Coursera, Duolingo, Moodle, or Udemy – all of the top educational apps have access to your private data, Cybernews research has found.
Technology is here to stay in schools and universities, with Gen Z being the evangelists for a revolution in the learning process.
The educational app industry is experiencing rapid growth. According to a report by Business of Apps, 709 million people used learning apps, which generated $5.93 billion in revenue in 2023. It's no surprise that the sector is the second largest in the Google Play Store and the third largest in the Apple App Store.
Learning with apps is fun, but do you pay the price with your privacy? At Cybernews, we decided to test the top educational apps and discovered that many popular apps request sensitive permissions that can open the door to your private data.
Methodology
We examined 25 popular learning and education apps with millions of downloads on the Google Play Store to determine the sensitive app permissions they require and what privacy implications this might have. According to Google, Android app permissions help users have more control over privacy by protecting access to restricted data or actions.
In a perfect scenario, app developers should request only the permissions that are essential for the app to function. However, Cybernews' previous research into popular airlines and travel planning apps showed that this is not always the case.
Users should always exercise extreme caution regarding certain app permissions. Google classifies these as sensitive because they allow apps to access your device's communication features or personal information, such as your location, camera, storage, or contacts.
Access to the data does not necessarily mean misuse of it, but there are always risks involved. We’ve contacted app developers to find out why their apps need such permissions.
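A reader can run a similar check on a single app. The sketch below is an added example, not Cybernews' tooling: it assumes the app's `AndroidManifest.xml` has already been decoded to text XML, and the grouping of Android permission constants into this article's categories is an assumption made for the example. The package `com.example.learning` and its manifest are constructed.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Category -> Android permission constants (mapping assumed for this example).
SENSITIVE = {
    "camera": ["CAMERA"],
    "accounts": ["GET_ACCOUNTS"],
    "contacts": ["READ_CONTACTS", "WRITE_CONTACTS"],
    "storage": ["READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
                "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO", "READ_MEDIA_AUDIO"],
    "media location": ["ACCESS_MEDIA_LOCATION"],
    "phone state": ["READ_PHONE_STATE"],
    "microphone": ["RECORD_AUDIO"],
    "sms and calls": ["SEND_SMS", "CALL_PHONE"],
    "bluetooth": ["BLUETOOTH_CONNECT"],
    "location": ["ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"],
}
CATEGORY_OF = {"android.permission." + name: category
               for category, names in SENSITIVE.items() for name in names}

def audit_manifest(xml_text, device_sdk=34):
    """Group declared sensitive permissions that apply at API level device_sdk."""
    root = ET.fromstring(xml_text)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            max_sdk = element.get(ANDROID_NS + "maxSdkVersion")
            # maxSdkVersion: the permission is not granted above that API level.
            if max_sdk is not None and device_sdk > int(max_sdk):
                continue
            if name in CATEGORY_OF:
                found.setdefault(CATEGORY_OF[name], set()).add(name)
    return {category: sorted(names) for category, names in found.items()}

# Constructed manifest for a made-up app; not taken from any app in the study.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.learning">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A declared permission is only a request: on current Android versions the user still has to grant dangerous permissions at runtime, so this output shows what an app can ask for, not what it has been given.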
Absolute champions of invasive permissions
Our research showed that the absolute champion in asking for sensitive permissions is the San Francisco-based Remind app, which provides communication services for schools. The app requests a total of 12 sensitive permissions. Next up are the online learning platform Coursera (11), the AI homework assistant Question.AI (10), and the course and class management systems Moodle (10) and ClassDojo (9).
Most learning apps will have access to your camera
The camera is a sensitive hardware component that can capture visual information about the user's surroundings. Granting access permission enables apps to take photos, record videos, and conduct video calls.
Often, apps rely on camera access to allow users to take photos, record videos, or engage in video calls directly within the app. This feature not only makes it easier for users to create and share content but also facilitates interactive experiences, such as augmented reality games or real-time document scanning.
For educational apps, camera access might be needed to take pictures in the app and submit them. However, if this permission is compromised, it could allow malicious actors to access the user's camera and microphone without their knowledge.
In total, 17 of the tested educational apps have access to your camera.
A spokesperson for Moodle told Cybernews that the app requests sensitive permissions only when it’s “absolutely necessary” and “with full transparency to the user.”
According to the statement, camera permission is only requested when the user initiates a task that requires taking photos or videos, submitting profile pictures, or uploading visual elements as part of the student's coursework.
Coursera explained that the app uses a camera for profile verification, peer reviews, and webview.
Coursera and Duolingo are among those to access your accounts
Five of the tested apps had redundant and dangerous permissions to access accounts on the device. This type of permission for educational apps is not necessary for their functionality but could potentially pose privacy and security risks.
The permission to get accounts grants an app access to the user's accounts associated with the device. This means the app can retrieve a list of accounts registered on the device, such as those from Google, Meta, and Samsung.
Account information can contain sensitive data, including email addresses, usernames, and account identifiers. This information can be personally identifiable and is tied to the user's online identity.
Access to the user's accounts can be invasive to their privacy, as it can reveal the user's online presence, communication channels, and potentially sensitive account data. All of this could also be exploited by threat actors.
Apps that can scrape your accounts:
- Canvas Student
- Coursera
- Duolingo
- Remind
- Simplilearn
Coursera’s spokesperson told Cybernews that the company is planning to remove the “Get Accounts” permission. “We actually plan to deprecate this prompt, and it is currently on our roadmap to look into resolving,” the spokesperson said.
Duolingo wants to know your contacts
Duolingo, a language learning app that has already become an internet meme for its persistent reminders to open the app and complete lessons, requests permission to access the contacts stored on your device.
Permission to access contacts is considered sensitive, as it allows apps to write and read contact lists on the device. Contact information is sensitive, as it may contain private data about friends, family, colleagues, and acquaintances, including names, phone numbers, email addresses, and other contact details.
If misused, this permission might lead to unwanted data scraping, infringement of user privacy, or even the exploitation of data to craft various fraudulent schemes.
Most apps can read your files and storage
In general, access to the device’s storage is considered sensitive because it allows an app to write and change data on the device's external storage, such as the SD card. Apps can access user files, photos, videos, documents, and other private information. If misused by malicious individuals, this access could lead to data loss and privacy violations.
Research showed that 21 of the tested apps can write to your storage, and 20 can read files on it. Certain apps had more precise permissions to read the video or audio media libraries stored on the device.
The plant-identifying app PictureThis has even more extensive permission – access to the geolocation metadata embedded in media files – which enables it to find the location where the image was taken.
The Moodle spokesperson explained that access to media files stored on the user’s device is necessary when uploading course-related documents, audio, images, or videos. The app requests to write into the users' storage to save or download files from Moodle to the user’s device, enabling offline access to course materials.
“Users are prompted to grant access only when the action is needed,” the spokesperson said.
Coursera responded that the app needs to access storage to enable learners to upload files for peer reviews and download content.
Khan Academy’s statement explains that its users must have access to storage to download educational videos for offline viewing. “Some students have limited or unreliable internet access and download videos to watch later,” a spokesperson explained.
Apps that can get your phone number and IMEI
The Khan Academy, Question.AI, and Remind apps request the dangerous permission to read the phone state. This permission is considered sensitive because it allows an app to access information that can identify both the device and its user.
The data accessed may include the device's phone number, network status, network operator, IMEI codes, SIM card details, and information about the internet provider.
If this information falls into the wrong hands, it could be exploited to intercept communications taking place on the device.
Khan Academy stated that, because the app accommodates students across 50 languages, it requires permission to read the phone state in order to detect changes to the user's language so that the app can automatically restart as needed.
“The application does not collect or store phone numbers or other sensitive device data that is not needed to provide our service,” the spokesperson said.
Ten apps that will record your audio
Microphone permission is used to access the device's microphone and record audio input. This functionality might be needed in the learning process. Anyone who’s tried, for example, Duolingo, knows that the app records your voice to check if your responses are correct.
However, if exploited, access to the microphone might lead to unauthorized surveillance, capturing sensitive conversations and personal information. It might also be used for unconsented marketing.
Ten of the tested apps can access your microphone:
- Blackboard Learn
- Canvas Student
- Canvas Teacher
- ClassDojo
- Duolingo
- Moodle
- Lingokids
- PBS Kids
- Question.AI
- Remind
According to Moodle's statement, access to a microphone is necessary when users need to record audio for assignments, discussions, or other interactive features, such as language learning tasks where audio submissions may be required for pronunciation assessments.
“The app will prompt for permission only when the user opts to record audio,” a Moodle spokesperson said.
One app can call and connect to Bluetooth on your behalf
Remind’s communication platform for students requires users to grant permission to access SMS and calls on their devices. This permission allows the app to send text messages and make calls on the user’s behalf.
While this access may be necessary for the app’s functionality, if misused, it could lead to privacy breaches and fraudulent spam communications, posing potential harm to users.
The app also requests the sensitive permission to connect to Bluetooth. Apps may use Bluetooth to transfer data between devices or pair with nearby Bluetooth devices, such as wireless headphones, speakers, and smartwatches.
However, if this permission is misused, it can let an app connect to unauthorized devices or be used to access private information shared between Bluetooth-connected devices.
Malicious actors could take advantage of this access to track nearby devices and potentially gather information about their owners.
These apps know your location
Location permissions are considered highly sensitive because they grant an app access to the device's precise and accurate location information, including latitude and longitude coordinates. If abused, it could lead to tracking your precise location, which can lead to significant privacy violations.
Four of the tested apps could access the approximate location of their users, while two of them had access to the exact location.
Exact location:
- Moodle
- Question.AI
Approximate location:
- ClassDojo
- Moodle
- Question.AI
- Sololearn
According to the explanation sent by Moodle’s spokesperson, the app uses location data to accommodate location-based activities within courses, such as assignments that require students to identify or interact with elements in a specific location, such as field studies.
“The app only uses this permission to capture the latitude and longitude at the required moment. Due to the limited use of this feature, we will be removing this requirement in the next version of the app,” the spokesperson said.
How do you revoke app permissions?
As sensitive permissions can pose risks to the privacy of the user, Cybernews advises always reviewing permission requests before allowing access. Pay attention to permissions that seem unnecessary for the app's intended functionality. On the Android OS, you can manage and revoke app permissions in your device’s settings by navigating to “Application Manager” or “Apps.”
If an app seems to be asking for too many permissions, it’s best to avoid using it. If the app is compromised, misuse of these permissions could lead to harmful consequences for users. One of the biggest risks is privacy invasion, as apps with excessive permissions can access sensitive information without proper consent.
Improperly handled permissions can also compromise data security, leaving user data vulnerable to unauthorized access, identity theft, or data breaches.
Updated on September 30th with Moodle's statement.
Updated on October 3rd with statements from Coursera and Khan Academy.