Mobile apps that help people monitor their children are also leaking the parents’ data to third parties, and possibly malicious actors, researchers have found.
The Cybernews research team recently took a closer look at the ten most popular child tracking apps. These are essentially surveillance apps, designed for parents who fear for their children’s safety and want to use their mobile devices to make sure they are safe.
Cumulatively, these apps have amassed more than 85 million downloads among them. However, none received the highest grade for privacy and one app with more than 50 million installs was even deemed a “critical risk”.
Tracking the trackers
One of the problems with these apps is that they carry third-party trackers, meaning that both children and parents are having their data harvested, the researchers explained. The data can be used for a wide variety of things, but mostly it’s used for targeted advertising.
While some apps carried two trackers, some were found with as many as nine trackers.
One of the apps, which also made it into the top 50 free apps in the social category in the US, was found to share Broadcast Receivers, an Android component that allows apps to respond to messages that the OS broadcasts.
That means that other apps on the device can access the tracker, including malicious apps, giving potential attackers insight into the movement of children – and the parents too.
Furthermore, these apps have insecurely implemented Secure Sockets Layer (SSL) certificate handling, leaving them vulnerable to man-in-the-middle attacks. In other words, attackers can “eavesdrop” on the data going between two apps.
The problem, some experts believe, lies in the fact that many app developers can’t be bothered to build robust code themselves, but rather take as much as they can from open source libraries, often being oblivious to the risks that brings.
“It’s like making cheap sausage, and you don’t know what kind of ingredients are going into it. The problem for the end-user is that you really don’t know all that is in the app or how many different parties are receiving this information,” Karim Hijazi, CEO of cyber intelligence company Prevailion, told Cybernews.