Less than half of mobile phones apps passed a digital firm's security audit. One out of four failed and a third have less serious problems, discovered a test by viaForensics, a digital forensics and security firm.
"There is a serious potential threat for identity or financial theft if a lost smart phone should fall into the wrong hands," the study concluded.
"For instance, if a cybercriminal is able to steal one password, coupled with all of the usernames recovered, would pose a serious threat for someone who uses the same password on many accounts."
Testers easily obtained passwords, PINs, partial credit card numbers, and other sensitive financial data from the smart phones. The tests show that smart phone apps in general often store sensitive data without encryption.
Financial apps, which failed the test 25 percent of the time, are safer than social networking apps, which failed 75 percent of the time.
User names are an important piece of financial information that phone apps should protect. Because many systems need only a user name and password, having the user name means a cyber criminal is half way to hacking your phone. Plus, many people reuse their user name.
But few phone apps protect user names. Testers recovered 76 out of 100 user names for apps tested.
Testers said 10 percent of apps store passwords in plain text, perhaps the most direct threat to user security, according to viaForensics.
Testers retrieved private data from over two-thirds of the apps. A significant amount of sensitive data, such as private communications, personal information or account data was stored as plain text.
Google's Android secures the data on the user partition using permissions, which Google says protects data, but developers have learned how to bypass that protection by accessing phones' "root" permission. Google's new 3.0 version, called Honeycomb, released in February offers encryption on the user partition of the Android device, but it's only available on tablets, viaForensics noted.
Apple has generally done a better job at data security. Its iOS 4.0 released in June 2010 protects data better than earlier versions. Still, viaForensics stated, it is far from completely safe.
As part of the trend toward mobile payments, T-Mobile USA recently said it will allow customers to purchase goods and services through their phones.
Customers will be able to buy digital content like music and games with the browser on the phone. Instead of entering credit card information, a customer would authorize the purchase through the phone number account.
But Consumers Union warned that the mobile payments are not covered by the same protections of credit or debit cards that guard against fraud.
"Mobile payment products promise a new, convenient way to pay but consumers could end up losing money if something goes wrong with their transaction," said Michelle Jun, senior attorney for Consumers Union, in a statement.
© 2012 Moneynews. All rights reserved.