By Marilia Wyatt, CyberPrivacy
More than half of Android apps targeted explicitly at kids under 13 may be violating U.S. privacy law: the Children’s Online Privacy Protection Act (COPPA), according to mobile app security researchers.
The March 2018 study, led by researchers at the International Computer Science Institute at the University of California, Berkeley, revealed that 40% of 5,855 apps analyzed (2,344) do not use TLS (the standard method for securely transmitting data) in at least one transmission containing identifiers or other sensitive information. This means that almost half of the examined apps may not be taking ‘reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children,’ the researchers wrote.
Apps with poor or missing TLS configurations can increase the risk of man-in-the-middle attacks, remote code execution, and unauthorized information disclosure.
The report adds that the apps that are potentially improperly collecting and insecurely transmitting children’s data are all included in Google’s Designed for Families (DFF) program. An app’s inclusion in the DFF program means that its developers have (1) certified to Google that the intended audience includes children under 13; (2) received guidance from Google on COPPA compliance; and (3) affirmed their compliance with the law.
As more data is collected about kids on the devices they use, the types of data their apps access create significant privacy and security risks. It’s important for parents to clearly understand why apps are asking for certain permissions and how securely the data is transmitted and stored, and for the developer community to integrate privacy and security considerations early on and in all phases of the app development life cycle.
To help parents understand the privacy implications of their children’s apps, researchers published their results on AppCensus, a database that aims to provide app users “better transparency into how their mobile apps use and misuse their personally identifying information.”
Research highlights about violations and trends:
- 19% of children’s apps collect identifiers or other personally identifiable information (PII) via SDKs whose terms of service outright prohibit their use in child-directed apps
- 73% of the tested applications transmitted sensitive data over the internet. While accessing a sensitive resource or sharing it over the internet does not necessarily mean that an app is in violation of COPPA, none of these apps attained verifiable parental consent
- Efforts by Google to limit tracking through the use of a resettable advertising ID have had little success: of the 3,454 apps that share the resettable ID with advertisers, 66% transmit other, non-resettable, persistent identifiers as well, negating any intended privacy-preserving properties of the advertising ID
- 40% of the apps studied shared children’s personal info insecurely
- 39% violated Google’s terms regarding persistent identifiers
- 19% shared private info with third-party services that aren’t supposed to be used in children’s apps
- 5% collected children’s physical locations or contact data without obtaining parental consent
- 28% of the apps accessed sensitive data protected by Android permissions