Can someone spy on my iPhone without my Apple ID and password?

Developer/Enterprise App Spyware

This is a type of spyware that hackers can use to bypass the App Store and avoid jailbreaking the device. It works by abusing Apple’s Developer or Enterprise programmes.

The Developer programme gives developers the opportunity to make and test apps before they are published on the official App Store. Using this programme means that the test apps can be downloaded onto an iOS device without going through the App Store review process.

In order to take advantage of the programme, the hacker would need to create their own malicious app in advance and then gain physical access to their victim’s phone in order to install the app onto it.

Typically, they will then hide the app in an app folder like ‘Utilities’, so it will go unnoticed for as long as possible. The app can be active for as long as 365 days if it is undetected.

The Enterprise programme was designed by Apple to be used internally by companies and organizations to distribute apps amongst their teams, without making them publicly available during Beta testing. However, hackers have turned this feature into a way for them to trick unsuspecting users into installing malicious apps.

Unlike Developer apps, hackers do not need physical access to the victim’s phone in order to install an Enterprise app; they simply need the victim to download the app. The app could look like a free version of a paid app available on a third-party app store.

The best way to guard against this type of spyware is only to use the official App Store, and be vigilant about what you are downloading.

Tracking Apps

Another way that hackers can spy on your phone without your Apple ID and password is by using a tracking app. These are apps that are available from the official App Store and are usually marketed as family safety apps for parents to keep track of where their children are.

While they have their legitimate uses, they can be abused by stalkers to track a victim’s location. To detect this type of app you can go into your settings and manually check any app that has access to your location data for anything that you do not recognize.

Alternatively, Certo AntiSpy will show you the apps that have access to your location and highlight any that are known tracking apps.

WiFi Sync Attack

Spyware in the form of a WiFi Sync Attack requires the use of a PC app. The hacker would install the app onto a computer using the same network that the victim’s phone connects to, and then get hold of the victim’s phone to set up the WiFi Sync.

Because of the nature of this attack, the hacker would need to be close to the victim’s home network and phone, which is why this type of spyware is predominantly used in domestic situations. The hacker can use their own computer and the iPhone itself remains secure, with no jailbreaking, additional apps or access to iCloud required.

Historically you could check the Settings app on your device to see if WiFi Sync was enabled. However, since iOS 13, this is no longer possible as Apple has removed this information.

To overcome this, at Certo, we’ve created a free tool called WiFi Sync Checker that can quickly check the status of WiFi Sync on your device and turn it off if required. You can download the tool here.

Final Thoughts

In conclusion, it is possible for someone to spy on your iPhone without your Apple ID and password, using one of several methods available to them. In fact, the recent improvements to iCloud security mean that hackers are now more likely to use these alternative methods.

It’s therefore important for iPhone users to focus on all aspects of their device security, including using 2-factor authentication, keeping their iOS version up-to-date, and regularly scanning their device for threats with an anti-spyware tool.