Parental control apps may do more harm than good, according to researchers who found 18 bugs in eight Android apps with more than 20 million total downloads that could be exploited to, among many nefarious acts, control other devices on the parents’ network.
Fabian Densborn and Bernhard Gründling of the SEC Consult Vulnerability Lab discovered the vulnerabilities and found that the parent web dashboards were susceptible to cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks, meaning a logged-in parent lured to a malicious page could have dashboard actions performed on their behalf, or have attacker-supplied script run in their session.
In addition to being “easily bypassed” by the children they aim to protect, the buggy apps also make it fairly easy for miscreants to access both parents’ and kids’ data and devices, the researchers said in a report published on Tuesday.
“The SEC Consult Vulnerability Lab is already in contact with some of the vendors mentioned below through our responsible disclosure process,” they wrote. “The identified security vulnerabilities should be fixed in the near future, according to the vendors.”
After those patches are rolled out, the duo said they’ll release more technical details about the vulnerabilities. But in the meantime, here’s what we know about the bugs. Oh, and “nearly all” of the apps analyzed “use some sort of tracking services,” the researchers noted.
The apps, all of which are available on the Google Play store, include familytime.io (more than 1 million downloads), Boomerang (more than 100,000 downloads), Qustodio (more than 1 million downloads), Wondershare FamiSafe (more than 1 million downloads), Find My Kids (more than 10 million downloads), Parental Control Kroha (more than 1 million downloads), Kids Place Parental Controls (more than 5 million downloads), and Parental Control App (more than 1 million downloads).
Some of the apps leave Android's app-data backup enabled, so their private files could be pulled off a device with Android Debug Bridge (ADB), the command-line tool developers use to talk to an Android device: create backups, debug apps, change device settings. Anyone who can get USB debugging enabled and plug into the handset (a curious child, say, or whoever finds a lost phone) can take the same backup and then lift sensitive configuration files or private data stored on the device, according to the researchers.
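What an attacker actually does with such a backup, as an added example that is not from the SEC Consult report or from any of the apps named above: `adb backup -f backup.ab <package>` writes a file with a four-line text header (magic, format version, compressed flag, encryption algorithm) followed by a zlib-compressed tar of the app's private files. The code below builds a fake, unencrypted backup for a made-up package (the package name, file paths and token are constructed), unpacks it the way the well-known one-liners do, and scans the recovered shared-preferences XML for credential-looking entries.

```python
import io
import re
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"

# Constructed fixture: the sort of files `adb backup` exports from an app that
# leaves android:allowBackup enabled. Package, paths and token are made up.
SAMPLE_FILES = {
    "apps/com.example.parental/_manifest": b"1\ncom.example.parental\n42\n",
    "apps/com.example.parental/sp/session.xml": (
        b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        b'    <string name="parent_email">parent@example.test</string>\n'
        b'    <string name="api_token">tok_constructed_0123456789abcdef</string>\n'
        b"</map>\n"
    ),
    "apps/com.example.parental/f/child_locations.json": b'[{"lat": 48.2, "lon": 16.4}]',
}


def build_unencrypted_ab(files: dict) -> bytes:
    """Build an unencrypted, compressed .ab file so the parser can be run offline."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # Header lines: magic, format version, compressed (1/0), encryption ("none" or "AES-256").
    header = AB_MAGIC + b"\n" + b"1\n" + b"1\n" + b"none\n"
    return header + zlib.compress(tar_buf.getvalue())


def parse_ab(blob: bytes) -> dict:
    """Unpack an .ab file and return {path: content}. Encrypted backups are refused."""
    magic, version, compressed, encryption, body = blob.split(b"\n", 4)
    if magic != AB_MAGIC:
        raise ValueError("not an Android backup file")
    if encryption != b"none":
        # A backup password set in the adb prompt encrypts the body; without it this stops here.
        raise ValueError(f"backup encrypted with {encryption.decode()}; the user password is needed")
    if compressed == b"1":
        body = zlib.decompress(body)
    files = {}
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        for member in tar:
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


# Shared-preference entries whose key names suggest a credential.
SECRET_KEY = re.compile(
    rb'<string name="([^"]*(?:token|password|secret|session)[^"]*)">([^<]*)</string>', re.I
)


def find_secrets(files: dict) -> dict:
    """Scan the backup's shared_prefs (apps/<pkg>/sp/) XML files for credential-looking entries."""
    found = {}
    for path, data in files.items():
        if "/sp/" not in path:
            continue
        for name, value in SECRET_KEY.findall(data):
            found[f"{path}:{name.decode()}"] = value.decode()
    return found


if __name__ == "__main__":
    backup = build_unencrypted_ab(SAMPLE_FILES)
    recovered = parse_ab(backup)
    print(f"{len(recovered)} files recovered from a {len(backup)}-byte backup")
    for key, value in find_secrets(recovered).items():
        print(f"  {key} = {value}")
```

The fix on the app side is `android:allowBackup="false"` in the manifest (or a backup rules file that excludes the sensitive files). Two caveats: a backup password set at the adb prompt encrypts the body, and from Android 12 `adb backup` no longer exports app data for apps targeting API 31 or later unless they are debuggable, so older devices and apps with a low targetSdk are the realistic exposure.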
Additionally, several of the apps permit cleartext connections, that is, plain unencrypted HTTP traffic. “For example, a simple man-in-the-middle attack could be used to sniff user credentials or other personally identifiable information,” the duo wrote.
Even the apps that did have measures in place such as certificate pinning to protect against man-in-the-middle attacks “could easily be circumvented by using the Universal SSL Pinning Bypass script for Frida,” they added. Frida is a dynamic-instrumentation toolkit that hooks functions inside a running app, so pinning only holds up as long as the person running the app is not also the one attacking it.
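The cleartext and pinning findings both come down to two files in the APK, `AndroidManifest.xml` and `res/xml/network_security_config.xml`, and a reviewer can check them without running the app. The following is an added example of such an audit, not code from the researchers or from any of the apps; the weak and hardened fixtures are constructed, the package name and domain are made up, and the pin values are placeholders rather than real certificate hashes. The weak pair shows the settings the researchers describe (backups on, cleartext on, user-installed CAs trusted, no pinning); the hardened pair is the corrected configuration.

```python
import xml.etree.ElementTree as ET

# ElementTree spells the android: attribute namespace out in full.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed fixtures, not any real app's files.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parental">
    <application android:allowBackup="true" android:label="Parental">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parental">
    <application android:allowBackup="false"
                 android:usesCleartextTraffic="false"
                 android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

WEAK_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>"""

HARDENED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors><certificates src="system"/></trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example-parental.test</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""


def audit_manifest(manifest_xml: str, target_sdk: int) -> list:
    """Flag manifest settings that expose app data over ADB or over the network."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element"]
    # allowBackup defaults to true, so a missing attribute is as bad as an explicit "true".
    if app.get(A + "allowBackup", "true") == "true":
        findings.append("allowBackup: `adb backup` can export the app's private files")
    # usesCleartextTraffic defaults to true below targetSdk 28 and false from 28 on;
    # a declared network security config overrides the attribute entirely.
    if app.get(A + "networkSecurityConfig") is None:
        default = "true" if target_sdk < 28 else "false"
        if app.get(A + "usesCleartextTraffic", default) == "true":
            findings.append("cleartext HTTP allowed: credentials can be sniffed in transit")
    if app.get(A + "debuggable", "false") == "true":
        findings.append("debuggable: run-as and JDWP give full access to app data")
    return findings


def audit_network_security_config(nsc_xml: str, target_sdk: int) -> list:
    """Flag cleartext, user-CA trust and missing pinning in network_security_config.xml."""
    findings = []
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_clear = base.get("cleartextTrafficPermitted") if base is not None else None
    if base_clear is None:  # same targetSdk-dependent default as the manifest attribute
        base_clear = "true" if target_sdk < 28 else "false"
    if base_clear == "true":
        findings.append("base-config permits cleartext traffic to every domain")
    sections = ([base] if base is not None else []) + list(root.iter("domain-config"))
    for section in sections:
        if section.tag == "domain-config" and section.get("cleartextTrafficPermitted") == "true":
            domains = ", ".join(d.text for d in section.findall("domain"))
            findings.append(f"domain-config permits cleartext for {domains}")
        # src="user" outside <debug-overrides> means a CA the device owner installs
        # (a test proxy, or an attacker's) is trusted for production traffic.
        for cert in section.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{section.tag} trusts user-installed CAs")
    if root.find(".//pin-set") is None:
        findings.append("no pin-set: nothing beyond CA validation stops an on-path proxy")
    return findings


if __name__ == "__main__":
    for label, mf, nsc, sdk in (("weak", WEAK_MANIFEST, WEAK_NSC, 27),
                                ("hardened", HARDENED_MANIFEST, HARDENED_NSC, 33)):
        print(label, audit_manifest(mf, sdk) + audit_network_security_config(nsc, sdk))
```

Note what the pin-set check does and does not buy: a `<pin-set>` stops an on-path attacker who only holds a CA the device trusts, but it is enforced inside the app process, which is exactly where the Frida script the researchers used does its hooking. Pinning raises the bar against network attackers; it does nothing against the child holding the phone.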
The researchers also highlighted privacy concerns surrounding these apps, which store and transmit sensitive information including the list of installed apps, contacts, photos, GPS location, call metadata, children’s usage of the apps, and in some cases the full contents of text messages.
Where that data ends up, and under whose jurisdiction, raises data security and privacy flags too. “For example, the web dashboard of Find My Kids sends varying amounts of data – depending on the mouse movement – to a Russian tracking domain (mc.yandex.ru),” the researchers wrote.
So what’s the solution to preventing kids from seeing harmful content online while also protecting data and devices from intruders? Unfortunately there is no magic bullet, and, as with all third-party apps, it’s up to the user to review the vendor’s terms and conditions as well as its data collection, retention and privacy policies — and, ideally, to verify the information that the vendor provides.
As Densborn and Gründling noted, “parental control applications all seem to have various flaws, so it sadly comes down to your own risk assessment.”
In other words: software, like life, is inherently flawed. Proceed with caution. ®