In a study it dubbed the Honey Stick Project, security software company Symantec published rather disturbing details about what happens to a lost smartphone after the device is found. Symantec researchers took fifty smartphones and programmed the devices with a variety of generic applications in three different categories: personal, neutral and corporate. For instance, the contacts application in the neutral category contained an entry for the owner that included a phone number and email address. The research team visited Los Angeles, New York City, San Francisco, Washington D.C. and Ottawa, Canada in order to “lose” the smartphones in public areas such as public transit stops, malls, food courts and elevators.
While the Symantec-created apps didn’t actually contain any private information, every app transmitted the device ID, app name and time of activation each time it was accessed on the phone. In addition, a GPS tracking application periodically transmitted the location of the phone back to Symantec. This would allow the researchers to become aware when the phone was turned in to a local police station or perhaps sold to a pawn shop. As for security, none of the phones were outfitted with a password to lock out anyone who happened to come across one of the devices.
While only 25 of the 50 smartphone finders made any attempt to contact the owner and return the device, the more shocking details of the study concern how privacy is violated after the phone is lost. Nearly 90 percent of the devices showed at least one attempt to access the apps within the personal category. For instance, an app called “Private Pix” was accessed on 72 percent of the devices. The social networking and email applications were accessed on 60 percent of the devices and the online banking application was accessed on more than 40 percent of the smartphones. In addition, the passwords file was accessed on nearly 60 percent of the devices.
When it comes to corporate information, the people who find lost smartphones are only slightly more respectful, as 83 percent of devices were used to access business-related information. A file named “HR Salaries” was accessed on over half of the phones and another file called “HR Cases” was accessed on 40 percent of the sample group. A “Remote Admin” application was accessed on nearly half of the smartphones and a corporate email application was opened on 45 percent of the devices.
One bright spot of the study is that Canadians who lose their smartphone are more likely to be contacted by the finder. Seventy percent of the smartphones lost in Ottawa were returned to Symantec. Assuming Symantec used a sample size of ten smartphones per city, this leaves 18 people who returned smartphones within U.S. cities, or approximately 45 percent of the remaining 40 phones.
In order to better safeguard personal information on mobile devices, Symantec recommends a strong password for the home screen or using a “draw to unlock” pattern for even stronger security. The company also recommends the use of security software to remotely lock the device or wipe the data from the phone. For businesses, Symantec recommends creating a formal policy for when an employee loses a company-issued phone, as well as increasing employee education on the importance of protecting the data on the smartphone.