Symantec has warned smartphone users to be wary of good samaritans who access lost handsets in a bid to identify who to return the device to.
The security software maker said [pdf] that while the return of a device is "potentially reassuring", the fact the finder accessed the phone to work out who the owner was "could be considered a major security breach".
The firm purposely "lost" 50 smartphones in the United States and Canada late last year under a project codenamed Smartphone Honey Stick, a variation of earlier research using "lost" USB sticks.
It installed a series of simulated apps and files on the handsets, some with false log-ins and pre filled username and password fields.
Also on the device was a 'Contacts' app, which included an entry tagged as 'Me' with an email address and phone number "for the apparent owner of the smartphone".
Of the 50 devices that were lost, almost all logged attempts by the finder to access data or apps.
Half - about 25 devices - were returned to the "owner" using the details stored in 'Contacts'.
The study criticised the number of returns, "despite the fact that the owner's phone number and email address were clearly marked in the contacts app".
However, it also criticised any finder of a device that attempted to access any app on the device, no matter what purpose.
"Regardless of the motivation of the person accessing the phone, the fact that they may be accessing sensitive data should be a major concern to the device's owner, and possibly their employer," the study stated.
Finders of all but one device made an attempt to access data or apps. On average, it took 10.2 hours for an "access attempt" to be made; the median time was 59 minutes.