Update: A new version of Skype for Android has been released, fixing the security flaw. The update also adds support for free Skype to Skype calling over 3G.
Earlier this week a new Skype app designed for the HTC Thunderbolt Android phone was leaked, adding support for video calls. While examining the inner workings of the app, Justin Case from Android Police noticed vulnerabilities in the way the app stored personal user data — and then he noticed that the same vulnerabilities were present in the official Skype app available from the Android Market.
In other words, pretty much every version of Skype for Android except the Skype Mobile for Verizon app appears to store personal data insecurely.
What this means is that if you download an app with a little spyware hidden away, someone could harvest your Skype username, profile data, contact list, IM log, and other data. Your account information, including your account balance, and personal information such as your name, date of birth, and more details can also be read. The data is unencrypted and readable.
Now, to be fair, you’re only at risk if you somehow manage to download an app that’s designed to take advantage of this exploit. But it’s still something that could have easily been avoided.
Skype has acknowledged the vulnerability and is promising to work quickly on a software update to address the issue. In the meantime, Skype recommends users “take care in selecting which applications to download and install.” Of course, if you want to be really certain nobody steals your private data before Skype issues a fix, a simpler solution might just be to uninstall the Skype app until a new version is released.