Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Parental control apps not as secure as you might think

A pair of researchers at SEC Consult Vulnerability Lab have found that a wide range of parental control apps on Android devices are remarkably insecure.

user iconReporter
Thu, 29 Dec 2022
Parental control apps not as secure as you might think
expand image

Writing on the SEC Consult blog, researchers Fabian Densborn and Bernhard Gründling explain that while their research is not the equivalent of a full security review, even casual observation has revealed a lot for parents to worry about.

The apps were first studied via static analysis, using the mobile security framework MobSF. Dynamic analysis was achieved by installing various parental control apps on a rooted Google Pixel 4a with Android 11. Where apps also had a web dashboard to remotely control devices, they too were looked at.

The researchers do not point out which vulnerabilities were found on which app in particular, and they go out of their way to point out that all vendors have been notified of the findings, and that fixes should be issued soon.

============
============

The findings, however, are quite damning.

  • One app allowed an API to read a list of installed apps and other metadata.
  • Two apps made an attack against the hosting device possible via a JavaScript payload. These devices could then take advantage of the app’s web dashboard to circumvent restrictions or gain access to a parent’s credentials.
  • All of the apps could be simply bypassed by changing a device’s settings in Android by simply removing app permissions.
  • Finally, booting an Android device into safe mode disables all third-party apps, including parental controls. Since this also disables internet connectivity, no notification is sent to parents.

In total, all apps had at least one or two vulnerabilities. The exception that stands out is Kids Place Parental Control, which had an alarming five.

The full list of apps tested comprises Boomerang, FamilyTime, Find My Kids, Kidssecurity Parental Control, Kids Place Parental Control, Parental Control Kroha, Qustodio, and Wondershare.

The researchers also point out that many of the vendors behind parental control apps store user data in the cloud, which comes with its own set of security concerns. User data can also be accessed by a number of third domains that may not necessarily be obvious to end users.

“It’s crucial not only for parents to feel safe about their children’s smartphone usage, but also for children to feel comfortable with their parents’ safety measures,” said Bernhard Gründling in the blog post.

At the end of the day, parents need to do proper research into both the apps they wish to use, and the vendors who operate them. Ignorance, in this case, is far from blissful.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.