Symantec’s Honey Stick Smartphone Project (pdf) confirms what many of us already knew: almost no one can resist the temptation of poking around on someone else’s smartphone.

The study placed 50 smartphones in various public areas throughout several major American and Canadian cities. The phones were fully charged and had no passwords or other security measures, an all too common practice among smartphone owners, so any passerby had unfettered access to the device. All human interactions with the handsets were monitored and logged remotely. The goal was to assess the “human threat” posed by unsuspecting people who discover someone’s phone, based on how they interacted with the device.

96% accessed phone

57% opened password app

50% returned the phone

48% checked emails

43% opened banking app

96 percent of “lost” smartphones were accessed by discoverers while about half of those people also peeked into email and other potentially sensitive areas. 89 percent of the devices had the owner’s personal apps and/or data accessed. “Access” was defined as an app or file being opened on the phone.


Of course, even the most honest finders may have been looking for contact information via the address book and email apps in an attempt to identify the owner. Even with that in mind, finders also accessed a file named “Saved Passwords” 57 percent of the time.

Additionally, 53 percent of phone finders inexplicably opened a document titled “HR Salaries” while a disappointing 49 percent of people attempted to use an app named “Remote Admin”. 60 percent of the devices showed that people had attempted to log on to social network services under the owner’s user name. Meanwhile, 43 percent actually had the nerve to do the same for banking apps. When confronted with password prompts, the individuals would try to guess passwords.

The bottom line: A Symantec study shows that although half of lost phones are returned, many finders can’t resist poring over sensitive data.
