Angel Or Devil? a Privacy Study of Mobile Parental Control Apps
Total Page:16
File Type:pdf, Size:1020Kb
Proceedings on Privacy Enhancing Technologies ..; .. (..):1–22 Álvaro Feal*, Paolo Calciati, Narseo Vallina-Rodriguez, Carmela Troncoso, and Alessandra Gorla Angel or Devil? A Privacy Study of Mobile Parental Control Apps Abstract: Android parental control applications are 1 Introduction used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps usage, web brows- The dependency of society on mobile services to per- ing, calling, and texting). In order to offer this service, form daily activities has drastically increased in the last parental control apps require privileged access to sys- decade [81]. Children are no exception to this trend. Just tem resources and access to sensitive data. This may in the UK, 47% of children between 8 and 11 years of age significantly reduce the dangers associated with kids’ have their own tablet, and 35% own a smartphone [65]. online activities, but it raises important privacy con- Unfortunately, the Internet is home for a vast amount cerns. These concerns have so far been overlooked by of content potentially harmful for children, such as un- organizations providing recommendations regarding the censored sexual imagery [20], violent content [91], and use of parental control applications to the public. strong language [51], which is easily accessible to minors. We conduct the first in-depth study of the Android Furthermore, children may (unawarely) expose sensitive parental control app’s ecosystem from a privacy and data online that could eventually fall in the hands of regulatory point of view. We exhaustively study 46 apps predators [2], or that could trigger conflicts with their from 43 developers which have a combined 20M installs peers [30]. in the Google Play Store. Using a combination of static Aiming at safeguarding children’s digital life, some and dynamic analysis we find that: these apps are on av- parents turn to parental control applications to monitor erage more permissions-hungry than the top 150 apps children’s activities and to control what they can do on in the Google Play Store, and tend to request more dan- their smartphones [63, 78]. The typical parental control gerous permissions with new releases; 11% of the apps app allows parents to filter, monitor, or restrict com- transmit personal data in the clear; 34% of the apps munications, content, system features, and app’s execu- gather and send personal information without appro- tion [89]. Other apps provide parents with fine-grained priate consent; and 72% of the apps share data with reports about children’s usage of the phone, their social third parties (including online advertising and analyt- interactions, and their physical location. An example of ics services) without mentioning their presence in their the former is the content discovery platform Safe Mode privacy policies. In summary, parental control applica- with Free Games for Kids by KIDOZ, and of the latter tions lack transparency and lack compliance with reg- is the Norton Family app. ulatory requirements. This holds even for those appli- To provide these features, parental control apps rely cations recommended by European and other national on the collection and handling of children’s behavioral security centers. (e.g., location, browsing activities, and phone calls) and Keywords: Parental control, Android, mobile apps, personal data (e.g., unique identifiers and contacts), in static analysis, dynamic analysis many cases, using techniques and methods similar to those of spyware [27]. Yet, as with many regular An- PACS: droid applications, parental control software may also DOI Editor to enter DOI integrate data-hungry third-party advertising SDKs— Received ..; revised ..; accepted ... to monetize their software— and analytics SDKs—to monitor the behavior of their users, create bug reports, and build user profiles. As a consequence of Android’s *Corresponding Author: Álvaro Feal: IMDEA Net- works Institute / Universidad Carlos III de Madrid, E-mail: [email protected] Carmela Troncoso: Spring Lab EPFL, E-mail: Paolo Calciati: IMDEA Software Institute / Universidad carmela.troncoso@epfl.ch Politécnica de Madrid, E-mail: [email protected] Alessandra Gorla: IMDEA Software Institute, E-mail: Narseo Vallina-Rodriguez: IMDEA Networks Institute / [email protected] ICSI, E-mail: [email protected] A Privacy Study of Mobile Parental Control Apps 2 permission model, these SDKs enjoy the same set of seven ad-related libraries found are COPPA compli- permissions granted by the user to the host app. Apps ant according to Google’s 2019 list of self-certified also might inadvertently expose data to in-path network libraries suitable for children apps [43]. observers if they use insecure protocols to transmit sen- C. The outgoing flows of 35% these apps are directed sitive data. These practices involve great privacy risks to third parties, but 79% of the apps do not name for minors, e.g., if data is used to profile children’s be- these organizations in their privacy policies (§ 6). havior or development, or if the data becomes compro- We find 67% apps collecting sensitive data without mised [64]. user consent, and 6 apps that do not implement ba- To help parents choose among parental control so- sic security mechanisms such as the use of encryp- lutions, security centers at the European level [1, 33] tion for Internet traffic. have analyzed a number of parental control solutions. D. Despite being required by regulations [29, 35], only Their analysis considers four dimensions: functionality, half of the apps clearly inform users about their effectiveness, usability, and security—defined as their data collection and processing practices (§ 7). While effectiveness at deterring children from bypassing the 59% of the apps admit third party usage of sensitive system. However, these reports do not provide any pri- data, only 24% disclose the full list of third parties vacy risk analysis, nor consider the lack of transparency embedded in the software. Furthermore, 18% do not or other potential violations of relevant privacy laws report any data sharing activity even though we find with specific provisions to safeguard minors’ privacy, evidence of third-party data collection through em- e.g., the European General Data Protection Regulation bedded SDKs. (GDPR) [29] and the U.S. Children Online Privacy and Protection Act (COPPA) [35]. In this paper, we present the first comprehensive 2 Parental Control Apps privacy-oriented analysis of parental control apps for Android from a technical and regulatory point of view. Android parental control apps offer diverse features to We study 46 apps using both static and dynamic analy- control children’s digital activities. In line with previous sis methods to characterize their runtime behavior and work [56, 89], we classify apps that enable parents to their data collection and data sharing practices. We also monitor children’s behavior, including location [47], as study the accuracy and completeness of their privacy monitoring tools; and we classify apps that enable par- policies, identifying potential violations of existing reg- ents to filter content and to define usage rules to limit ulations to protect minors. We note that during our the children’s actions as restriction apps. Some apps of- analysis we do not collect any data from children or any fer multiple functionalities simultaneously, and we label other user. (§ 3.1.4 describes the ethical considerations). them as monitoring since it is the most invasive of the Our main findings are the following: two categories. A. Static taint analysis reveals that both apps and em- The way in which parental control apps enforce bedded third-party libraries disseminate sensitive these functionalities is varied. Common alternatives are information, e.g., the IMEI, location, or MAC ad- replacing Android’s Launcher with a custom overlay in dress (§ 4). Apps also use custom permissions to which only whitelisted apps are available; installing a obtain functionalities exposed by other apps’ de- web browser where developers have full control to moni- velopers or handset vendors, revealing (commercial) tor and restrict web traffic; or leveraging Android’s VPN partnerships between them. permission [13] to gain full visibility and control over B. We find that almost 75% of apps contain data- network traffic. The most common criteria to customize driven third-party libraries for advertisement, so- app’s behavior are age and blacklisting/whitelisting. cial networks, and analytic services (§ 5). Further- The former restricts the type of content or defines the more, 67% apps share private data without user level of monitoring depending on the children’s age. In consent (§ 6.3), even though some of these apps general, older children are granted access to a larger set are recommended by public bodies (e.g., SIP-Bench of webpages and applications than youngsters. In the III [1, 33]). Despite processing children’s data, 4% of latter, parents can either list applications or webpages the apps use libraries which claim to not be directed that they deem inappropriate for their children, or add at children and thus do not take extra measures to appropriate content to whitelists. comply with privacy laws specific to children (e.g., U.S. COPPA rule [35]). Moreover, only two of the A Privacy Study of Mobile Parental Control Apps 3 Most parental control apps have two different com- consent from the parent or legal guardian of a minor un- ponents or modes: i) the parent app or mode, and ii) der the age of 16 before collecting and processing their the children app or mode. The parent app can run either personal data. Both regulations explicitly prohibit the on the children’s or on the parent’s device enabling ac- collection and processing of minor’s data for the purpose cess to the children’s app data, and to the dashboard for of marketing or user profiling, and force developers to setting monitoring or blocking rules.