“We may share the number of diaper changes”: A Privacy and Security Analysis of Mobile Child Care Applications

Authors: Moritz Gruber (AWARE7 GmbH), Christian Höfig (AWARE7 GmbH), Maximilian Golla (Max Planck Institute for Security and Privacy), Tobias Urban (Institute for Internet Security – if(is); secunet Security Networks AG), Matteo Große-Kampmann (Ruhr University Bochum; AWARE7 GmbH; Institute for Internet Security – if(is))

Volume: 2022
Issue: 3
Pages: 394–414
DOI: https://doi.org/10.56553/popets-2022-0078

Download PDF

Abstract: Mobile child care management applications can help child care facilities, preschools, and kindergartens to save time and money by allowing their employees to speed up everyday child care tasks using mobile devices. Such apps often allow child care workers to communicate with parents or guardians, sharing their children’s most private data (e. g., activities, photos, location, developmental aspects, and sometimes even medical information). To offer these services, child care apps require access to very sensitive data of minors that should never be shared over insecure channels and are subject to restrictive privacy laws. This work analyzes the privacy and security of 42 Android child care applications and their cloud-backends using a combination of static and dynamic analysis frameworks, configuration scanners, and inspecting their privacy policies. The results of our analysis show that while children do not use these apps, they can leak sensitive data about them. Alarming are the findings that many third-party (tracking) services are embedded in the applications and that adversaries can access personal data by abusing vulnerabilities in the applications. We hope our work will raise awareness about the privacy risks introduced by these applications and that regulatory authorities will focus more on these risks in the future.

Keywords: child care, app, management, Android, privacy, security, COPPA, GDPR

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.