[thomas_c]

The software under test is designed to allow employees to use their personal phones for corporate use. Being a personal phone, corporate policies are irrelevant because we cannot apply or enforce them. The software is in use by some very large companies and being evaluated by others therefore it is far from implausible that some of those personal phones haven't got a device lock code set.

I agree it is not an Android issue though, it is the poor design of the app.

[wmf]

A more common policy in my experience is that any phone that has any company data on it must be company-managed. In other words, you pay for it but the company really owns it.

[kurtsiegfried]

@Thomas, thanks for the clarification, I guess I'm just used to companies with more authoritarian policies. Something along the lines of: "If it connects to our infrastructure, it gets policies enforced" (similar to what WMF said).

Nice work on taking apart the app though.

[thomas_c]

Yes that is my experience as well and is the case where I work. This seems to be changing as more tech-savvy staff with highly capable devices push their companies to "get with the times". So I guess that is why we're there to point out the risks in doing so. Doing this was partly fun, and partly so we could backup any statements we made about the risks of doing it.

Anyway, glad people enjoyed it. It's good to get some discussion going too. Thanks =D