Skype for Android is vulnerable

According to a post at Android Police, confirmed by Skype, the Android version of the popular VoIP app exposes extensive user data. The Android Police report says user IDs, phone numbers, chat logs, and other data is exposed by the vulnerability. User data is stored unencrypted in sqlite3 databases, and Skype for Android uses …


  1. Anonymous Coward


    Justin Case, really?

    Posting anonymously, but you can call me Mike Hunt.

  2. Anonymous Coward


    "Justin Case, who published the vulnerability, has also published a proof-of-concept exploit."

    It's a shame Justin Time didn't discover the vulnerability. Awesome name.

    I would like more info on this "user ID" though. Is it the application's user ID - as in the Unix user account the application is given? Or is it a UID created and maintained internally by Skype and used internally to authenticate, for example, access to its content provider or so on?

  3. Steve Evans

    Unencrypted, badly set permissions, predictable location...

    Not good... At least they managed to send an email out...

    Thank you for downloading and using the Skype for Android software. Unfortunately, it has come to our attention that if you were to install a malicious third-party application onto your Android device, it could access the locally stored Skype for Android files. These files include cached profile information and your instant message chat history.

    We take our users’ privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application. This update will be available shortly and as always we urge you to install updates to benefit from our continuous fixes and improvements.

    Until the update is released, to protect your personal information, we advise that you as always take care when selecting which applications to download and install onto your device from the Android Marketplace.

    For more information see our Security Blog at or our security section at

  4. mark l 2 Silver badge

    Three Version?

    Does this include the version shipped on Three Android phones as that version was written specifically for Three?

  5. Anomalous Cowturd

    Better late than never...

    Following this article, I removed Skype from my phone pending an update.

    Today, (Saturday), I got an email from Skype warning me of the problem. Fair play to them for at least making the effort.

    And a beer for the Android Police for spotting the problem in the first place.

    1. Anonymous Coward

      The Android police wouldn't have been needed if Google weren't so stupid

      Google didn't like all that nasty security stuff in Java getting in the way of them making money. They also didn't like the prospect of paying Sun a few tens of cents for each phone in royalties. So they rolled their own and threw out all that inconvenient security stuff. Now every week we hear of some new app spewing users' information to servers all over the planet.

      No one should be surprised by this, security was designed out of Android from the very beginning. But no matter, the money keeps rolling in.

      1. Anonymous Coward


        Actually file permissions in Android are very simple. They use standard *nix permissions but obviously you don't create files directly but through the Android APIs. By default files are only accessible by the owning application. You have to explicitly use MODE_WORLD_[READ|WRITE]ABLE when creating a file (or in this case, a database) to make it visible to other apps.

        I am a bit curious as to how Skype managed to get this wrong.
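
Added example, not part of the comment above and not Skype's or Android's code: a small audit that walks an app's data directory and reports files whose Unix mode grants read or write access to "other", which is the access MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE open up to other apps. The function names, file names and mode values in the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def world_accessible(root):
    """Return {relative_path: 'r', 'w' or 'rw'} for regular files under root
    that grant read and/or write access to 'other' (any other Unix UID)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # ignore symlinks, sockets and other non-regular files
            flags = ""
            if mode & stat.S_IROTH:
                flags += "r"
            if mode & stat.S_IWOTH:
                flags += "w"
            if flags:
                findings[os.path.relpath(path, root)] = flags
    return findings


def build_sample_tree(root):
    """Constructed sample data: one owner-only database and two exposed ones."""
    db_dir = os.path.join(root, "databases")
    os.makedirs(db_dir)
    samples = (("private.db", 0o660), ("exposed.db", 0o664), ("open.db", 0o666))
    for name, mode in samples:
        path = os.path.join(db_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"SQLite format 3\x00")  # placeholder header bytes only
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = world_accessible(build_sample_tree(tmp))
        for rel, flags in sorted(report.items()):
            print(f"{flags:2} {rel}")
```

A file is only reachable by another UID if every parent directory also grants it search (execute) permission, so a finding here is a reason to check the directory modes as well.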

  6. Tigra 07 Silver badge

    This is a title, it contains letters and or numb3rs...

    Justin Case, meet Mary Christmas, Ben Dover, Mike Hunt and Mike Roch.

    Lucky Justin Case was justin time spotting this.

  7. damncrow


    Just checked on a Windows PC, version 4.2. All the same stuff is in AppData\Roaming\Skype. Even information from other accounts can be easily seen with Notepad and some SQLite GUI.

  8. A J Stiles

    *All* Closed Source applications are vulnerable

    Some Open Source applications are vulnerable too, but this is usually just a passing phase.

    When are people going to start getting it?

  9. Little Poppet


    Has this problem been resolved yet?

  10. joe.user

    Wow this is great, especially not smart to have crapware locked in apps!

    Why should my droid come preloaded with crap? Case in point, this breach makes Verizon liable.

