Austrian security testing lab AV-Comparatives today released an extensive report on the growing class of mobile security products, and it found that the remote data wipe feature could erase your Gmail from the server as well as from the phone.
AV-Comparatives specifically selected Android-based products that include antivirus protection along with the ability to remotely locate a lost or stolen phone and wipe its data.
Beyond those basics, the features of the tested apps varied widely, as shown in an extensive features chart included in the report. Only Android apps were actually tested, but additional charts listed the features for each app that supports BlackBerry, iPhone, Symbian, and Windows Mobile.
The report found something good to say about all of the products. For example, it praised Webroot for letting users choose between SMS-based and Web-based geolocation. It cited Kaspersky’s very good filter for blocking unwanted texts and calls. ESET’s product was “one of the best-engineered products, and best incorporated into company network administration.”
Big Problems with Remote Wipe
All of the products tested included the ability to remotely wipe personal data from a lost or stolen phone. The report states that “None of the products deleted all of the data irretrievably in the remote wipe test. In all cases it was possible to recover photos, music, documents and so on from the external storage card, even using a free program.”
Another potential problem occurred when the security software accomplished its remote data wipe by resetting the phone’s state to factory defaults. Admittedly, doing so wiped out personal data, but it also wiped out all apps, including the security app itself. After this step you could no longer track the phone’s location.
Bigger Problems with Remote Wipe
Researchers set up a Google Mail account and examined just how the products handled wiping that account’s data. Most of the products deleted stored email but didn’t delete the account or its password. Kaspersky Mobile Security 9 was “a praiseworthy exception.”
In specific circumstances, there’s an even bigger problem. If the email account is synchronized between the phone and the server, and if the user failed to change the password after wiping the phone’s data, it’s completely possible that data would be deleted globally from the account, not just from the phone. The report strongly recommended that mobile security products remind users to change the password for any email accounts accessed using the phone whose data is to be wiped.
The full report, available on the AV-Comparatives Web site, includes a detailed review and evaluation of each product, with screenshots.