F-Secure attacks smartphone spying software

Antivirus company F-Secure has criticised the security of a mobile spying application.

The Finnish security company said that Retina-X Studios' Mobile Spy is "not built to be secure", although Retina-X Studios has rejected the claims. 

Mobile Spy is an application aimed at businesses wishing to monitor their employees' Windows Mobile smartphone traffic. The full text of SMS messages can be recorded and logged to a private account accessible by the business, as well as incoming and outgoing call numbers, and the URLs of websites visited.

F-Secure claims to have found a way that anyone can access those private accounts. The antivirus company said that, if a user logs in to the Mobile Spy demonstration account, and goes to view SMS logs, there are demonstration samples from a database of messages.

The vulnerability lies in the way the URLs of the demonstration accounts are configured, F-Secure claimed. Each demonstration account has an identifying number within the URL. However, the identifying numbers for demonstration accounts and private accounts are similar, and private account numbers are sequential, potentially allowing any user to view the account of any other, said F-Secure.

Jarno Niemela, a senior antivirus researcher at F-Secure, said: "You can put in different account numbers through the URL, and ID numbers are sequential. You could pull every message on the service."

However, Retina-X Studios chief executive James Johns argued that Mobile Spy's systems did not contain the vulnerability. "The data leakage described is not possible with our servers," Johns said. "Anyone trying this method would receive a message denying access. Retina-X Studios takes customer privacy very seriously. We have tested all services to verify that this is not an issue."

One employment law specialist has advised businesses considering monitoring employee communications that, under UK data protection laws, employees should be aware that calls are being monitored.

"In order to monitor employees lawfully, employers should be telling [employees] monitoring is going on," said Kirsty Ayre, an associate at Pinsent Masons solicitors and the head of the employment law team in Scotland. "Employers can only monitor covertly if they suspect criminal [activity]."

Ayre advised businesses against monitoring emails marked "private", and said that employers should endeavour to keep logs of monitored communications secure.

"One of the basic principles of data protection legislation is that, if businesses are processing personal data, they have to keep it secure. [If data were compromised], the question would be: had the business taken appropriate steps to ensure the data had been kept confidential? If the employer knew that data had been leaked and continued to send data to the organisation [that leaked it], there could potentially be a problem," added Ayre.