"Smartphone devices which access cloud storage services can potentially contain a proxy view of the data stored in a cloud storage service," the research concludes. Accessing the proxy data can lead to further data being exposed, they add. Files that were not viewed on the smartphone, but were in the user's cloud storage account, could not be recovered, although in some cases a thumbnail of a JPEG that had not been viewed on the phone could be seen.
Researchers say a variety of tools can be used to extract data from a smartphone, including products from private company Cellebrite, which makes the Universal Forensics Extraction Device (UFED). Micro Systemation's XRY is another tool for forensic detection of data.
In response, a spokesperson for Box pointed out that the researchers were using outdated versions of the company's mobile application (Android Version 1.6.7 and iOS Version 2.7.1), which are both almost a year old. Since then, Box has begun encrypting all files that are saved for offline use. The current Android app has automatic encryption and the Apple version has a feature to enable encryption. Previews of files are always encrypted, Box added.
Researchers admit further testing would be needed to determine how widespread this vulnerability is on newer devices, operating systems and cloud platforms.
Kothari, from CipherCloud, says there are steps IT managers can take to prevent corporate data used on smartphones from being tracked by hackers. For one, encryption tools like CipherCloud's can be used in addition to or in place of whatever security measures cloud service providers offer. Data loss prevention (DLP) and audit monitoring services can also be used to ensure employees are not accessing sensitive information on their smartphones, so that it never gets on the smartphone in the first place and therefore cannot be recovered by a hacker later.