Madison Reporter

A research team from the University of Wisconsin-Madison has found that popular automation apps can be misused for digital abuse, making it possible for abusers to monitor or control another person’s device without their knowledge.

The group, which includes computer sciences PhD student Shirley Zhang, associate professor Kassem Fawaz, and assistant professor Rahul Chatterjee, will present their findings at the USENIX Security Symposium in August 2025 in Seattle. The event is recognized as a major conference on security and privacy in computing.

Their work was inspired by reports from the Madison Tech Clinic, an initiative run by UW-Madison students and faculty that helps survivors of domestic violence and technology-facilitated abuse. Volunteers at the clinic noticed abusers using automation apps such as Apple Shortcuts to take over devices with little technical skill required.

“Because of all of the capabilities of these automation apps, you can do a suite of things that previously would have required more technical sophistication, like installing a spyware app or using a GPS tracker,” explains Fawaz. “But now, an abusive partner just needs a little time to set up these capabilities on a device.”

Automation apps are designed to simplify tasks for users—such as adjusting phone settings automatically or managing smart home devices—but can also be exploited if someone gains access to another person’s phone. The researchers point out that automations run silently within these apps and do not generate notifications when triggered, making them difficult for victims to notice.

Chatterjee first brought up this issue in his seminar course CS 782: Advanced Computer Security and Privacy. After investigating how automation apps could be abused, Zhang continued the project as part of her graduate research under Fawaz.

The team surveyed public repositories and found nearly 13,000 automated tasks available for Apple iOS alone. Using an AI-assisted analysis system they developed themselves, they identified over 1,000 shortcuts with potential for misuse. Tests showed these shortcuts could perform actions such as sending emails from another person’s account or locking users out of their phones—all without obvious signs.

Zhang says tech companies were notified about these vulnerabilities but did not always respond with concern. “One company told us that users are responsible for their own devices, and they should create strong passwords and make sure the devices aren’t accessible to other people,” she says. “But that doesn’t reflect reality; that’s not how things work in the abusive relationships we see.”

The researchers noted existing security measures are not effective against malicious automations since permissions apply only to entire apps rather than individual routines.

To address this gap, they are developing an online service based on their AI tool so people can scan their devices for potentially harmful automations. Fawaz cautions that while AI is useful now for detection purposes, it could also make digital abuse easier if used by perpetrators in combination with automation apps.

“This project is a strong example of the Wisconsin Idea and the ‘circle of research’ in action,” says Chatterjee. “It began with a community-outreach initiative, grew through our course curriculum, and was brought to life by the Kassem’s Wisconsin Privacy and Security research team. Ultimately, it will give back to the community by providing a tool designed to prevent the abuse of automation apps and help protect survivors.”

Additional authors include Paul Chung, Jacob Vervelde and Nishant Korapati. The work received support from the National Science Foundation.

If you or someone you know is experiencing abuse, UW-Madison’s University Health Services offers resources for survivors.