1. ASTQB Certified Mobile Tester Syllabus (2019): Section 4.3, "Security testing," outlines common security vulnerabilities for mobile applications. Learning Objective MO-4.3.2 specifically requires candidates to "give examples of security vulnerabilities for mobile applications," which prominently includes insecure data storage. The syllabus details checking for sensitive data stored in insecure locations as a key testing activity.
2. OWASP Mobile Application Security Verification Standard (MASVS): The MASVS is a community-led standard for mobile app security, widely referenced in academic and professional contexts. In section "V2: Data Storage and Privacy Requirements," it explicitly states as a requirement (MASVS-STORAGE-1): "System credential storage facilities are used to store sensitive data, such as PII, user credentials or cryptographic keys." Testers are tasked with verifying this.
3. Kanaker, O., & Al-Hawari, F. (2021). A Comprehensive Review on Mobile Application Security. International Journal of Interactive Mobile Technologies (iJIM), 15(07), pp. 18–38. This academic review emphasizes that "Insecure data storage is one of the most common vulnerabilities in mobile applications" (p. 24). The role of testing is to identify such vulnerabilities, where sensitive data is stored improperly in the device's local storage. DOI: https://doi.org/10.3991/ijim.v15i07.20911