Apps designed to be used to spy on mobile device users already exist in murky-ethical territory. Even if the people you’re spying on are your children, your partner, or others, if you trust a spyware developer to be careful about your privacy, you may be unpleasantly surprised.
In early September, people who use mSpy’s iOS apps to spy on other users have found their spying data, passwords, and their mSpy transaction history exposed in a publicly accessible web database which doesn’t require any sort of authentication. This is the second known mSpy data breach since 2015. The database from the 2018 breach was taken offline in early September.
mSpy is legally sold software, and an app must be deliberately installed on the devices that you want to spy on, in a way which requires physical access. If a malicious cyber attacker wanted to use mSpy, they’d absolutely need to be able to have their hands on your phone for a few minutes.
Using mSpy requires a subscription fee. This fee ranges from $29.99 for one month to $203.88 for twelve months, with three different service tiers. The basic tier includes GPS location data access, locally stored photos and videos, email, call history, and SMS access, web browsing history, and knowledge of installed applications.
The premium tier, which requires jailbreaking the iOS device you want to spy on, includes all of the basic features plus a keylogger, WhatsApp, Facebook Messenger, Skype, and Snapchat access, WiFi usage information, geofencing, call blocking, alerts of uninstalls, and unlimited changing of spied devices.
Security researcher Nitish Shah brought news of mSpy’s latest data breach to Brian Krebs’ attention. The information that was leaked in the publicly accessible web database included usernames, passwords, encryption keys, and Apple iCloud authentication data. The leaked encryption keys enabled access to the spyware-acquired data that only paying mSpy users were supposed to have access to on the devices they set up to monitor.
The breached data is from iOS users who have used mSpy at least once in the last six months. The specific number of affected users isn’t available, but Krebs says they number in the millions. Shah said that mSpy’s developer ignored his warning about the latest breach.
Shah said, “I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security.”
An individual who simply gave their name as “Andrew,” claiming to be mSpy’s Chief Security Officer, said to Krebs, “We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted, and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”
But this 2018 incident is mSpy’s second known data breach in merely three years. That doesn’t give me a lot of faith in their attitude toward the security of their paying users.
The first known data breach was in May 2015. The database with the data from that breach was on the Dark Web and only accessible through Tor. The leaked data included emails, AppleIDs, text messages, payment, and location data. At least 400,000 paying mSpy users were impacted, with about 145,000 financial transactions exposed. mSpy representatives flat-out denied the breach for about a week.
You can security harden against having mSpy used on you by setting up a lock screen on your phone which requires authentication in order to be accessed. iPhone X recently debuted Apple’s FaceID biometrics, which if deployed properly would make it even more difficult for someone to put an app like mSpy on your phone.
Depending on where you live and some other factors about how you use spyware, software like mSpy can be legally murky. StealthGenie is very similar spyware, and the company’s CEO Hammad Akbar was arrested in September 2014. Regarding the matter, U.S. Attorney Dana Boente said, “advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners.”
So, my advice can be summed up like this. Watch your phone’s physical security (know where it is at all times) and set up a lock screen with a good authentication vector. Also, don’t trust spyware app developers. Any developer that wants to enable you to do something that could be legally or ethically controversial may be similarly unethical or reckless toward their own customers.