Angel or Devil? A Privacy Study of Mobile Parental Control Apps

Álvaro Feal; Paolo Calciati; Narseo Vallina-Rodriguez; Carmela Troncoso; Alessandra Gorla

Angel or Devil? A Privacy Study of Mobile Parental Control Apps

Authors: Álvaro Feal (IMDEA Networks Institute / Universidad Carlos III de Madrid), Paolo Calciati (IMDEA Software Institute / Universidad Politécnica de Madrid), Narseo Vallina-Rodriguez (IMDEA Networks Institute / ICSI), Carmela Troncoso (Spring Lab EPFL), Alessandra Gorla (IMDEA Software Institute)

Volume: 2020
Issue: 2
Pages: 314–335
DOI: https://doi.org/10.2478/popets-2020-0029

Download PDF

Abstract: Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. These concerns have so far been overlooked by organizations providing recommendations regarding the use of parental control applications to the public. We conduct the first in-depth study of the Android parental control app’s ecosystem from a privacy and regulatory point of view. We exhaustively study 46 apps from 43 developers which have a combined 20M installs in the Google Play Store. Using a combination of static and dynamic analysis we find that: these apps are on average more permissions-hungry than the top 150 apps in the Google Play Store, and tend to request more dangerous permissions with new releases; 11% of the apps transmit personal data in the clear; 34% of the apps gather and send personal information without appropriate consent; and 72% of the apps share data with third parties (including online advertising and analytics services) without mentioning their presence in their privacy policies. In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those applications recommended by European and other national security centers.

Keywords: Parental control, Android, mobile apps, static analysis, dynamic analysis PACS:

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.