Parental control apps not as secure as you might think

A pair of researchers at SEC Consult Vulnerability Lab have found that a wide range of parental control apps on Android devices are remarkably insecure.

Writing on the SEC Consult blog, researchers Fabian Densborn and Bernhard Gründling explain that while their research is not the equivalent of a full security review, even casual observation has revealed a lot for parents to worry about.

The apps were first studied via static analysis, using the mobile security framework MobSF. Dynamic analysis was achieved by installing various parental control apps on a rooted Google Pixel 4a with Android 11. Where apps also had a web dashboard to remotely control devices, they too were looked at.

The researchers do not point out which vulnerabilities were found on which app in particular, and they go out of their way to point out that all vendors have been notified of the findings, and that fixes should be issued soon.

============

The findings, however, are quite damning.

One app allowed an API to read a list of installed apps and other metadata.
Two apps made an attack against the hosting device possible via a JavaScript payload. These devices could then take advantage of the app’s web dashboard to circumvent restrictions or gain access to a parent’s credentials.
All of the apps could be simply bypassed by changing a device’s settings in Android by simply removing app permissions.
Finally, booting an Android device into safe mode disables all third-party apps, including parental controls. Since this also disables internet connectivity, no notification is sent to parents.

In total, all apps had at least one or two vulnerabilities. The exception that stands out is Kids Place Parental Control, which had an alarming five.

The full list of apps tested comprises Boomerang, FamilyTime, Find My Kids, Kidssecurity Parental Control, Kids Place Parental Control, Parental Control Kroha, Qustodio, and Wondershare.

The researchers also point out that many of the vendors behind parental control apps store user data in the cloud, which comes with its own set of security concerns. User data can also be accessed by a number of third domains that may not necessarily be obvious to end users.

“It’s crucial not only for parents to feel safe about their children’s smartphone usage, but also for children to feel comfortable with their parents’ safety measures,” said Bernhard Gründling in the blog post.

VIEW ALL

At the end of the day, parents need to do proper research into both the apps they wish to use, and the vendors who operate them. Ignorance, in this case, is far from blissful.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it

newsletter

Be the first to hear the latest developments in the cyber industry.

Parental control apps not as secure as you might think

David Hollingworth

Introducing Cyber Daily, the new name for Cyber Security Connect

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED