However, on the other side of that coin, the applications developed by Wells Fargo, Chase, State Farm, and the Internal Revenue Service, were completely clean, and secured when judged against the OWASP list.
All things considered, RIIS says that the safest applications don't store any login information or sensitive user data on an Android device.
"It is common practice (and a fundamental security flaw) to store the username and password encrypted in a SQLite database or shared preferences folder with a hardcoded encryption key which can be found by decompiling the APK," the report adds.
The full report is available here, but registration is required.
Sign up for CIO Asia eNewsletters.