A raft of smartphone apps – all endorsed by schools around Australia – have been found to begin harvesting user data before the app has even been accessed, and sharing children’s data within seconds of use.
An audit by the University of New South Wales’ Institute for Cyber Security found glaring issues with almost 200 school-backed apps, with 89.3 transmitting data to third parties before any interaction with the app in question.
The harvested data, the audit found, includes device identifiers, location metadata, and “other sensitive information”.
Dr Rahat Masood, a cyber security expert at UNSW, said even simply opening an app would lead to the transfer of user data.
“Telemetry data, which mainly refers to tracker-related identifiers and used for the automatic collection and transmission of data to remote servers,” Dr Masood said of the data harvested.
“Despite just opening the app and not using any educational feature, it is still transferring a lot of information that is sensitive and can actually identify your device.”
In addition, more than 65 per cent of apps include some form of embedded tracking or analytics tool, such as Firebase, Facebook SDK, or Unity Analytics – apps, UNSW says, have zero educational purpose.
“None of these are needed to actually run the educational apps,” Dr Masood said.
Just as worrying, the vast majority of privacy policies were considered easy to read, with 97 per cent requiring at least a university-level education to understand.
“Nobody will understand these terminologies and jargon,” Dr Masood said.
“Comprehension, readability, understandability – all these metrics that we analysed were all very bad.”
Perhaps more damning, many apps that claimed to not collect data were doing so within moments of use.
“We matched the privacy policy with the dynamic analysis – when the app is running, whether it is collecting the data and whether it is mentioned in the privacy policy or not,” Dr Masood said.
“Only one in four were matching. Some of the policies appear to have been generated using AI tools.”
According to Dr Masood, while the various Departments of Education maintain lists of approved and assessed apps, the level of actual assessment falls far short.
“They look at very high-level details and they don’t download the app – they don’t do the dynamic analysis, they don’t go through the accessibility and readability of the privacy policies,” Dr Masood said.
Dr Masood and the team behind the study – UNSW researchers Sicheng Jin, Jung-Sook Lee, and Hye-Young (Helen) Paik – are working on a “traffic light” system to give parents the information they need to understand how these apps work and what they collect.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.