Companies significantly increase their risk of data leakage when smartphone- and tablet-toting employees use cloud storage services DrobBox, Box and SugarSync, a university study shows.
Word documents and PDF files retrieved from these services from an iOS or Android device were stored in cache, where they remained until the storage limit was reached, at which point they would be overwritten by new data, researchers from the University of Glasgow, Scotland, found.
In the case of iOS devices, the data was stored in memory, while Android stored the information in an SD memory card. Meta-data related to the application could also be retrieved.
The study has its flaws. Most notably, the researchers used older versions of the operating systems. They tested iOS 3 on an iPhone 3S and Android 2.1 on an HTC Desire.
While not all the information kept in the older phones would be recoverable in the latest iOS and Android devices, experts agreed that some data would still be accessible, either by someone who stole the phone or to malware that gained root access to the device.
[In depth: Cloud security rebuttle -- Don't rebuke the many for the sins of the few
"From a forensics perspective there is little you can do on a device today without leaving some kind of remnants," said Paul Henry, a forensic analyst for Lumension. "With DropBox, I can typically decrypt the database and get details of your activities and yes you may find actual cached copies of files in memory as well."
The risk of data leakage has intensified with the bring-your-own-device (BYOD) trend. Most organizations let employees use their personal devices for work, but vary widely on the strictness of policies to ensure security.
The biggest danger with BYOD is employees using applications such as storage services for tucking away business documents, so they can be worked on from home. This mixing of corporate and personal data increases the chance of a security breach.
George Grispos, a lead researcher in the university study, said the separation of corporate and personal data is critical on any mobile device. "The cloud applications must be part of the bigger picture of how you segregate the device," he said.
Options include sandboxing or virtualization, but they all need to be tested to determine how they effective they are at preventing data leakage, said William Bradley Glisson, director of computer forensics at Glasgow.
Storage services are just one of many mobile apps that pose a data security risk. Ws released its findings Tuesday in testing the popular Any.DO, a business and personal calendar tool. The company found that the app stored passwords and sensitive user data in plain text and was susceptible to man-in-the-middle attacks. ny.DO is available through Apple's App Store and Google Play.
Read more about cloud security in CSOonline's Cloud Security section.