Abstract

Stalkerware is malicious software that monitors and tracks a victim’s online and offline activity. This harmful technology has become a growing concern, jeopardizing the security and privacy of millions of victims and fostering stalkerware and Intimate Partner Violence (IPV). In response, various solutions have emerged, including anti-stalkerware apps that aim to prevent and detect the use of monitoring apps on a user’s device. Organizations dedicated to assisting IPV victims have also enhanced their online presence, offering improved support and easy access to resources and materials. Considering how these tools and support websites handle sensitive personal information of users, it is crucial to assess the privacy risks associated with them. In this thesis, we conduct a privacy analysis on 25 anti-stalkerware apps, 323 websites, 52 hidden device detection apps to identify issues such as PII leaks, authentication problems and 3rd-party tracking. Our tests reveal that 14/25 apps, 210/323 websites, 41/52 hidden device detection apps share user information with 3rd-party services through trackers, cookies or session replay. Based on our analysis of anti-stalkerware websites, we identified 44 domains to which sensitive data is sent, along with 3 services collecting information submitted in forms through session replay. During the dynamic analysis of hidden device detection apps, 25 third-party hosts were observed gathering device or apps information. Furthermore, we conducted a readability assessment of privacy policies obtained from anti-stalkerware apps/websites and hidden device detection apps. Our findings indicate that these privacy policies are highly complex and challenging to comprehend.