Angel or Devil? A Privacy Study of Mobile Parental Control Apps

Abstract

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile app usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. These concerns have so far been overlooked by organizations providing recommendations regarding the use of parental control applications to the public. We conduct the first in-depth study of the Android parental control app ecosystem from a privacy and regulatory point of view. We exhaustively study 46 apps from 43 developers which have a combined 20M installs in the Google Play Store. Using a combination of static and dynamic analysis we find that: these apps are on average more permission-hungry than the top 150 apps in the Google Play Store, and tend to request more dangerous permissions with new releases; 11% of the apps transmit personal data in the clear; 34% of the apps gather and send personal information without appropriate consent; and 72% of the apps share data with third parties (including online advertising and analytics services) without mentioning their presence in their privacy policies. In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those applications recommended by European and other national security centers.
