The majority of mobile apps leave their users' sensitive account data unencrypted on their phones, according to a new study.
The security firm ViaForensics examined 100 apps for Apple iPhones and Google Android phones and found that three-quarters of them, including LinkedIn, Netflix and Groupon, store app customers' user names in plain text on their phones.
"Looking specifically at storage of user names, we were able to recover 76 out of 100 user names for apps tested," ViaForensics wrote. "At present, providers do not appear to consider the security implications of plain text storage of user names.
"While most people may not consider their user name sensitive information, it is in fact a very important piece of data," ViaForensics continued. "Many systems require only user name and password, so having the user name means that 50 percent of the puzzle is solved."
An unofficial Starbucks app developed by "Evanthedev" was found storing its customers' full 16-digit credit card numbers. And Wired reported that Mint.com's iPhone and Android apps, used to manage users' financial data, store customers' transaction history and balance information on the phone. The Mint.com Android app also stores a user's PIN on the phone, unencrypted.
Passwords were not stored as frequently as user names; however, 10 of the examined apps stored the user's password in plain text, an oversight ViaForensics called "perhaps the most direct threat to user security in this study."
Adding to the potential peril of identity theft that smartphone users face, a survey conducted by the security firm Sophos found that 70 percent of smartphone users don't password-protect their phones.
With more and more people relying on mobile devices to manage their lives, it's important that people take steps to secure their phones the same way they do their home computers.