Update #1: Skype is investigating the issue, we've been told.
Update #2: Skype's official first response can be found here.
The safety of our personal information is often a concern of mine - who has my email address, my phone number, my date of birth? How can I keep my private information safe while still enjoying the internet? These concerns have prompted me to take a deeper look at Android apps more than once, and often this can yield some frightening information.
On April 11, a leaked version of Skype Video hit the web and, having a Thunderbolt, I had to try it. My first impressions of it were positive: it worked and ran smoothly. My next reaction was, you guessed it: let's take it apart. What I discovered was just how poorly this app stored private user data.
I quickly came up with an exploit, and I was in shock at just how much information I could harvest. Everything was available to the rogue app I created, without the need for root or any special permissions.
Surely, only this leaked beta build was vulnerable, or so I thought. But upon examining the standard version of Skype for Android (which has been available since October 2010) I discovered the same vulnerability - meaning this affects all of the at least 10 million users of the app.
Just a side note, the "Skype Mobile for Verizon" version of the app appears unaffected at this time.
How Does This Work?
Inside the Skype data directory is a folder with the same name as your Skype username, and it's here where Skype stores your contacts, your profile, your instant message logs, and more in a number of sqlite3 databases.
# ls -l /data/data/com.skype.merlin_mecha/files/jcaseap
-rw-rw-rw- app_152 app_152 331776 2011-04-13 00:08 main.db
-rw-rw-rw- app_152 app_152 119528 2011-04-13 00:08 main.db-journal
-rw-rw-rw- app_152 app_152 40960 2011-04-11 14:05 keyval.db
-rw-rw-rw- app_152 app_152 3522 2011-04-12 23:39 config.xml
drwxrwxrwx app_152 app_152 2011-04-11 14:05 voicemail
-rw-rw-rw- app_152 app_152 0 2011-04-11 14:05 config.lck
-rw-rw-rw- app_152 app_152 61440 2011-04-13 00:08 bistats.db
drwxrwxrwx app_152 app_152 2011-04-12 21:49 chatsync
-rw-rw-rw- app_152 app_152 12824 2011-04-11 14:05 keyval.db-journal
-rw-rw-rw- app_152 app_152 33344 2011-04-13 00:08 bistats.db-journal
Skype mistakenly left these files with improper permissions, allowing anyone or any app to read them. Not only are they accessible, but they are also completely unencrypted.
But how do we find this directory from another app if we don't know the username? Well, Skype stored the username in a static location: we can parse this file, get the username, and find the path to Skype's stored data.
# ls -l /data/data/com.skype.merlin_mecha/files/shared.xml
-rw-rw-rw- app_152 app_152 56136 2011-04-13 00:07 shared.xml
# grep Default /data/data/com.skype.merlin_mecha/files/shared.xml
The most interesting file one can gain access to is main.db. The accounts table in this database holds information such as account balance, full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, your webpage, your bio, and more.
The Contacts table holds similar information, but on friends, family and anyone else in your contact list (that is, more than Skype exposes on other users publicly). Moving further along, looking into the Chats table, we can see your instant messages - and that's just the tip of it. Scary.
This means that a rogue developer could modify an existing application with code from our Proof of Concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in. While the exploit can't steal your credit card info, the data it's harvesting is still clearly very private (chat logs linked back to your real name, address, and phone number).
Imagine if Google accidentally leaked all of your Google Talk logs along with your e-mail address, name, and phone number - such a breach might cause a mass user exodus, not to mention a federal inquiry.
How Can Skype Fix This?
First, they can use proper file permissions; second, they should probably implement some type of encryption scheme; and third, they need to have their applications reviewed for security issues prior to release.
You can see just how wide-open your private data is by downloading this proof of concept application, which will display some (note: not all) of the information that the vulnerability would allow a less than savory individual to gather: