Angel or Devil? A Privacy Study of Mobile Parental Control Apps

Álvaro Feal 1, Paolo Calciati 2, Narseo Vallina-Rodriguez 3, Carmela Troncoso 4 and Alessandra Gorla 5
  • 1 IMDEA Networks Institute, Universidad Carlos III de Madrid
  • 2 IMDEA Software Institute, Universidad Politécnica de Madrid
  • 3 IMDEA Networks Institute,
  • 4 Spring Lab EPFL,
  • 5 IMDEA Software Institute,

Abstract

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile app usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. These concerns have so far been overlooked by organizations providing recommendations regarding the use of parental control applications to the public.

We conduct the first in-depth study of the Android parental control app ecosystem from a privacy and regulatory point of view. We exhaustively study 46 apps from 43 developers which have a combined 20M installs in the Google Play Store. Using a combination of static and dynamic analysis, we find that: these apps are on average more permissions-hungry than the top 150 apps in the Google Play Store, and tend to request more dangerous permissions with new releases; 11% of the apps transmit personal data in the clear; 34% of the apps gather and send personal information without appropriate consent; and 72% of the apps share data with third parties (including online advertising and analytics services) without mentioning their presence in their privacy policies. In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those applications recommended by European and other national security centers.
