Carnegie Mellon University

A fair skinned hand using a mobile phone. Image is overlaid with blurry command line code in green.

August 09, 2022

iPhone security compromises prove difficult to detect

By Ryan Noone

Mobile phones can be abused to enable stalking through methods like location tracking, account compromise, and remote surveillance. While experts can help victims detect and recover from this type of technology abuse, researchers at Carnegie Mellon's CyLab Security and Privacy Institute say typical users aren't equipped to identify and resolve these issues on their own.

In a recent study, CMU researchers simulated technology-enabled abuse scenarios, the kind often seen in intimate partner violence cases, to better understand how non-experts in victims' social support networks might help non-tech savvy iPhone users navigate these difficult situations.

The four scenarios included:

  • Determining whether a device’s location was being tracked
  • Identifying if a spyware app was installed on a device
  • Assessing whether an iCloud account had been compromised
  • Using online advice to figure out if the device had been jailbroken

“Our study considers a threat model where the attack or abuser doesn’t use technical sophistication, but rather takes advantage of physical access to the device to do things like enable location sharing or download apps that can transmit data back to them,” says Andrea Gallardo, Ph.D. student in the School of Computer Science’s (SCS) Institute for Software Research (ISR).

The group presented the simulated scenarios to participants, then asked them how they would help a friend or co-worker detect and resolve each security compromise.

“Even though our non-expert participants were familiar with the iOS interface, most were unable to detect and resolve the problems in these scenarios,” said Lorrie Cranor, CyLab director, and professor in the Department of Engineering and Public Policy and SCS’s ISR

“Overall, the study uncovers a number of usability challenges both in Google Maps and Apple’s iOS and highlights the importance of considering the stalking threat model in usable security design and research.”

When it comes to location sharing, researchers recommend companies provide persistent indicators that alert users that they are transmitting their location data to another user and generate less predictable periodic notifications to inform users when others have access to track their whereabouts. They also suggest adding an option in location apps to re-authenticate users each time their location is shared with a new user.

To enhance iCloud account security, researchers believe Apple should add indicators within iCloud apps’ settings to let users know when other devices are accessing and can make changes to Photos or iMessage apps, among others.

Apple recently announced its plans to roll out a new tool called “Safety Check,” when the company releases iOS 16 later this year. Once it becomes available, Gallardo says another study should be done to examine the practicality and usability of the new security feature.