skype is recommending that users update to this new version as soon as possible, in order to help protect their information. The update is available from the Get Skype section on skype.com, or from the Android Market links on skype.com.

According to the Android Police web site Justin Case, who originally found the issue, has taken a look at the updated version and confirmed that the proof-of-concept app he developed to demonstrate the vulnerability no longer functions.

As well as fixing the database permissions Skype have also added 3G calling in the U.S. Previously, calling in the States was only available via Wi-Fi (except for Verizon users who needed to download a special version of the app).

Skype for Android Stores Private Data in Unencrypted DB Accessible by Other Apps

Justin Case of the Android Police web site has discovered that the Android version of Skype uses a simple sqlite3 database to store contacts, profile information and instant message logs. This isn’t bad in itself, but due to a lack of encryption and badly set permissions, this private information is accessible to any other app on the device which cares to take a look.

The databases are stored in the Skype data directory (which has the same name as the configured Skype username). The main database (imaginatively called main.db) has tables for data like account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, webpage, bio and so on. There are also other tables with similar information on the contacts and another table recording the instant messages.
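The defect described above is a file-mode problem: an sqlite3 file left readable by every other UID on the device. The following audit script is an added example and is not code from Skype or from Android Police. It walks an app data directory, reports every file whose group/other read or write bits are set, and then strips those bits so only the owning UID can open the file (on Android each app runs under its own UID, so owner-only access is the normal expectation). The directory layout, the `example_user` name, the table name and the row contents are all constructed for the demonstration; the real database schema is not shown on this page. It assumes a POSIX filesystem, where `os.chmod` and `st_mode` carry the full permission bits.

```python
import os
import sqlite3
import stat
import tempfile

# Permission bits that let processes outside the owning UID read or write a file.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def find_exposed_files(data_dir):
    """Walk an app data directory and return (path, mode) for every regular
    file whose group/other read or write bits are set."""
    exposed = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            mode = os.stat(path).st_mode
            if mode & EXPOSED_BITS:
                exposed.append((path, stat.S_IMODE(mode)))
    return sorted(exposed)


def restrict_to_owner(paths):
    """Remediation: clear group/other bits so only the owning UID can read or write."""
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~EXPOSED_BITS)


def build_sample_app_dir():
    """Constructed sample: a per-username directory holding main.db, in the shape
    the post describes, with the database left world-readable. The table and its
    contents are invented for the example, not the real schema."""
    base = tempfile.mkdtemp(prefix="app_data_audit_")
    user_dir = os.path.join(base, "example_user")  # assumed username, not a real account
    os.makedirs(user_dir)

    db_path = os.path.join(user_dir, "main.db")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE profile (username TEXT, fullname TEXT, birthday INTEGER)")
    conn.execute("INSERT INTO profile VALUES ('example_user', 'Example User', 19800101)")
    conn.commit()
    conn.close()
    os.chmod(db_path, 0o644)  # the bad setting: readable by every other UID on the device

    # A correctly restricted file beside it, for contrast.
    cfg_path = os.path.join(user_dir, "config.xml")
    with open(cfg_path, "w") as f:
        f.write("<config/>")
    os.chmod(cfg_path, 0o600)
    return base


def audit_and_fix(data_dir):
    """Run the audit, remediate what it found, and re-audit to confirm."""
    before = find_exposed_files(data_dir)
    restrict_to_owner(path for path, _mode in before)
    after = find_exposed_files(data_dir)
    return before, after


if __name__ == "__main__":
    sample_dir = build_sample_app_dir()
    found, remaining = audit_and_fix(sample_dir)
    for path, mode in found:
        print(f"exposed: {path} mode={oct(mode)}")
    print("remaining after fix:", remaining)
```

Run against a real app's data directory the `find_exposed_files` pass is the useful part: anything it reports is readable by other apps without any permission prompt. Note that correcting the modes addresses only the permissions half of the problem the post describes; the data is still stored unencrypted, so it remains readable to anything that can bypass UID isolation (a rooted device, or a backup of the data directory).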

Justin has created a proof-of-concept app that once installed on the device can read the Skype databases. It would be relatively easy for a malicious hacker to create a harmless looking app which in the background snoops around the Skype databases and sends the information to a collection server on the Internet.

Skype has responded to this vulnerability by saying that they “take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.”

They also say that “to protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.”