One morning a couple of weeks ago, I handed my iPhone to my wife and asked her to help with a privacy experiment. She would use my handset to track my location for the next few days, and with only the software I already had installed. Like a lot of couples, my wife and I know each other's phone PINs. So I left her with the device as I walked into our bathroom to take a shower, simulating an opportunity that I figured would present itself daily to snooping spouses.

I'd barely turned on the water before she handed the phone back to me. A few seconds had passed, and she had already configured it to track my location, with no notification that it was now telling her my every move.

I'd embarked on this strange exercise with the blessing of a group of researchers who focus on the scourge of "stalkerware," a class of spyware distinguished by the fact that it's typically installed on a target device by someone with both physical access to the phone and an intimate relationship with its owner. Often explicitly marketed as a way to catch a cheating husband or wife in the act, these programs have become a tool of domestic abusers and angry exes—a breed of hacker who often possesses practically zero technical skills but does have plenty of opportunity for hands-on tampering with a victim's handset. Perpetrators can install these apps, also sometimes known as spouseware, to monitor where their targets go, who they communicate with, what they say, and virtually every other part of their life the phone touches.

After years of neglect, the antivirus industry has finally begun to recognize stalkerware's danger and flag the apps as malicious, a development that's long overdue given that a quarter of women in the US and one in nine men experience some form of physical abuse or stalking by an intimate partner.

But antivirus alone may not be enough, one group of researchers at Cornell Tech and NYU warned me. Abusive phone-snooping, they point out, doesn't necessarily require software explicitly built for that purpose. Mainstream app stores are well-stocked with what those researchers call dual-use applications. These are apps that advertise features for a legitimate purpose—such as letting families consensually track one another for convenience or safety, or for locating stolen and lost devices—but can easily be abused by stalkers who install them without their target's knowledge, or to secretly change the configuration of those apps to share the victim's location or data.

The researchers documented the prevalence of those tracking apps in a study last year, based in part on their work helping abuse victims in partnership with the New York City Mayor's Office to End Domestic and Gender-Based Violence. "When we’re onsite and looking at these cases, it’s a lot of what we’re seeing," said Cornell researcher Diane Freed.

With a few seconds of physical access to a phone, even apps as common as Google Maps and Apple's Find My Friends can be tweaked to persistently share a user's location with another contact while offering the phone's owner no notification or warning, the researchers told me. "It's not the presence of some app on your device that’s disconcerting, it's that it might be configured in some way that you weren’t aware of and didn’t agree to," said Sam Havron, another Cornell researcher.

An Experiment

It was with that idea in mind that I handed my iPhone to my wife that morning, and again every morning over the following few days. Without showing me what she was doing, she would change some configurations on common apps I already had installed on the phone and hand it back to me. Then I would go about my life and watch my phone for any signs that I was being tracked.

Before writing about this, I consulted with the same NYU and Cornell Tech researchers to ask if they thought it would be ethical to share these results, or if I would be helping abusers more than victims. They discussed it and told me to go ahead, noting that guides for abusers who want to secretly track their partner's phone are already all too easy to find online. "Our conclusion is that the pros outweigh the cons," Havron wrote in an email.