Great article by SecureState’s Brandon Knight on Mobile App Security.

Securing your data is a common Android security problem.  During my development of Android apps, I’ve noticed lots of information being stored in unprotected areas of the filesystem, such as the /sdcard/Android/data folder.  For example, any file you view or cache offline from Dropbox is stored in /sdcard/Android/data/com.dropbox.android.  Given that Dropbox could be used for both personal and team-based uses, it’s easy to see that corporate data isn’t safe here either.

During the Android 2.2 days, many phones (such as my HTC EVO) had ~200MB available for apps (and storage), supplemented by micro SD.  There was no choice but to save information on the micro SD.  The newer Android phones ship with much more internal storage, meaning app developers can (and should) begin to more to saving data in the app sandbox instead of the public space.  It will take a long time before app developers change over to the new model.  In the meantime, users should be aware of what data is being stored on the micro SD and other public areas of the filesystem.