Abstract
Spyware products sold to general consumer audiences are a greater threat to those who own Android devices than those who own iPhones. This is a consequence of the Android operating system being more permissive of software functionality, allowing third-party developers greater latitude to build programs of less-restrained capability. Such risks, however, are disproportionately carried by victims of family violence who are significantly threatened by the rise of spyware. This article reflects on the connections between coding choices and personal security risks, and the implications for responding to the use of spyware in the context of family violence.
Introduction
There is a growing recognition of the threat posed by spyware for victims of family violence. This can be seen with the increasing discussion of this problem in scholarly works (see for example Chatterjee et al., 2018; Citron, 2015; Douglas & Burdon, 2018; Eterovic-Soric et al., 2017; Freed et al., 2017, 2018; Harkin et al., 2019; Parsons et al., 2019; Woodlock, 2017), and within media reports (see for example Armageddon, 2017; Franceschi-Bicchierai and Cox, 2017; Greenberg, 2019; Koebler, 2017). Similarly, it is an issue of notable concern among the family violence advocacy sector with many services such as the Women’s Services Network (WESNET, 2019a) in Australia and the National Network to End Domestic Violence (NNEDV, 2019) in the United States now providing online support and guidance on how to diagnose, respond to, and protect yourself from abusive spyware.
What has been missing from the discussion on the threat of smart phone–based spyware thus far, however, is a recognition of the implications of design features for either mitigating or amplifying threat levels between Android users compared with iOS (iPhone) users. While it has been amply demonstrated that victims of family violence are vulnerable to being targeted with spyware, an under-explored dimension is that the hardware and software design features of Android devices differ significantly from those of iOS devices when it comes to enhancing or undermining the security of end-users. This article highlights and addresses this distinction and provides further theoretical and empirical insight into the underexplored connections between the differing design philosophies that underpin the coding of the Android and iOS operating systems, and their “downstream” implications for victims of family violence. As will be shown, according to Android developers, the operating system is deliberately designed to be “open” (see Open Handset Alliance [OHA], 2011a), creating greater capacity for malicious spyware to be used abusively, while iOS is comparatively “closed,” and limits the possibilities of third-party software spying or leaking confidential information.
Unpacking and highlighting the differing design features of Android versus iOS devices, and recognizing that this risk gap is connected to how the operating system is designed and coded, has implications for how the threat of consumer spyware can be mitigated in a mobile device ecosystem. More specifically, recognizing and understanding how different operating systems yield different technical possibilities is important for interpreting and diagnosing the threat level of spyware as it is used against victims of family violence. In sum, our findings indicate that victims of family violence who are Android users operate within a relatively distinct “digital world” that is more vulnerable to stealthy spyware attacks than those who use iPhones. In other words, the technical infrastructure used by individuals has acute and practical ramifications for their personal safety and security. To unpack this argument, this article will proceed over five sections. First, some background will be provided on consumer spyware and its impacts on the issue of family violence. It will be shown that spyware is an issue of significant concern for victims/survivors and practitioners working within the family violence advocacy sector. Second, details will be provided of the investigation and technical analysis into consumer spyware products that reveal the distinct risk-profile of Android versus iPhone devices. It will be outlined that we conducted research into consumer spyware products that involved elements of technical analysis and user analysis, in addition to legal and market analysis. Third, it will be detailed and demonstrated how Android is more vulnerable to pernicious spyware than iOS. There are several specific elements of Android’s design that heighten vulnerability when compared against the iPhone’s. Fourth, the difference between the operating systems will be shown to be a result of coding choices and the respective “design philosophies” of Android and Apple developers. The operating systems have distinct approaches in how “open” and “closed” they are to third-party software, and this has ramifications for the likely success of spyware being deployed in either operating-system environment. Fifth, the implications of this finding for responding to the threat of spyware in the context of family violence will be considered. There are a number of ramifications for victims/survivors, as well as software developers, for the strategies that are needed to address the abusive use of spyware.
Before proceeding, it should be understood by the reader that the claims regarding iOS and Android in this article pertain to the results of a study conducted in 2018. The development of operating-system design features is a moving, dynamic process where updates are constantly changing and adjusting the technical environment of smart phones. Likewise, previously unknown vulnerabilities can unexpectedly appear and then be subsequently ameliorated in a matter of days. Similarly, the content of App stores can change. For instance, between the fieldwork phase of this article (2018) and the final publication process (late 2019—early 2020), one of the apps under study, Cerberus, was removed by Google from its app store. As such, many of the specific findings of this research may be challenged over time as iOS and Android undergo changes. We would also like to emphasize that the information documented as part of this study should not be taken as practical hands-on information security advice. Instead, we wish to highlight the enduring consequential relationship of operating-system design choices and their practical implications for family violence. For readers who are seeking further definition of technical terms found in the article, please consult the glossary of terms (Appendix 1).
Consumer Spyware and Its Impacts on Family Violence
There is a burgeoning industry of spyware developers who sell powerful tools of surveillance to general consumers (Franceschi-Bicchierai & Cox, 2017). These products are commonly marketed to parents, businesses, and those who wish to “spy” on their intimate partner (see Harkin et al., 2019). Once a mobile phone or personal computer is compromised by spyware, a third-party “operator” can spy on the activity on that device, typically being capable of tracking the GPS location of the user, having access to confidential SMS message or phone call information, accessing any photos or video taken by the device, monitoring internet browsing activity, and in certain cases, having live access to the camera or speaker of the phone for eavesdropping, among other capabilities (Harkin et al., 2019).
While the availability of such powerful instruments of surveillance is a general threat to privacy, it is a pronounced level of threat for social groups such as children and victims of family violence. Unfortunately, it is clear that spyware is often applied and exploited within the context of intimate partner abuse. The National Stalking Helpline in the United Kingdom, for instance, received 130 reported cases of spyware in 2017 (Lyons, 2018), and estimates suggest that 29% of abuse victims experienced the “use of spyware or GPS locators” (Women’s Aid, 2018). Family violence practitioners are also witnessing digital tracking and stalking among their clients, with 74% of Australian family violence workers reporting they have seen “tracking via smartphone apps” (Woodlock et al., 2020), and 72% of family violence workers in the United States have clients who were “stalked through the use of a stalking app or GPS or location tracking device” (Southworth, 2014, p. 3). Likewise, Citron (2015, p. 1257) has detailed a number of legal cases in the United States, whereby perpetrators have used spyware to abuse partners, and Freed et al. (2018) identified three confirmed cases of spyware and 47 reported instances of tracking software when consulting with a sample of 39 survivors and 50 sector professionals.
Information provided from the consumer spyware industry also provides some sense of the scale of the issue. Hacked and leaked information from various spyware companies has revealed that “Retina-X” and “Flexispy” have at least 130,000 general-use customers (Franceschi-Bicchierai & Cox, 2017), TeenSafe has at least 10,000 subscribers (Whittaker, 2018), and MSpy has around 27,000 Americans subscribing to their service (Valentino-De Vries, 2018). Developing a comprehensive understanding of the scale and scope of spyware use is inherently difficult due to its clandestine nature, but it is apparent that it is a present danger to the privacy of phones and personal devices. While spyware may be used in several different contexts, it is clear that it is often deployed by perpetrators of intimate partner abuse, with many spyware vendors explicitly suggesting it be used against “spouses” (see Harkin et al., 2019).
The abusive consequences of spyware are also significant. Spyware, like many other forms of technology-facilitated abuse, can be used to harass, intimidate, manipulate, gaslight, stalk, and coerce victims (see Douglas et al., 2019; Dragiewicz et al., 2018; Harris & Woodlock, 2019). As outlined by Citron (2015), there are also examples of spyware used in the United States as an aid for perpetrators in the homicide of women and children. While spyware can result in physical and psychological injuries for those targeted by it, representatives from WESNET also suggest that even the perceived threat of spyware is having a demonstrably negative impact on clients of family violence services. This perception is causing some individuals to question the privacy of their phones and stoking anxiety that perpetrators are spying on their devices (whether that is the actual case or not). Understanding the mechanics and actual risks of spyware, in addition to the means of positively diagnosing the presence (or otherwise) of spyware, therefore becomes a critical task. Part of the aim of this research was to add to the bank of knowledge created by the family violence sector on the issue, and sharpen our understanding of the problem. To that end, this article outlines the distinction in weaknesses between Android and iPhone devices in the context of consumer spyware and makes an appeal toward deeper consideration concerning prevention of technology-facilitated abuse through design practices.
Before outlining the methods that were deployed by this investigation, a conceptual issue about “spyware” needs to be addressed. The term “spyware” is often used differently by different parties, and it is not clear, for example, whether the statistics cited above from various family violence services, media, and research sources, use a consistent understanding of the term “spyware.” The ability to track and “spy” on individuals can also be harnessed from social media applications, or legitimate phone features such as “Find my iPhone,” and there is a tendency to label differing objects and processes as “spyware.” This research, however, has a specific understanding of “spyware” that is limited to the following definition. A program is considered “spyware” if the following criteria are satisfied:
(a) Data are gathered remotely from a target device that would not otherwise be shared unless foreign code or software was introduced or permitted access by an operator.
(b) Data are gathered from the target device with the credible possibility that the user of the target device would not be aware of the exfiltrated information, the ongoing presence of the foreign code or software, or any permissions to disclose information.
(c) The code or software is deployed in the context of targeting a specific individual or group of individuals for the purposes of monitoring, tracking, and surveillance. It therefore does not include firmware updates, native operating-system functions, or applications that collect large amounts of data from multiple users in the user-approved course of its “normal” functioning (e.g., Facebook or other social networking services and platforms, as well as internet-of-things devices).
(d) The data being disclosed to operators about the target can be reasonably understood to include private, confidential, and otherwise intimate personal information (such as location data, private correspondence, personal photos, and passwords) (see also, Harkin et al., 2019, pp. 4–5).
Readers should note that this article adopts the above-restricted understanding of the term “spyware.” Other parties, such as domestic violence advocacy groups, may have a broader understanding of spyware that includes functions such as “Find my iPhone.” According to our definition, “Find my iPhone” is not an example of spyware because it is native to iOS and it is not “foreign” software that has been introduced to an Apple device (in this example). Likewise, while features of Apple iCloud may permit someone to gain confidential information on an intimate partner if they had their login credentials, it does not satisfy the above definition of spyware. This is not to say that “Find my iPhone” (or equivalents) do not have dangerous implications. Readers should be aware that there is a wide range of methods for tracking and monitoring an intimate partner beyond the use of spyware (as strictly defined here); therefore, the claims that follow regarding the comparative vulnerability of Android and iOS to third-party spyware are only a partial component of the overall, wider problem of countering malicious surveillance in general. This article is deliberately only focused on “spyware,” which is only one particular mechanism for facilitating technology-related stalking (see Eterovic-Soric et al., 2017 for a fuller exploration of the wider problem).
Additionally, this report is primarily addressing “consumer spyware”—that is, spyware that is sold to general consumers. This is in distinction to other forms of spyware, such as that used in contexts of law enforcement, or state and corporate espionage. There is a market for elite spyware that is offered by companies, such as NSO Group (Marczak & Scott-Railton, 2016). This form of spyware is not available to general consumers, and while a concerning phenomenon in its own right, it is highly unlikely to impact family violence victims at a significant scale. The spyware discussed in this article is limited to the products available to large numbers of consumers at relatively low cost, and accessible on open markets.
Methods
The findings presented in this article come from a larger research project examining the consumer spyware industry. Between January 2018 and June 2019, the authors were funded by the Australian Communications Consumer Action Network (ACCAN) to undertake an investigation into the consumer spyware industry that comprised multiple research elements. Focusing exclusively on spyware sold for mobile phones, the authors conducted a market analysis of the scope of the spyware industry, along with a content analysis of the websites and marketing materials of nine chosen spyware products (see Harkin et al., 2019). Furthermore, the authors also conducted analysis of the privacy policies of the spyware vendors included in the sample, and a legal analysis examining which laws were relevant to the misuse of spyware in Australia’s various legal jurisdictions (Molnar & Harkin, 2019).
This research project also featured two different forms of technical analysis. First, a sample of nine spyware products was subjected to digital forensics analysis by the Sydney-based security consultancy firm, HackLabs. The HackLabs component of the research focused on examining how the spyware works at a programmatic level on the device, in addition to how it operates at a network level. Second, and of more relevance to the findings discussed in this article, the authors conducted user analysis on a sample of spyware products. The user analysis involved the authors purchasing eight different spyware products and placing them on Android and iOS devices (depending on the operating system for which they were available). Whenever they were available on both operating systems, an attempt was made to test and observe the spyware in both operating-system environments, to systematically note empirical differences in functionality.
The purpose of the user analysis was to observe how spyware functions from the perspective of the consumer (which we subsequently term “the operator”), and also the “target” of the spyware. We wanted to explore how potential perpetrators of abuse would buy and install the software, and likewise, we wanted to observe how the target would experience spyware being on their phone. To do this, we purchased spyware licenses for eight different products (including both the unique iOS and Android versions of MSpy and Trackview) and installed the software on smartphone handsets. The research team had access to two different Android handsets (one Samsung Galaxy S7 with Android, version 7.0, and one Samsung S9+ with version 8.0) and two different iOS handsets (one iPhone 5 with iOS 10.3.3 and one iPhone X with iOS 11.2).
Once the spyware was successfully installed onto a particular device, we would generate a range of “spoof” data such as making phone calls, sending SMS messages, taking pictures, recording videos, partaking in Voice over Internet Protocol (VOIP) calls, generating internet browsing data, and also utilizing dummy social media accounts for Facebook, Twitter, and Instagram activity. Likewise, the research team also simulated “tracking” scenarios, by having one team member journey to particular locations and observe whether the spyware successfully tracked the location in real time or not. In these situations, we also tested the program’s abilities to remotely access the cameras and microphones of the handset. This stage of the user analysis continued until we exhausted the functionality of the spyware and observed whether all of its advertised functions worked or not. Most of the spyware was also observed over several days to note whether its functionality was resilient or deteriorated in any way. Once the team was satisfied that we had tested and explored the full functionality of the particular spyware product, we reset the device and prepared it for the next spyware installation. Table 1 provides an overview of the spyware we observed and evaluated via this user analysis:
Table 1. Overview of Spyware Tested in Specific Operating Systems.
This type of user analysis gave us a strong sense of the ease of installing spyware on particular devices, the level of skill required, the extent of “stealth” the spyware could obtain, a sense of robustness of particular spyware threats, and, ultimately, an understanding of how cooperative and accommodating the respective operating systems were to the spyware’s ability to operate without consent and attain confidential information. This research, therefore, incorporated forms of technical research methods that are generally uncommon in social scientific research. As has been noted elsewhere, humanities research will need to experiment with new methodological approaches in order to understand lived experiences and phenomena that are increasingly “digitized” (see for example Hallett & Barber, 2013; Murthy, 2008). Our spyware user analysis, therefore, reflects a necessary adaptation to account for such new threats and practical avenues for the prevention of abusive and violent harms brought about through technological affordances.
Results: Androids Are Currently More Vulnerable to Spyware Than iOS
It was clear from the user analysis that the Android operating system was more vulnerable to malicious consumer spyware threats when compared with iOS. As will be shown, the respective operating systems of Android and iOS differed significantly in how permissive and accommodating they were of consumer spyware extracting private information from the device. Our experiment revealed that it was relatively easier to potentially “spy” on an Android user without their knowledge than an iPhone user. As outlined earlier, this has significant ramifications for victims of family violence. The specific ways in which the Android environment is more “vulnerable” than the iOS environment are detailed here. It is more “vulnerable” in several different senses:
(a) Apps available on the Google Play Store are more “stealthy” than apps available on the Apple App Store.
Both operating systems are linked with official stores that can be used to source third-party applications. In the Android environment, this is the Google Play Store, and in the iOS environment, this is the Apple App Store. While both official app stores have policies that prohibit malware and deceptive software from being sold (see Khoo et al., 2019), previous research has identified apps that violate policies around deceptive conduct present in the Google Play Store (see Chatterjee et al., 2018). The current research also confirmed the presence of deceptive applications within the Google Play Store.
As a prime example of this issue, this research downloaded “Cerberus” from the Google Play Store (in September 2018). Cerberus offers a range of spyware capabilities including live GPS tracking, remote access to the camera, SMS messages capture, and other features such as scooping up call-log information. Crucially, however, it is easy to hide the presence of Cerberus once it is on the device, and thus, for Cerberus to stealthily operate in the background without the target’s knowledge. Cerberus can be easily hidden because the third-party software can remotely send a command to the Android operating system to remove the app icon from the device’s home screen, and then a number of steps can be taken to hide other notifications relating to the app’s functionality and presence. As mentioned earlier, Cerberus has since been removed from the Google Play Store, but the point remains that apps on Android devices can be hidden from the home screen, thus offering significant stealth potential.
Conversely, apps on the Apple App Store do not have the same latitude of stealth. First, iOS is designed to ensure that all apps have a visible icon on the home screen. There are no legitimate mechanisms for hiding app icons within an iPhone (although there is an option to put an app icon in a “drawer”), and therefore suspicious applications ought to be discoverable through a visual audit. Androids, on the contrary, have multiple pathways and options for “hiding” apps. Second, iOS is also designed to be reluctant to provide third-party applications with access to the handset functionalities such as GPS without providing the user with conspicuous reminders that this is the case. For example, this research installed Trackview on an iPhone X from the Apple App Store. While Trackview can be granted permission initially to access the GPS data on the handset (see Figure 1, picture on the left), iOS will send periodic reminders to the user that Trackview is using this GPS data, thus undermining its ability to operate stealthily (see Figure 1, picture on the right).

Figure 1 showing Trackview being granted permission to use (and distribute) the GPS location information of the device (picture on the left), but also, the iOS sending push notifications to the user to ensure they are reminded that Trackview has been tracking the phone.
Trackview for Android, however, can be installed and hidden relatively easily, allowing for stealthier tracking of a target device. In this regard, apps from the Apple App Store have significantly less capacity to act in a stealthy or hidden manner compared with apps available from the Google Play Store. The Android operating system provides for several ways to hide third-party applications, while iOS makes it much harder to have third-party applications present that can be hidden by a malicious actor/abuser.
(b) Consumer spyware that can be sourced from the Google Play Store has a broader range of concerning functionalities.
Furthermore, applications sourced from the Google Play Store can perform a much wider range of functions than apps sourced from the Apple App Store. While Cerberus was still available from the Google Play Store, the Android operating system would grant the app permission to access a range of significant functions. For example, Cerberus allowed the operator to remotely send a spoof SMS from the compromised handset to a third party. It also provided the operator the ability to send messages directly to the device, which causes the screen to white-out and then display a message from an unknown source, and notably, Cerberus also had the ability to cause the compromised device to entirely reboot and wipe its memory. It is obvious to see how these various functions could be used in an abusive context to harass, gaslight, and intimidate a target. The crucial point to note here is that the Android operating system easily grants these permissions to third-party software, which cedes significant control over the device and leaks confidential information to unknown sources. Figure 2 shows the broad range of permissions that Android is willing to provide to third-party software sourced from the Google Play Store. While Cerberus has been removed from the official Google Play Store, it is still available to Android users as a direct download (see point [d] below), and the point remains that the Android operating system allows third-party software significantly more permissions to access key functionalities. It should be noted that an abuser can “allow” these permissions during the installation process and that the existence of these permissions would be subsequently unapparent to the device’s legitimate user.
(c) An iPhone requires a jail-break to match the stealth and power of consumer spyware available on the Google Play Store

Figure 2 showing third-party software (Cerberus) being granted permission to access sensitive data and granted control over core handset functionality. This includes the ability to take pictures or video remotely, to make phone calls, access confidential files, send and view SMS messages, and to modify system settings.
It is technically possible to also compromise iPhones to the extent that Androids can be compromised. However, apps downloaded from the Apple App Store do not have the level of strength, ability, or stealth of Cerberus in the Android environment. To match the “stealth” and range of capabilities to spy on an iPhone, a jail-break is required. Jail-breaks, however, require a number of steps to be put into place. The perpetrator would need to have sufficient skills and know-how in jail-breaking, the handset would need to have a sufficiently old version of iOS, and the perpetrator would also need to know certain confidential passwords, in addition to having a reasonable amount of time with the device to install the software. While it is conceivable that these factors would be present in the context of an abusive intimate partner relationship, the various barriers—most notably the requirement for a dated version of iOS—at least diminish the prospects of this type of attack being deployed successfully. At the very least, it makes it more difficult to spy with the strength and stealth that is more easily available on Android devices. Furthermore, unlike apps downloaded from the Google Play Store, the reliability of jail-breaks can often be inconsistent and may break upon restarting the handset, thus demonstrating a lower level of durability than comparative Android threats.
(d) Android allows users to download consumer spyware from “unknown sources” directly from the web
While Chatterjee et al. (2018) have identified a large number of apps available on the Google Play Store that could be used in an abusive intimate partner violence context, it should also be noted that the Android operating system permits users to download applications (APK files) directly from the web from “unknown sources” (see Figure 3). This allows spyware developers to work around the official Google Play Store and sell directly to users. This heightens the vulnerability of Android users. iOS does not allow third-party software to be installed onto an iPhone from such unknown sources (a jail-break is required).

Figure 3 showing Android permitting a download of an APK file directly from a spyware-vendor’s website.
(e) iOS has been designed to highlight suspicious behaviour
Finally, while iOS systems are also conceivably vulnerable to “iCloud capture” attacks, whereby iCloud backup data are shared with an unknown server for the purposes of spying (see for example, TeenSafe), iOS is sufficiently suspicious of the device sharing information with an unknown server and may send a push notification to demand password changes, which disrupts this attack (see Figure 4 showing iOS push notifications requesting password changes). In this regard, because iOS detects instances where confidential data are shared with unknown servers, it takes steps to force the user to change passwords, which undermines the capability of the spyware.

Figure 4 showing iOS sending push notifications about suspicious account activity when an “iCloud Capture” attack is underway. iOS forces an Apple ID password change which breaks this type of spyware threat.
In summary, the various forms of vulnerability in the Android operating-system environment, and the comparative level of difficulty of placing stealthy consumer spyware on an iOS device, lead to a situation where Android users are, in general, at a higher risk level of spyware being maliciously deployed on their device without consent when compared with iPhone users. It therefore can be considered that Android users inhabit a different “digital world” than iOS users, with a higher threat profile. This has significant ramifications for family and domestic violence. As will be explored in the rest of this article, it is how these operating systems are designed and the rationales that were applied in their creation that result in these significant risk disparities for victims of family and domestic violence.
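As an added illustration (not part of the original study or its tooling), the Android-side traits described in points (a), (b) and (d) can be combined into a simple triage check over an inventory of installed apps. The record fields, package names, weights and threshold below are assumptions constructed for this example; only the permission names and the Play Store installer name are real Android identifiers.

```python
"""Triage an Android app inventory for the traits discussed in points (a), (b), (d).

Added example. The inventory is constructed sample data, and its field names
(package, installer, has_launcher_icon, granted, system) are assumptions about
how an examiner has already exported the information from a handset.
"""
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play installs

# Android permission names grouped by the capabilities the article lists.
SENSITIVE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.CALL_PHONE"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE"},
    "settings": {"android.permission.WRITE_SETTINGS"},
}


@dataclass
class Finding:
    package: str
    score: int
    reasons: list = field(default_factory=list)


def capabilities(granted):
    """Return the sensitive capability groups covered by the granted permissions."""
    granted = set(granted)
    return sorted(name for name, perms in SENSITIVE.items() if perms & granted)


def triage(app):
    """Score one third-party app record; a higher score means review it first."""
    caps = capabilities(app.get("granted", []))
    score, reasons = 0, []
    if len(caps) >= 3:  # point (b): broad range of functionality
        score += 2
        reasons.append("broad sensitive access: " + ", ".join(caps))
    # Point (a): a missing icon is normal for keyboards or widgets, so it only
    # counts when the app also holds at least one sensitive capability.
    if caps and not app.get("has_launcher_icon", True):
        score += 2
        reasons.append("no home-screen icon despite sensitive access")
    if app.get("installer") != PLAY_STORE:  # point (d): "unknown sources"
        score += 1
        reasons.append("not installed by the Play Store")
    return Finding(app["package"], score, reasons)


def review_list(inventory, threshold=3):
    """Return findings at or above the threshold, highest score first.

    Preinstalled system apps are skipped, mirroring criterion (c) of the
    article's definition, which excludes native operating-system functions.
    """
    findings = [triage(a) for a in inventory if not a.get("system", False)]
    flagged = [f for f in findings if f.score >= threshold]
    return sorted(flagged, key=lambda f: (-f.score, f.package))


P = "android.permission."
# Constructed sample inventory (all package names are hypothetical).
INVENTORY = [
    {"package": "com.example.flashlight", "installer": PLAY_STORE,
     "has_launcher_icon": True, "granted": [P + "CAMERA"]},
    {"package": "com.example.maps", "installer": PLAY_STORE,
     "has_launcher_icon": True,
     "granted": [P + "ACCESS_FINE_LOCATION", P + "RECORD_AUDIO",
                 P + "READ_EXTERNAL_STORAGE"]},
    {"package": "com.example.antitheft", "installer": PLAY_STORE,
     "has_launcher_icon": False,
     "granted": [P + "ACCESS_FINE_LOCATION", P + "CAMERA", P + "READ_SMS"]},
    {"package": "com.example.sysservice", "installer": None,
     "has_launcher_icon": False,
     "granted": [P + "ACCESS_FINE_LOCATION", P + "READ_SMS", P + "SEND_SMS",
                 P + "CAMERA", P + "RECORD_AUDIO", P + "READ_CALL_LOG"]},
    {"package": "com.example.keyboard", "installer": PLAY_STORE,
     "has_launcher_icon": False, "granted": []},
    {"package": "com.example.game", "installer": None,
     "has_launcher_icon": True, "granted": []},
    {"package": "com.example.oemdialer", "installer": None, "system": True,
     "has_launcher_icon": True,
     "granted": [P + "CALL_PHONE", P + "READ_CALL_LOG", P + "READ_SMS"]},
]

if __name__ == "__main__":
    for f in review_list(INVENTORY):
        print(f.score, f.package, "; ".join(f.reasons))
```

A Play Store origin does not clear an app in this scheme: the constructed `com.example.antitheft` record is flagged on stealth and breadth alone, which matches the article's observation that store-sourced apps could be hidden.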
“Design Philosophies” of Operating Systems
The differing risk levels of being successfully targeted with consumer spyware between Android and iOS users are a consequence of the Android operating system being regarded as “open,” while iOS is often regarded as “closed.” The terminology of “open” and “closed” is found in general tech-reporting and user commentary (see for example Hoffman, 2017), but is also reflected in how the developers talk about their own operating system. Android developers, for instance, have been explicit in the past about regarding their operating system as “open” (OHA, 2011a). This is most clearly observed and articulated within materials produced by the “Open Handset Alliance” which is a group of 84 technology and mobile companies who developed Android (OHA, 2011a). According to the OHA, “each member of the OHA is strongly committed to greater openness in the mobile ecosystem” which they see as “(enabling) everyone in our industry to innovate more rapidly and respond better to consumers’ demands” (OHA, 2011b).
There are several specific reasons that Android is considered “open” relative to iOS (and that iOS is considered “closed” relative to Android). For instance, the Android operating system is an open-source program with developers capable of accessing the operating system for free with the ability to modify and customize the operating system (see Android Open Source Project, 2019). iOS, on the contrary, is a closed proprietary system and the source code is hidden from the public. The iOS environment is also “closed” in the sense that, as outlined above, it only accepts software funneled through the Apple App Store, while Android allows installations from open-web “unknown sources.” The Android environment also allows users greater capacity to customize various aspects of their phone’s presentation, such as the home screen, fonts, and icon sizes, while Apple specifically curates many of the design and user-interface elements of its products, “closing” off a certain degree of customizable options from users. Moreover, and more importantly, as demonstrated above in Figure 2, Android affords third-party applications a lot more freedom to access various functionalities on the handset. Such openness and freedom afforded to third-party developers is a deliberate design choice, articulated here by the OHA:
“Android was built from the ground-up to enable developers to create compelling mobile applications that take full advantage of all a handset has to offer. It was built to be truly open. For example, an application can call upon any of the phone’s core functionality such as making calls, sending text messages, or using the camera, allowing developers to create richer and more cohesive experiences for users.” (OHA, 2011c)
An unintended consequence of this level of openness, however, is that consumer spyware developers can create potent tools of abuse that take advantage of that “open” operating system design. The “open” posture of the operating system allows spyware to be easily loaded onto the device, gain access to core functions, access sensitive and confidential information about the user, and extract data with a concerning degree of permitted stealth. It should be noted that the operating system of Android was designed to be this way, and it was an intentional coding choice that permits third-party software such a high level of freedom. Revealingly, the OHA even suggested that third-party developers could easily repurpose Androids as a mechanism for tracking other individuals:
“With Android, a developer can build an application that enables users to view the location of their friends and be alerted when they are in the vicinity giving them a chance to connect.” (OHA, 2011c)
This quote, for instance, reflects the Android developers’ emphasis on allowing developers (in this context, spyware developers) the technical capability to access critical functions and confidential data on the phone, which is prioritized over and above associated privacy implications (which are critical personal security matters for victims of family violence). In this respect, Android developers choose to “open” the Android platform to technological possibilities such as sharing location information permissively, as opposed to “closing” the platform to protect user privacy from third-party software. The crucial point here, however, is that Android was purposefully designed this way, and its developers deliberately adhere to a design philosophy that emphasizes “openness” in their environment, which is beneficial to consumer spyware developers, but unfortunately, has ancillary security consequences for victims of family violence.
While Android is self-defined as an “open” platform, Apple, in contrast, is comparatively “closed.” As demonstrated in the previous section, iOS is much more restrictive of third-party software entering the environment (only permitting access through the curated Apple App Store), and much less permissive of third-party software gaining access to functions on the device or any sensitive data (while also raising more alerts to users that their critical data are being shared). For consumer spyware to be deployed surreptitiously in the iOS environment, a jail-break is required. This is largely a result of Apple’s “design philosophy” and their deliberate approach to designing an operating system that is coordinated in a centralized way. As expressed by current CEO of Apple, Tim Cook, “we believe that we need to own and control the primary technologies behind the products we make” (Cook, 2009 cited in Business Insider, 2011), emphasizing Apple’s desire to closely “control” the environment they create and restrain the capabilities of third-party developers. While Apple has been less explicit than Android developers around the facets of their “design philosophy,” many commentators agree that their approach amounts to a more “closed” stance when compared with Android. Apple grants fewer technical possibilities to developers, and places greater restraint on what is permissible from an end-user perspective (see for example, Hoffman, 2017; Ingraham, 2016; Vaughan-Nichols, 2018).
The crucial point here is that operating systems are designed to be the way they are. The software infrastructure is built in a way that reflects the “design philosophies” of their creators, and those creators have views on how “open” or “closed” they want their operating system to be for third-party developers. The decision from Android to be more “open,” in the circumstance discussed here, affords consumer spyware developers and abusive partners greater latitude to exploit the device for spying purposes. By contrast, the decision from Apple to be more “closed,” inadvertently restrains and restricts the ability of abusers to maliciously target iOS users through the use of consumer spyware. The competing design philosophies that underpin these operating systems have “downstream” impacts on the personal safety and security of victims of family violence, which were perhaps unconsidered when they were being developed.
Discussion: Implications for Strategies of Protection for Victims of Family Violence
Illustrating the connection between the “design philosophies” of smart phone operating systems and the potential risks of consumer spyware being deployed successfully against a target has a series of important implications for victims of family violence and the subsequent strategies required to counter the threat of spyware in this context. The rest of this article will discuss these implications in turn:
(a) Owners of Android devices are at greater risk of consumer spyware than iPhone users.
As outlined earlier, Android users operate within a “digital world” that has more vulnerabilities to consumer spyware than iPhone users, and thus carry a higher degree of risk of being successfully targeted by a malicious actor who wishes to place them under surveillance via this method. While it should be made clear that iOS users are not immune to abusive forms of surveillance, tracking, or monitoring, the threat of consumer spyware as defined by this article, is relatively diminished within this environment. The Apple App Store is curated with a greater degree of rigor to eliminate stealthy apps, and the operating system itself does not allow third-party software to hide its own presence, while also limiting any inconspicuous sharing of data or accessing phone features such as the GPS with stealth. High-strength consumer spyware is largely only possible if the iPhone is “jail-broken,” but jail breaks are only available for dated versions of iOS. Users with an up-to-date version of iOS should therefore be generally protected from the possibility of their iPhone being jail broken. It should be noted, however, that those who own older iPhone devices (at this moment in time, those who own iPhone 5s and below), will be stuck with dated versions of iOS and thus susceptible to jail-breaking vulnerability forever more.
Nonetheless, it is useful for those dealing with potential targets of spyware to be cognisant of the differing threat levels facing Android users compared with iOS users. Whether it is law enforcement or practitioners within the family violence advocacy sector, it is important for those groups who respond to the needs of victims of family violence to have a better understanding of the technological threats they face. As outlined in established research, existing strategies and information on combatting digital forms of abuse aimed at victims of family violence can be “fragmented” (Harris & Woodlock, 2019, p. 532), and the responses from law enforcement to victims can be unhelpful, counter-productive, and often involve “victim-blaming” (Harris & Woodlock, 2019, pp. 539–541). The principal, primary responders to the needs of victims of family violence—police and family violence services—are generally struggling to maintain the necessary level of technical skill required to effectively diagnose, identify, and advise on how to respond to the threat of spyware. It is helpful, therefore, for them to develop more sophisticated understanding of existing consumer spyware threats, and how those threats differ among users of Android compared with users of iPhones. One of the first steps for responding to the threat of spyware on smart phones is to recognize the need for tailored responses for Android users and iOS users. To that end, for example, this research produced materials for supporting family violence advocacy workers to make triage decisions based on whether the client has an iPhone or an Android device (see WESNET, 2019b).
Furthermore, the asymmetry in end-user security on Android versus Apple devices also entails specific class-related dimensions. Available data and surveys comparing Android users to iPhone users in various contexts suggest that iPhone users are more affluent (Burns, 2018; Comscore, 2014; Hixon, 2014). This ought not be surprising as iPhones are generally sold with a higher “floor” on the price of the device, while the Android operating system can be found in up to 24,000 devices with a large span in quality and low-cost options available (Android, 2019). The “wealth gap” between iPhone users and Android users is also evident in international analysis of operating system usage, with Androids having a pronounced market-share dominance in developing nations (see DeviceAtlas, 2019; Peltonen et al., 2018, p. 10). Therefore, an additional important dimension to note is that those from poorer backgrounds are more likely to own Android devices and are more likely to face the vulnerabilities to spyware outlined in this article. In sum, the risks of abuse from spyware are not distributed equally among social groups, with those of lower income carrying a higher risk burden as a result of the differing demographic characteristics of Android users versus iPhone users.
(b) The need to engage with tech developers at the design stage.
The connection between how programmers design operating systems and the risks carried by family violence victims thus requires victim advocates to engage more with technology companies. The choices made by software engineers while designing operating systems for smart phones have clear and apparent ramifications for the personal safety and security of victims of family violence. A relatively small group of developers who have helped build the Android operating system or build iOS has created the digital infrastructure that is used by 95% of the reported 3.1 billion smartphone devices in the world (see van der Wielen, 2018). Their design and overall approach to how “open” or “closed” the operating system should be has created safety risks for users, and as outlined above, these risks are disproportionately carried by victims of family violence who come from poorer backgrounds.
The decisions of this relatively small community of developers thus carry significant ramifications for the personal safety of vulnerable groups and, therefore, they become major influencers in strategies to combat family violence. In this regard, improving responses to spyware-based family violence will require closer engagement with, and tactical pressure applied on, large technology companies such as Google and Apple. Technology companies are now firmly a part of the necessary set of actors who are required to respond to the needs of victims of family violence. Social media companies have already been identified as a necessary recruit for combatting gender-based abuse (see Dragiewicz et al., 2018; Suzor et al., 2019), but operating system developers also have a privileged position in mediating social relationships, and so should also be added to this list of responsible agents. There is an established literature and momentum for “privacy by design” or “human rights by design” approaches that underline the connections between IT infrastructure and security outcomes for individuals or groups (see, for example, Langheinrich, 2001; Suzor et al., 2019; Zalnieriute & Milan, 2019); it is necessary that operating-system design in smartphones is similarly regarded as critical to the safety of victims of family violence.
Unfortunately, exerting influence over operating-system developers to change their approaches to operating-system design is neither easy nor without other social costs. There are pronounced difficulties associated with pressuring a private company to change its product, particularly when there may be significant economic costs and resistance to do so. There are also technical difficulties; for example, Android deploys their operating system across a staggering range of handsets (up to 24,000), making the implementation of uniform updates or market-wide changes a fraught technical feat. Moreover, it should be noted that we are not attempting to make a normative claim that an operating system should be either “open” or “closed.” While it may create disadvantages for victims of family violence for an operating system to be “open,” it can also benefit the security of other groups or individuals if the device has more capabilities. As an example, activists in China can leverage the “openness” of Android to use virtual private networks (VPNs) and communicate with greater safety and privacy (Banjo & Yilun Chen, 2019; Denyer, 2016), while Apple users within China are often denied VPNs because of the tight controls created by the iOS “closed” posture (Gallagher, 2019). Any suggested changes to operating-system design would thus have to consider other social and safety ramifications that may be impacted through any potential re-design.
Therefore, while it is important and necessary for advocates for victims of family violence to engage with operating-system developers to promote safer outcomes for victims, it should also be recognized that such approaches will have inherent challenges that limit the suitability and viability of this tactic. Operating-systems developers are now inescapably implicated in the creation of risks for victims of family violence and ought to be made aware of this responsibility; however, advocates would be wise to recognize the limitations and sensitivities of pressuring operating-system designers to address their particular, single-issue concerns.
A positive example of how operating-system designers could engage more on this issue could be the provision of better on-device scanning for spyware. For instance, Android phones with the Google Play Protect feature allow for some degree of protections. Google Play Protect is an antivirus-like service that scans the phone for applications that have been installed on the device from outside the Google Play Store platform. Many of the spyware apps evaluated in our study provided explicit instructions on how to disable Google Play Protect to allow for surreptitious installation of spyware. However, if Play Protect is re-activated at any point, spyware apps in our sample are likely to be detected (see Parsons et al., 2019, pp. 44–46). While Google Play Protect is likely to detect and alert users of the presence of noted consumer spyware programs on nonrooted phones, spyware companies are routinely modifying their products to evade detection with limited degrees of success, which lasts only as long as engineers at Google Play Protect subsequently update their detection abilities based on these changes. Improving this capacity over time could make some progress in redressing the vulnerability of Android to this problem. A separate problem persists, however, if spyware apps are hosted in the Google Play Store, such as Cerberus was; they are able to remain entirely undetected by Google Play Protect. This presents a serious challenge for the so-called “dual-use” nature of spyware apps on Android devices as some are often deemed legitimate by virtue of their permission to be on the Google Play Store, thus evading the protective capability of Google Play Protect.
There are many other ways operating systems could be adjusted to promote safe-use, privacy, and increased control over what data are shared and with whom. In general, engineers could build in further mechanisms for ensuring there is ongoing consent for data being shared. This could take the form of regular reminders, delivered as push notifications, that particular apps or native features are sharing sensitive information such as GPS location with other parties. These can be notifications such as those seen in Figure 1. Further steps could also be taken to provide users with accessible logs and visible reminders of permissions that the device has provided to third-party software. For instance, as seen in Figure 2, Cerberus can be granted sweeping permissions upon installation, but stronger steps should be taken to present users with ongoing indicators or accessible logs that detail what permissions have been “granted” by the device, as well as what data have been shared with others.
It should always be noted that the above steps can be subverted by forms of “jail-breaking” and “rooting” of devices, which are beyond the reasonable control of operating-system engineers. But further steps to safeguard privacy and implement stronger regimes of consensual sharing of data will help alleviate specific instances and mechanisms for intimate partner stalking and abuse via smartphones. Certain threats can be addressed with operating-system changes, but not all.
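As an added illustration that is not part of the original article, the accessible permission log proposed above can be approximated from a support worker's or owner's computer by parsing the text that `adb shell dumpsys package` prints. The sample input is constructed, its field layout is assumed to follow that command's output (which varies between Android versions), and every package name is hypothetical.

```python
import re

# Runtime permissions covering the data the article discusses
# (location, messages, call records, contacts, microphone, camera).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}
PLAY_STORE = "com.android.vending"  # installer name recorded for Play Store installs

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+): granted=true")


def parse_dumpsys(text):
    """Return {package: {"installer": str or None, "granted": set of names}}."""
    apps, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = apps.setdefault(m.group(1), {"installer": None, "granted": set()})
        elif current is not None:
            m = INSTALLER_RE.match(line)
            if m and m.group(1) != "null":
                current["installer"] = m.group(1)
            m = GRANT_RE.match(line)
            if m:
                current["granted"].add(m.group(1))
    return apps


def permission_report(text, threshold=3):
    """Apps holding at least `threshold` sensitive permissions, most first."""
    rows = []
    for pkg, info in parse_dumpsys(text).items():
        held = sorted(info["granted"] & SENSITIVE)
        if len(held) >= threshold:
            # Preinstalled and sideloaded apps both lack a Play Store installer,
            # so this flag is context for the reader, not a verdict.
            rows.append({"package": pkg, "sensitive": held,
                         "from_play_store": info["installer"] == PLAY_STORE})
    return sorted(rows, key=lambda r: (-len(r["sensitive"]), r["package"]))


# Constructed sample input (hypothetical packages, trimmed field set).
SAMPLE = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.syncservice] (4d5e6f):
    installerPackageName=null
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.findphone] (7a8b9c):
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for row in permission_report(SAMPLE):
        origin = "Play Store" if row["from_play_store"] else "no Play Store installer"
        print(f'{row["package"]} ({origin}): {", ".join(row["sensitive"])}')
```

An app's Play Store origin is reported but does not lower its ranking, because the article notes that store-hosted apps such as Cerberus are not flagged by Google Play Protect.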
Furthermore, while there are changes software engineers can make to operating systems, it is also worth exploring how there could be changes made to the culture, norms, and attitudes of software engineers themselves. This could involve the domestic violence advocacy sector engaging with software engineers to raise the level of awareness for how end-users manipulate their products for the purposes of intimate partner stalking. Promoting “privacy-by-design” principles and a stronger awareness among software engineers is another strategy for encouraging design practices that actively anticipate, foresee, and pre-emptively undermine abusive use of software in the context of intimate partner abuse.
Conclusion
An investigation and analysis of consumer spyware products for smartphones reveals that Android devices are considerably more vulnerable to “stealthy,” nonconsensual, and powerful spyware when compared with iPhones. This is due to how the respective development teams have decided to program the operating system, with Android developers prioritizing “openness” for third-party applications (such as spyware), while Apple developers take a much more “closed” approach that limits the capabilities of third-party applications when within its environment. These coding decisions and design philosophies applied by these small communities of software developers have ramifications for the 3.1 billion users of their devices (van der Wielen, 2018). In particular, they create significantly different levels of vulnerability for victims of family violence to spyware-based abuse, with Android users carrying a more generalizable risk of being subjects of nonconsensual spyware surveillance than iPhone users. Being aware of the links between how operating systems are designed and the “downstream” implications for victims of family violence is important for advocates, so that they can tailor their responses and help counter the threat of spyware. It also raises a need for family violence advocates to engage more with operating-system developers and negotiate greater awareness of how coding choices affect victims of abuse, and what steps can be taken to prevent software infrastructure from being used abusively.
Appendix 1—Glossary of Terms
Android—an open-source operating system that is used for smartphones and tablet devices.
Applications—a software program that is designed for an end-user. Examples of an application are word processors, web browsers, or mobile device apps, which can include consumer spyware.
End-user—a person who uses a particular mobile device or other electronic product.
Exfiltrated or exfiltration—the malicious and unauthorized copying, transfer, or retrieval of data from a computer system or device.
Find my iPhone—an application provided on Apple devices (iPhone, iPad, iPod touch, Mac, Apple Watch, or AirPods) that allows the user to locate their device or family members’ devices on a map.
Firmware updates—the update of a type of computer software that is permanently programmed onto a hardware device by the manufacturer. Firmware is designed to provide a basic operating environment for the device to run more complex software applications.
GPS location—a unique identifier that indicates a precise geographic location. The location is derived from the Global Positioning System, a satellite navigation system that can locate devices in time and space.
Google Play Protect—software that provides malware detection and protection service that is built into Android devices which rely upon Google Mobile Services.
iOS—an operating system used for mobile devices manufactured by Apple, Inc.
Jail-break—an action that involves the removal of restrictions on a smartphone or mobile device that is imposed by the device’s manufacturer. The removal of these restrictions allows the installation of unauthorized software. See also “rooting.”
Native operating system—the operating system that a hardware device comes with from the manufacturer. For example, iOS is a native operating system on Apple devices, while MS Windows is a native operating system on Microsoft products.
Operating System—a low-level software that supports the use of basic functions on an electronic device. It also provides an operational framework for an end-user to install and run other software applications.
Push notification—an automated message that is sent by an application to an end-user when the application is not open.
Rooting or “rooted device”—a device with restrictions removed to allow greater privileges to control software and functions on the device that the manufacturer does not normally allow.
Third-party developer—a name given to companies that produce hardware or software for another company’s product.
VPN (virtual private network)—an acronym which refers to the use of a “private network” that “tunnels” communications between different end-point devices within an already existing public internet network.
Vulnerability/vulnerabilities—in computer security, a vulnerability refers to a weakness in computing systems that can be exploited by an attacker to gain unauthorized access to a device or system.
Acknowledgements
The authors would like to acknowledge the research assistance support of Ms. Erica Vowles. They would also like to acknowledge the support and backing of the Australian Communications Consumer Action Network (ACCAN).
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was supported by a grant from the Australian Communications Consumer Action Network (ACCAN).
