By Marilia Wyatt, CyberPrivacy
More than half of Android apps targeted explicitly at kids under 13 are not taking proper care to protect the confidentiality, security, and integrity of personal information collected from children, mobile app security researchers say.
The March 2018 study, led by researchers at the International Computer Science Institute at the University of California, Berkeley, revealed that 40% of 5,855 apps analyzed do not use TLS (the standard method for securely transmitting data) in at least one transmission containing identifiers or other sensitive information. This means that almost half the examined apps may be in violation of the U.S. privacy law, the Children’s Online Privacy Protection Act (COPPA), researchers wrote.
Apps with poorly configured or missing TLS can increase the risk of man-in-the-middle attacks, remote code execution, and unauthorized information disclosure.
All the tested apps that allegedly improperly collected and insecurely transmitted children’s data are part of Google’s Designed for Families program (DFF).
Being part of the DFF program means that developers have certified to Google that the intended audience includes children under 13, received guidance from Google on COPPA compliance, and affirmed their compliance with the children’s privacy law.
What can parents do?
Parents should try to understand why apps are asking for certain permissions before they download games and other apps. For instance, evaluate whether an app needs access to the camera or photos if that functionality is not needed for use. It’s also useful to research what data the app shares with third parties and how the app data is secured during transmission and storage, as inadequate protections can significantly increase privacy and cybersecurity risks.
To help parents understand the privacy implications of their children’s apps, researchers published their results on AppCensus, a database that aims to provide app users “better transparency into how their mobile apps use and misuse their personally identifying information.”
Among the research highlights:
73% transmitted sensitive data over the internet.
40% shared children’s personal info insecurely.
39% violated Google’s terms regarding persistent identifiers.
28% accessed sensitive data protected by Android permissions.