Checklist 244: Stalkerware and Kids’ Safety
This week on The Checklist:
Running ads for spyware
Earlier this week, two prominent tech news sites ran the following headlines:
“Keep your kid safe online with this parenting app”
“This handy app makes sure parents always know what’s happening on their kids’ phones — and the kids have no idea”
We say “headlines”, but those sure sound like ads, right? Well, they were ads — but you wouldn’t know it unless you did a bit of digging.
Now, we don’t have anything against running ads, per se — after all, we do it on this podcast! But we do think it should be clear to readers that what they’re reading is actually an ad. We also think that tech sites have a responsibility to avoid running ads for potentially harmful products. And unfortunately, the ads above fail to meet both of those standards.
The app promoted in those ads, mSpy, runs undetected in the background on a mobile device, recording text messages, monitoring the call history, logging social media and file activity, and even offering location tracking.
All of that happens without the user’s consent or knowledge — mSpy and its logs are only visible to the person who installed the app.
mSpy markets itself as a parental monitoring tool, which is what convinces some people that it’s acceptable. But there are a couple of problems with this line of thinking.
For one thing, as we’ve seen with Apple’s controversial rollout of CSAM scanning, the things we do “for the children” can often have unintended security and privacy consequences for everyone else.
But beyond that, “parental monitoring” apps can easily be repurposed to spy on spouses and significant others. This is a form of abuse in itself, and can lead to physical forms of domestic violence.
In recent years, the cybersecurity community has been trying to raise awareness about tech-enabled abuse — and fight back against it. To learn more about the issue, and to find out what to do if an abusive partner or stalker has installed a spyware app on your device, see our blog post entitled “What is Stalkerware?”.
Insecure by design
Needless to say, we don’t think that anyone should be making money off of an app like mSpy — or using it to spy on the people in their lives. But in addition to ethical concerns, there are also security problems that come with being an mSpy user.
As we noted just about four years ago on Checklist 48: All About Spyware:
Spyware offerings from mSpy, Spyzie, Highster Mobile, and others all work by using iCloud backups to gain access to data from the target iOS device. Basically, you provide the spyware vendor with the Apple ID and password for the iOS device you want to monitor. Then, the company uses that information to snag copies of the data uploaded automatically when iCloud backup is enabled on the target device. From there, the spyware vendor can provide you with pretty much any data that’s been backed up, including text messages, call history, photos, videos, emails, browser history, and so on.
Now, it’s important to understand how this is working on a technical level. This isn’t just remote screen sharing. Rather, the information is being collected and then sent to the person who installed the spy app. And that means that a lot of very personal information is passing through mSpy’s servers.
As longtime listeners of The Checklist will immediately realize, this opens up the possibility of data loss. And unfortunately, in the case of mSpy, that’s more than just a hypothetical.
Back in 2018, KrebsOnSecurity reported that mSpy had leaked millions of records. According to Krebs, those records included things like “passwords, call logs, text messages, contacts, notes and location data” collected from devices running the app. The records also contained information about the people who purchased the app, including personal information, transaction details, and more.
Bottom line? If you use a spyware app to collect personal information about someone else, you risk exposing that information. If you’re thinking of using such an app to monitor your child, be aware that you’re going to be exposing their data to the spyware company. In addition, consider that the spyware company, through its own weak security practices, may be exposing that data to the world. For a discussion of the issue in more depth, along with our recommendations for alternatives, see Checklist 140: To Track or Not to Track.
Burying the lede
Finally, we wanted to take a look at an App Store story (or non-story) that’s been in the news this week.
An organization called Campaign for Accountability has released a study which has received quite a bit of coverage in the Apple mediasphere. The headlines were pretty shocking. Apparently, Apple’s “app store loopholes” are putting children at risk. This, we’re told, is due to “major weaknesses” in the App Store that allow minors to access adult content.
So what was this “study”? Campaign for Accountability created an Apple ID as a 14-year-old user. They soon found that they were able to download multiple App Store apps including pornography, gambling, dating, and hookup apps. All they had to do was confirm that they were 17+.
However, the study seems a little less shocking when you realize that the researchers didn’t actually activate the parental controls on their hypothetical 14-year-old’s account!
It’s definitely worth asking why an Apple ID linked to a 14-year-old is allowed to claim that the user is 17+. And it’s also reasonable to investigate how Apple could better regulate the App Store. But this study has the feel of someone who complains that seatbelts don’t work when you don’t put them on!
That brings us to the end of this week’s Checklist. For more security and privacy tips, visit our archive of past shows. If you have a question that you’d like us to answer on a future episode of the podcast, write to us!