The Federal Trade Commission has taken its first action against the developers of three “stalking” apps that it alleges could monitor users without their consent and created security vulnerabilities for victims’ devices. The regulatory crackdown isn’t much more than a nudge to be slightly less shitty, but hey, it’s a start.
The FTC alleges in a complaint that James N. Johns, Jr. and Retina-X Studios developed three apps—MobileSpy, PhoneSheriff, and TeenShield—that were marketed as tools to monitor the GPS locations and onscreen activity of children or employees. The FTC alleges that in order to install these apps on users’ phones, an individual would need physical access to the phone and often needed to jailbreak or root it.
Once the app was installed, it would appear as an app on the device, as you would expect. But the FTC alleges that all of the apps instructed individuals on how to remove the icon and allow the app’s user to monitor the device’s activities without the target’s consent or knowledge.
According to the complaint, after installation, the apps could monitor everything from a device user’s location to real-time screenshots of their activity, including their browser history as well as texts and call history, through a remote dashboard on another device. With access to such information, the FTC alleges, a stalker could potentially also access and take over a victim’s financial accounts, for example in cases of domestic abuse. The complaint alleges that the apps didn’t ensure that purchasers were using them for the intended purpose—employee and child monitoring—thereby allowing just about anyone to use them for stalking purposes.
Because the apps often required a jailbreak, the FTC alleges that they put the phone at increased risk of security vulnerabilities (in addition to likely voiding any warranty in place). But worse, the agency says data collected by the apps wasn’t adequately secured, and that Retina-X stored photos taken of users’ phone activity, such as those collected through PhoneSheriff or TeenShield, in third-party cloud storage. Implementation of security standards, security testing, and oversight of third-party service providers were also overlooked, the agency said. Still, the apps claimed in their privacy policies that it was their “company policy that our customer databases remain confidential and private. … Your private information is safe with us.”
As a result, on two separate occasions, a hacker was able to access data stored by the company, according to the complaint. The first time, in 2017, the company was only made aware of the breach two months later when they were contacted by a journalist who had been notified of the issue by the hacker, according to the FTC. (Motherboard reported on Retina-X hacking that same year.) After that first incident, account credentials were “obfuscated,” but the complaint says a hacker was still able to decrypt them and access stored data a year later.
The FTC alleges that the apps violated the FTC Act with unfair and deceptive actions as well as the Children’s Online Privacy Protection Act by failing to adequately secure the data they collected on kids under 13. According to the complaint, the apps have not been available for sale since April 2018.
Retina-X Studios had not yet responded to Gizmodo’s request for comment. However, a notice dated last year that appears on the PhoneSheriff site claims that the company “has been the victim of sophisticated and repeated illegal hackings” and that it was “indefinitely” halting the sale of its apps.
“Over the past year, Retina-X Studios has begun to implement steps designed to enhance our security measures which had the positive outcome of restricting data obtained by the hackers in the most recent intrusion,” the statement says. “No personal data was accessed, but some photographic material of TeenShield and PhoneSheriff customers has been exposed. As a result, and to protect our valued customers, Retina-X Studios is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products.”
Under a proposed settlement with the FTC, Retina-X and Johns would have to be clear about the intended use of any monitoring app and would have to require every purchaser to state that they will not use it to monitor anyone other than children, employees, or adults who have otherwise consented to having the app installed on their devices. They must also require that an app’s icon appear on a child’s device unless it is expressly removed by a guardian. They are also required to institute robust security protocols and to agree to third-party assessments of those systems every two years, with the FTC having the power to choose the assessor.
“This is our first action against a so-called ‘stalking app,’” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in a statement. “Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”