Antivirus software giant Symantec partnered up with Sprint in order to conduct a little experiment dubbed “The Symantec Smartphone Honey Stick Project” that involved “losing” 50 mobile devices in 5 major cities – New York City, Washington D.C., Los Angeles, San Francisco and Ottawa, Canada – to see what people do when they find a smartphone.
The phones were left unlocked and loaded with a variety of bogus personal and business-focused apps whose sole purpose was to report back to Symantec which app was accessed, the time when the app was activated and the device ID.
The simulated apps included (information type in parentheses):
- Social Networking (Personal)
- Online Banking (Personal)
- Webmail (Personal)
- Private Pix (Personal)
- Passwords (Neutral)
- Calendar (Neutral)
- Contacts (Neutral)
- Cloud-Based Docs (Neutral)
- HR Cases [PDF] (Corporate)
- HR Salaries [Spreadsheet] (Corporate)
- Corporate Email (Corporate)
- Remote Admin (Corporate)
As it turns out, a lot of the time folks are looking to do much more than just play finders keepers with lost smartphones – they’re looking to capitalize on their find as much as possible!
During the 7-day study period, Symantec discovered that:
- Only 50% of the people who found the smartphones attempted to contact the owner (the owner’s phone number & email were clearly marked in the contacts app).
- Nearly all (96%) of the lost smartphones were accessed by whoever found them.
- 89% of devices reported attempts to access personal apps or data.
- 60% of the devices reported an attempt to access the social networking apps.
- 60% of the devices indicated attempts to access personal email.
- 83% of smartphones reported attempts to access corporate-related apps or data.
- The HR Cases file was accessed on 40% of the devices.
- The HR Salaries file was accessed on 53% of the devices.
- Only 5% of the devices were not accessed during the study.
- On average, the “lost” devices went untouched for 10 hours before any attempts were made.
Based on Symantec’s findings, it’s safe to say that smartphone owners need to seriously consider what type of information is stored on their smartphones and whether or not someone could do some serious damage if they happen to get their hands on it – especially if their device is used for business purposes.
Sure, it may not be a big deal if someone were to sift through your smartphone’s photo gallery or text message history, but what about your corporate email or work-related files and apps stored on your phone?
At the very least, users should lock their phone with the built-in passcode or pattern-lock features. Apparently not even the FBI can get past the security offered by the pattern-lock feature built into Android without a little help from Google.
If you wish to take it a step further, you should look into installing an app that offers GPS tracking along with remote locking and wiping features.
For businesses that partake in the BYOD (bring your own device) practice, it’s important that the organization develops and enforces a strong policy requiring employees to password-protect their phones, and creates a guideline on how to handle a situation where a device is lost or stolen.
And, of course, it couldn’t hurt to watch after your smartphone as if it were your child.
Photo Credit: philcampbell