The Simple Way Apple and Google Let Domestic Abusers Stalk Victims
Credit to Author: Andy Greenberg| Date: Tue, 02 Jul 2019 14:50:40 +0000
One morning a couple of weeks ago, I handed my iPhone to my wife and asked her to help with a privacy experiment. She would use my handset to track my location for the next few days, and with only the software I already had installed. Like a lot of couples, my wife and I know each other's phone PINs. So I left her with the device as I walked into our bathroom to take a shower, simulating an opportunity that I figured would present itself daily to snooping spouses.
I'd barely turned on the water before she handed the phone back to me. A few seconds had passed, and she had already configured it to track my location, with no notification that it was now telling her my every move.
I'd embarked on this strange exercise with the blessing of a group of researchers who focus on the scourge of "stalkerware," a class of spyware distinguished by the fact that it's typically installed on a target device by someone with both physical access to the phone and an intimate relationship with its owner. Often explicitly marketed as a way to catch a cheating husband or wife in the act, these programs have become a tool of domestic abusers and angry exes—a breed of hacker who often possesses practically zero technical skills but does have plenty of opportunity for hands-on tampering with a victim's handset. Perpetrators can install these apps, also sometimes known as spouseware, to monitor where their targets go, who they communicate with, what they say, and virtually every other part of their life the phone touches.
After years of neglect, the antivirus industry has finally begun to recognize stalkerware's danger and flag the apps as malicious, a development that's long overdue given that a quarter of women in the US and one in nine men experience some form of physical abuse or stalking by an intimate partner.
But antivirus alone may not be enough, one group of researchers at Cornell Tech and NYU warned me. Abusive phone-snooping, they point out, doesn't necessarily require software explicitly built for that purpose. Mainstream app stores are well-stocked with what those researchers call dual-use applications. These are apps that advertise features for a legitimate purpose—such as letting families consensually track one another for convenience or safety, or for locating stolen and lost devices—but can easily be abused by stalkers who install them without their target's knowledge, or to secretly change the configuration of those apps to share the victim's location or data.
The researchers documented the prevalence of those tracking apps in a study last year, based in part on their work helping abuse victims in partnership with the New York City Mayor's Office to End Domestic and Gender-Based Violence. "When we’re onsite and looking at these cases, it’s a lot of what we’re seeing," said Cornell researcher Diane Freed.
With a few seconds of physical access to a phone, even apps as common as Google Maps and Apple's Find My Friends can be tweaked to persistently share a user's location with another contact while offering the phone's owner no notification or warning, the researchers told me. "It's not the presence of some app on your device that’s disconcerting, it's that it might be configured in some way that you weren’t aware of and didn’t agree to," said Sam Havron, another Cornell researcher.
It was with that idea in mind that I handed my iPhone to my wife that morning, and again every morning over the following few days. Without showing me what she was doing, she would change some configurations on common apps I already had installed on the phone and hand it back to me. Then I would go about my life and watch my phone for any signs that I was being tracked.
Before writing about this, I consulted with the same NYU and Cornell Tech researchers to ask if they thought it would be ethical to share these results, or if I would be helping abusers more than victims. They discussed it and told me to go ahead, noting that guides for abusers who want to secretly track their partner's phone are already all too easy to find online. "Our conclusion is that the pros outweigh the cons," Havron wrote in an email.
So I went forward with my experiment. Here's what I found.
Day One, Glympse: After my wife handed my phone back to me and I left for work that first day, I pulled out my phone on the subway to send her some pictures of our toddler. I immediately saw that she had sent herself a text message from my phone that read "Here is a Glympse of my location," with a link to Glympse.com. That link-texting is the default method of sharing your location with the app Glympse, a popular location-sharing app that I keep on my phone (although I've rarely used it since Google Maps began offering the same feature). My wife could have easily deleted this text message, but I figured she was still warming up. I left the app running nonetheless, but it was so power-hungry that by that afternoon it sent me a notification that it was disabling itself to preserve the remaining 20 percent of my battery.
Meanwhile, my wife found that Glympse's location tracking was so low-resolution, it revealed only that I was at home and then at the office, before devouring my battery and turning itself off. Even if battery life was no issue, she would have had to access my phone again and reactivate location sharing after 12 hours, the maximum amount of time Glympse allows.
Day Two, Google Maps: After the same morning routine of handing my phone over to my wife, I got on a bike and headed to a hacker conference a few neighborhoods away in Brooklyn. As I rode, my wife sent me periodic text messages guessing at my destination, until she figured out it was the conference—despite my not having mentioned it. It was only that evening, while I was taking our kid to a playground and my phone was losing power, that I went hunting through various app settings to preserve my remaining battery and found that she'd turned on Google Maps location sharing. That entire day, I had seen no other sign that location sharing had been turned on in any app.
Days Three and Four, Apple Find My Friends: My wife's tracking continued, but now without any noticeable drain on my battery or any other hints of my phone's betrayal. I did not leave my apartment for the entire third day, perhaps an indictment of my life's excitement level. But on the morning of the fourth day, my wife watched me head into Manhattan on the subway for a two-hour meeting at NYU's journalism school—"or maybe having an affair!" as she described it later, a little too gleefully. I correctly guessed by process of elimination and then confirmed by looking at my phone's settings that she had turned on location sharing via Apple's Find My Friends app, a tool included by default in iOS for sharing your location with friends and family. Find My Friends seemed to offer me no warning whatsoever that its settings had been changed to beacon my location to her in real-time.
Of course, it's simple to detect that someone is tracking you via one of these apps if you're suspicious enough to check in the first place. But if I hadn't knowingly been part of an experiment, I could easily have gone weeks or months without ever thinking to look at the location-sharing settings in Google Maps or Find My Friends. (See the bottom of this story for tips on how to check these settings yourself.)
After my experiment was over, I reached out to Glympse, Apple, and Google. Glympse didn't respond to multiple requests for comment. As for Apple and Google, each company told me about measures it had taken to warn unwitting location sharers. Google wrote in a statement that it had consulted with the domestic violence group Community Overcoming Relationship Abuse about how to handle location sharing. As a result, it does start sending users email notifications that can't be unsubscribed from, sent at unpredictable intervals to foil abusers who might have the phone in hand. Those notifications, Google says, start 24 hours of their location sharing being turned on, and continue "frequently thereafter"—though clearly not frequent enough for me to have seen those notifications during the day my wife had used Google Maps to track me.1
"The traditional threat model is stranger danger. This kind of attack just hasn’t been on their radar."
Damon McCoy, NYU
Apple, meanwhile, explained that when a new contact is added in Find My Friends, the location sharer sees a notification in their Messages history with that contact that can't be deleted. But in my wife's case, I had already added her as a contact in Find My Friends at some point in the past, but later turned off location sharing altogether in the app, since that seemed like the most straightforward on-off switch. When my wife flipped that switch back on during the experiment, it didn't generate a notification, allowing her to start snooping again with no warning.
Even worse, when my colleague Lily Hay Newman and I began testing Apple's notifications by adding and deleting each other from Find My Friends, we found a method that seemed to allow anyone to add themselves as a contact in Find My Friends without any notification to the phone's owner, circumventing Apple's safeguard. I won't reveal details here to avoid enabling stealthier stalking. Apple confirmed to me that it was aware of the issue but didn't acknowledge that it represented a problem and didn't respond to my question as to whether or how it intends to fix it.
Apple did tell me that in the new version of Find My Friends in iOS 13, which will now be known as Find My, the app will offer one more safety feature: When a user sets up a "geofence"—an option that sends an alert when a person they're tracking enters or leaves a certain place—the location sharer will now get the same undeletable notification in Messages. Otherwise, the company says, the new location-sharing app's safeguards will function much like the old one.
When I told the Cornell Tech and NYU researchers about the results of my tests and the companies' responses, they argued that none of them have sufficiently considered this dead-simple way to abuse their apps. "Yes, companies are starting to think about this, but it’s tricky and there are edge cases," said NYU researcher Damon McCoy, arguing that the companies' current "bandaid" solutions aren't enough. "They’ve built products that aren't resilient to this kind of attacker."
The researchers point out that Glympse, Google, and Apple could all do more to notify or remind users that they're sharing their locations. An immediate push notification or email that warns the user that their location is being shared might be useless, since the abuser who still had access to the device would be able to quickly delete it. But if that warning came several hours later—still sooner than Google sends one—and then was periodically repeated with a certain frequency, it could be far more effective. "You want the prompt to come at some time after the abuser’s window of opportunity," Cornell's Havron said.
But the researchers were adamant that the issue of someone with physical access to a device abusing legitimate software goes well beyond any single company, or even just location sharing. Tech firms, they argue, need to take into account that the user's biggest privacy threat may have access to the phone at times, may know its PIN, may even be sleeping on the other side of the bed—and companies should design their systems accordingly.
"The traditional threat model is stranger danger. This kind of attack just hasn’t been on their radar," McCoy says. "This is not just a Google problem or an Apple problem. This is endemic to computer security in general."
Need help? You can call the National Domestic Violence Hotline at 1-800-799-7233, or visit their website at thehotline.org.
1Updated 7/2/2019 4:30pm EST to clarify elements of how Google notifies users whose location is being shared in Google Maps.