"One of the biggest threats organizations face is the loss of sensitive data," said OWASP Mobile Security Project MobiSec Leader Tony DeLaGrange. As an organization's defense perimeter spreads further and further, it gets harder and harder to defend. DeLaGrange said that means securing data storage at the endpoints becomes more and more important.
On mobile devices, application developers have both storage and bandwidth limitations to contend with. The overall project leader for the OWASP Mobile Security Project, Jack Mannino, said these limitations sometimes lead mobile developers to lose focus on secure data storage. Information that would never be left vulnerable in a traditional Web application -- sometimes such coveted personal information as Social Security numbers, account information, usernames and passwords -- might not be adequately protected.
What sometimes happens, according to Mannino, is that this information bypasses security measures, but it doesn't do so alone. Mobile application developers, concerned with keeping the application functioning as expected on limited resources, may not be eager to devote resources to secure data storage procedures such as proper encryption. Another recurring problem is that mobile developers use cloud backup for storage but may not understand the security concerns associated with transferring data to the cloud or storing data on off-premises servers.
While mobile devices do have some limitations, they "have basically the same capabilities and access as laptop computers, and enough storage capacity to make any data owner cringe if the device isn't properly secured," according to DeLaGrange. He said it is important for application testers to assess how data is secured on the device to ensure data protection at the endpoint. He suggested taking "a forensic perspective when assessing the device to determine where information is stored and how it is protected. Leave no stone unturned."