Even the strongest safe deposit box can be opened with the right key. Your valuables might be safe in the strongest, most fortified bank in the world, but if the key is sitting on the bar with your car keys, it only takes a simple and quick attack to defeat every layer of the bank’s multimillion dollar security. Swiping your key, watching you sign your bill, and forging a fake identification is much easier than defeating a bank’s security system, drilling through six-inch steel walls, and breaking into the right safe deposit box.
Not all data you wish to protect is on the device, but usernames, passwords, and URLs to remote resources can be. All too often developers make the painstaking effort to encrypt all of the user’s confidential data on the device, but then compile in the strings to URLs, global usernames/passwords, or other back doors, such as those of credit card processing systems or other global system. Another common mistake is to write a thin client that stores no user data on the device, but makes the exception of storing the user’s password and/or session cookies there, or common bugs that make such an application susceptible to a man-in-the-middle attack. This makes the nightmare worse because once credentials are stolen (possibly unbeknownst to the device’s owner), the remote resources tied to these credentials can be easily accessed from anywhere.