Here's a fact about mobile apps that is as true for Fortune 100 companies as for mom-and-pops: rare is the company that understands what data its mobile app retains.
I used to prove this theory routinely. All it requires is a security consultant who is willing to do some penetration testing on the app. In some cases, 20 minutes was all the time needed. We found passwords in the clear in Starbucks' app and similar data-retention problems with Delta, Facebook, eHarmony, Match.com and Walmart, among others. The frightening part: We never found a company's mobile app that did not retain info the company was unaware of.
The reasons are many, but it comes down to this: most companies only test for what they care about. They tested extensively for functionality. The app needs to work right, after all. But it wasn't in their interest to see what was being retained. Sometimes, it was a third-party app that actually did the collecting. With Starbucks, it turned out to be a crash-monitoring app that would grab everything to analyze later in case of a crash. That retained data was sitting there waiting for a thief—or a pen-tester—to find it.
A story that just ran in The Verge offers the comforting observation that data retention in mobile apps is still going strong. "WhatsApp retains and stores chat logs even after those chats have been deleted, according to a post today by iOS researcher Jonathan Zdziarski. Examining disk images taken from the most recent version of the app, Zdziarski found that the software retains and stores a forensic trace of the chat logs even after the chats have been deleted, creating a potential treasure trove of information for anyone with physical access to the device."
The problem here is that apps have tons of fun places to hide data. That third-party crash-analytics app was a good example. On iOS, the iTunes backup is another. Unless the programmer and designer are careful, that backup will grab a lot of things you never intended to include.
Sometimes, developers leave their notes in the app, assuming no one will ever find them. Walmart's app included login and password credentials for a testing server. Oops!
Let's remember what developers are up against. There's the app's own code, and then there's the mobile OS. Then there are any other mobile apps on the device that need access to it. Remember the Apple mobile app that shared data from all healthcare apps on the phone? Then there is the interface with the Internet and, typically, with servers at the mothership.
What happens any time any of those elements is upgraded? Suddenly, it can do things it couldn't before. Did anyone test how those changes would affect your app's functionality or data retention? More precisely, is the upgraded component now able to capture some of your data? As WhatsApp was just reminded, deleting is a really bad word in the world of mobile app development.
Unlike many technology problems, this one has a delightfully simple and low-cost answer. For each and every mobile app your team is about to deploy, hire one or two pen-testers to see what they can find. Trust me. If you don't do it, a cyberthief—or even an obnoxious security journalist like me—will gladly do it for you.