(Credit: Billion Photos/Shutterstock)

If you want to spy on the activity of someone's mobile device, there's a whole underbelly of apps ready to help, under the guise of "monitoring children" or "keeping tabs on your employees." As a rule, however, these apps are designed to be used without the subject's knowledge or consent, and they are frequently used to just plain stalk people, which can lead to harassment, physical assault, and worse.

SEE: Beware of fake bank apps on Android stealing customer account data

The level of abuse is no surprise, given how the sales pitches customarily talk about cheating spouses and other personal matters that have nothing to do with workplace security or child safety. Because of what these apps can do, and the secretive manner in which they operate, they are strictly banned from the App Store and Google Play Store.

Not only that, but the security of the data they collect is routinely weak, exposing texts, call logs, photo galleries, and other highly private data to the general public, if you have an aptitude for HTML code. This is largely because the private data is rarely encrypted or password-protected.

And if it's unencrypted, the other implication is that the app seller can see every customer's captured spyware data at any time -- to sell, trade, or just pack away for a rainy day. Or they simply don't care about the customer's privacy any more than the customer cares about the privacy of the people they're spying on. No honor among thieves, and all that.

As Motherboard reports, yet another spyware app is checking all the boxes: Leading with promises of monitoring the office and your kids while following up with talk about infidelity, asserting that the app can operate without the subject's knowledge, and not taking steps to ensure that the captured private data actually remains relatively private.

FOLLOW Download.com on Twitter for all the latest app news.

The latest one is called Xnore, and in addition to call logs, SMS texts, and photos, it can also spy on the subject's activity in WhatsApp and Facebook, and keep a log of their locations via GPS.

Although it was taken down as a result of Motherboard's recent reporting, there was also a map available on the Xnore website that plugged into the subject's GPS data (which is a set of coordinates that would otherwise be gibberish to the average person). To look up your subject/victim, you had to enter a string of letters and numbers that were assigned to your account upon creation.

According to Motherboard, the HTML code of this map page contained the strings of about 28,000 customers. So if you simply viewed the code and used one of those other strings instead of the one assigned to you, you now had access to that other customer's captured data. Not just the GPS info. Once that string was in your hands, you could enter it into the app, and you were now that other customer, as far as the app was concerned.

Any website's HTML code can be viewed simply by pressing Ctrl+U in a web browser, so you don't exactly need to be an elite hacker.


  • According to a report by Motherboard, a spyware app called Xnore used poor website security that let a person looking at the HTML code of one of its pages access other customers' captured data.
  • This data can include text messages, call logs, and even GPS coordinates.

Also see

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.