One of our corporate applications has recently issued a Windows/Android app for smartphones, to give the users an alternative to using their web app. The suppliers are a relatively small company. Some of the end-user smartphone devices are currently not encrypted, but the suppliers say this is not a show stopper as security is 'contained' within the app itself. The login to the app is single-factor authentication, username/password.

How practical is it that security for an app would be 'contained' within itself, so if someone lost the smartphone with the app itself there would be no data specific to the app accessible on the device's storage? And perhaps more relevant, what type of testing would you suggest to see what data specific to the app is stored and retrievable on the phone itself? Or what types of security-sensitive data do/could apps leave on the phones themselves, and what could be retrieved if the device was lost/stolen?