Second, other user data on mobile devices should be encrypted. This is something that users have to do themselves, but Android and iOS both provide mechanisms for doing that reasonably securely, and third-party add-ons like SQLcipher for AES encrypting SQLite databases are even better. If you look for strong mobile encryption mechanisms, you can find them.

Next, we need better default protection settings in our mobile platforms. For example, on iOS devices, sensitive data (including things stored in app keychains) is protected by hardware encryption that is keyed with a combination of a unique 256-bit device key and the user's own device lock code. Since that device key can be obtained by an attacker with physical access to a device, the protection afforded the user by the keychain essentially comes down to how strong his device lock code is. The default setting on iOS is a four-digit PIN, which just isn't up to the task.

Usability advocates will argue that strong device passwords on mobile devices are annoying and won't be accepted by users. That's a fair argument -- strong passwords on a smartphone or tablet really are a hassle to work with. (Trust me.) Still, I'd prefer something stronger than four-digit PINs to unlock a device (and the data it holds). For the longer term, device vendors need to be shooting for stronger keying mechanisms -- perhaps a PIN in combination with a biometric like a fingerprint, facial pattern scan or voice recognition.

For now, though, what I suggest to people who are serious about the security of their mobile devices is to carefully select the apps they use. It's easy enough to do some cursory static analysis of an app and its files using tools like iExplorer (formerly iPhone Explorer). At the very least, make sure your apps don't store login credentials in properties files and the like.

Next, turn on strong passwords and use a reasonably strong one. A PIN just doesn't cut it.