Android apps with over 85 million installations spy on the parents that use them to track their children, and some even contain links to malicious sites. Experts think it's not entirely safe to expose kids' data to third-party vendors.
Parental concern about the safety of their children has translated into surveillance in the digital age. A 2021 survey showed that half of parents in the US use parental control apps, while another carried out in the UK found at least 40% use GPS tracking on their offspring.
New research by the Cybernews team shows that tracking your children can be a double-edged sword: while parents do so digitally, apps use the opportunity to collect their data. Moreover, the same apps that ought to provide safety don't always adhere to the highest security standards.
Researchers found four in 10 popular apps contain links deemed malicious by some security vendors, and not a single Android app our team reviewed received the highest grade for privacy.
According to Jason Glassberg, a cofounder of Casaba Security, a cybersecurity and ethical hacking company, not only do tracking apps breach children's privacy, but they can also expose kids' information to unauthorized viewers.
"That is essentially a backdoor into your child's phone, which at a minimum will be collecting reams of data on them, and in a worst-case scenario could be doing things that are much more malicious," Glassberg told Cybernews.
Millions of users
The team analyzed 10 Android apps available in the Google Play store, designed to track children or family members. Due to the limitations of Google's metrics, it's impossible to say the exact number of cumulative app installations.
However, open source data shows that child-tracking apps covered in this research have been installed over 85 million times. Even though the exact number may vary, it's safe to say tens of millions of people have downloaded these apps.
Each of the reviewed apps was installed over a million times, with the most popular one boasting over 50 million installations.
The team used the Mobile Security Framework (MobSF), a common open-source app security analysis tool, to evaluate the security and privacy of selected tracking apps.
Regarding security, the score varies from zero to 100, with the latter representing the most desired outcome. The privacy grade within the MobSF framework is letter-based and ranges from A to F, with A indicating the most desirable grade.
Seven apps in 10 received a B for privacy, and two were awarded Cs. One app with over 50 million installations, Phone Tracker By Number (6.28), received the lowest grade, indicating a “critical risk.”
The worst-graded app, which ranks as the 47th top free app in the social category in the US, demonstrated questionable security approaches such as keeping Android intents open. Namely, the app shares Broadcast Receivers, Android components that allow an application to respond to messages broadcast by the operating system (OS) or another application.
Sharing Broadcast Receivers with other apps means that Phone Tracker By Number can be accessed by other unspecified applications on the device, leaving a lot of room for threat actors to maneuver. A malicious app on the device could theoretically access the tracking app data and let the threat actor know the location of a child that a parent is tracking.
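The check behind a finding like this can be reproduced on a decoded manifest. The sketch below is an added example, not code from Cybernews, MobSF or any app named here; it assumes a text AndroidManifest.xml (an APK's binary manifest must be decoded first), and the package and receiver names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any app named in the article).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracker">
  <application>
    <receiver android:name=".LocationUpdateReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.tracker.LOCATION"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.tracker.permission.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""


def audit_receivers(manifest_xml):
    """Return (name, reason) for each receiver any other app can reach."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for rcv in app.findall("receiver"):
        name = rcv.get(ANDROID + "name", "<unnamed>")
        exported = rcv.get(ANDROID + "exported")
        has_filter = rcv.find("intent-filter") is not None
        if exported is None:
            # Before targetSdk 31, an intent-filter makes the default "true".
            is_exported, how = has_filter, "implicitly exported via intent-filter"
        else:
            is_exported, how = exported.lower() == "true", "explicitly exported"
        # A permission on the receiver or the <application> restricts senders.
        guarded = rcv.get(ANDROID + "permission") or app_permission
        if is_exported and not guarded:
            findings.append((name, how))
    return findings


if __name__ == "__main__":
    for name, reason in audit_receivers(SAMPLE_MANIFEST):
        print(f"{name}: {reason}, no permission required")
```

Receivers that only handle the app's own messages should set android:exported="false"; those that must accept outside broadcasts should require a permission.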
The team surmised that, due to insecure handling of Secure Sockets Layer (SSL) certificates, the app is vulnerable to man-in-the-middle (MITM) attacks. These attacks occur when attackers insert themselves between the data sender and receiver. For example, developers of Phone Tracker By Number or threat actors could, in theory, spy on the traffic flowing through the app.
Family Locator - GPS Tracker & Find Your Phone App (5.29.2) (10 million + installations), Family GPS tracker KidsControl (k5.3.6) (1 million+), and FamiSafe: Parental Control App (18.104.22.168) (1 million+) were also deemed vulnerable to MITM attacks.
According to Karim Hijazi, CEO of cyber intelligence company Prevailion and Mandiant's former director of intelligence, organizations behind independent tracking apps might not have robust software development programs to ensure the code is secure. To cut costs, companies utilize third-party code from open-source libraries or specific features built by other developers.
"It's like making cheap sausage, and you don't know what kind of ingredients are going into it. The problem for the end-user is that you really don't know all that is in the app or how many different parties are receiving this information," Hijazi told Cybernews.
Outsourcing child's data
In a twist of irony, all analyzed apps had third-party trackers bundled within the apps meant to track children. That means that both parties, parents and children alike, have their data collected. Hardly a surprise, given that a violation of privacy is the app's primary goal.
An app could easily use that data for malicious purposes if the company behind it isn't honest, thinks Chris Hadnagy, CEO of cybersecurity firm Social-Engineer.
"If the child sends an inappropriate or sensitive photo, that app may have access to it. Anything that has been shared with the app, such as accounts, passwords, personal information, can be exposed if the app is ever breached," Hadnagy told Cybernews.
According to Hijazi, companies behind tracking apps collect specific data to track the person who has the app installed. Third parties may find that information useful for various purposes, from targeted advertising to monitoring.
"Once you start plotting out all the different entities that end up buying and reselling this information from the original app company and its third-party components, you will find there is an enormous ecosystem for even a small-time app. That is something that users, and especially parents, should be concerned with," Hijazi said.
Nine trackers were discovered in two apps: Find my kids: location tracker (1.9.5) (10 million +) and Family Locator - GPS Tracker & Find Your Phone App (5.29.2). Another two, MMGuardian App For Child Phone (3.10.26) (1 million +) and Find my Phone. Family GPS Locator by Familo (2.70.6) (1 million +), had eight trackers. Two more, My Family locator, GPS tracker (5 million +), and FamiSafe: Parental Control App (22.214.171.124), had seven trackers.
Phone Tracker by Number (6.2.8) had six trackers, MMGuardian Parent App (3.6.77) (1 million +) had five, Pingo by Findmykids (2.4.83) (5 million +) had three, and only two trackers were present in Family GPS tracker KidsControl (k5.3.6).
App names can be subject to frequent change by the developers on the Google Play store, and these were the correct ones discovered by the Cybernews team at the time of writing.
Looking inside the innards of popular tracking apps, the team discovered that all of them store hard-coded application programming interface (API) keys. Generally, API keys are used for authentication purposes, to allow apps to recognize individual users and vice versa. Storing API keys can lead to security issues if a threat actor finds a way to access them.
Find my Phone. Family GPS Locator by Familo had the most: four API keys hard-coded in the app. Four apps had three each, while the remaining two had a couple apiece.
The majority of the hard-coded API keys were meant to protect app data, information that is not too sensitive or useful for threat actors. However, the team noted that some hard-coded API keys might be responsible for protecting user data.
For example, Phone Tracker by Number had a hard-coded “Account Kit Client” token. Losing this ‘master key’ to a threat actor might result in a loss of sensitive user data. Find my Phone. Family GPS Locator by Familo also had a potentially sensitive API key.
Worryingly, the team discovered that four in 10 reviewed apps contain links deemed malicious by some security vendors. While that does not mean that the app is infected with malware, the links within the app may lead users to websites with malware.
For example, FamiSafe: Parental Control App (126.96.36.199) contained two links some security vendors deemed malicious. At the same time, Phone Tracker by Number (6.28), Find my kids: location tracker (1.9.5), and Family GPS tracker KidsControl (k5.3.6) had one potentially malicious link each.
Is it worth it?
As long as humans are behind tracking apps, there's no way to guarantee absolute safety. At the end of the day, parents have to decide whether installing a potentially harmful app on their offspring's phone is worth the sense of safety it supposedly provides.
Experts we've discussed the issue with had diverging opinions about the matter. For example, Hadnagy said that tracking children can be a cybersafe solution. However, parents should spend some time researching what they're downloading.
"At a minimum, I would recommend that parents do some online research about these apps. It's easy to search Google to see if there are other reviews of the software and the user experience with the app," Hadnagy explained.
Meanwhile, Glassberg said parents should not use tracking apps, since doing so violates the bond of trust between them and their children. Instead, he emphasized the need to teach kids how to recognize online grooming and stay away from dangerous websites.
According to Hijazi, the benefits of using child tracking apps hardly outweigh the hazards. Even though data protection laws stipulate what data collectors can and cannot do with it, there's no way to actually know how app developers use the collected data or how it will be utilized in the future.
"By installing this type of app on the child's phone, you've essentially embedded a fully capable trojan on their most personal of devices, which, in addition to having access to their browsing activity, communications, friends, etc, can also track their real-time location," Hijazi said.