Antivirus company F-Secure has severely criticised the security of a mobile spying application.
The Finnish security company said that Retina-X Studios' Mobile Spy is "not built to be secure".
Mobile Spy is an application aimed at businesses wishing to monitor their employees' Windows Mobile smartphone traffic. The full text of SMS messages can be recorded and logged to a "private account" accessible by the business, as well as incoming and outgoing call numbers, and the URLs of websites visited.
F-Secure claims to have found a way that anyone can access those private accounts. The antivirus company said that, if a user logs in to the Mobile Spy demonstration account, and goes to view SMS logs, there are demonstration samples from a database of messages.
The vulnerability lies in the way the URLs of the demonstration accounts are configured, F-Secure claimed. Each demonstration account has an identifying number within the URL. However, the identifying numbers for demonstration accounts and private accounts are similar, and private account numbers are sequential, potentially allowing any user to view the account of any other, said F-Secure.
Jarno Niemela, a senior antivirus researcher at F-Secure, said: "You can put in different account numbers through the URL, and ID numbers are sequential. You could pull every message on the service."
One employment law specialist has advised businesses considering monitoring employee communications that, under UK data protection laws, employees should be aware that calls are being monitored.
"In order to monitor employees lawfully, employers should be telling [employees] monitoring is going on," said Kirsty Ayre, an associate at Pinsent Masons solicitors and the head of the employment law team in Scotland. "Employers can only monitor covertly if they suspect criminal [activity]."
Ayre advised businesses against monitoring e-mails marked "private", and said that employers should endeavour to keep logs of monitored communications secure.
"One of the basic principles of data protection legislation is that, if businesses are processing personal data, they have to keep it secure. [If data were compromised], the question would be: had the business taken appropriate steps to ensure the data had been kept confidential? If the employer knew that data had been leaked and continued to send data to the organisation [that leaked it], there could potentially be a problem," added Ayre.
Retina-X Studios had not responded to a request for comment at the time of writing.
