Two of the most popular child-tracking Android apps are vulnerable to data leaks. Most collect the data of minors. Millions of parents put their families’ privacy at risk.

The Google Play Store features numerous child-tracking apps. A team from Cybernews decided to investigate the offering. The results are worrying.

The team selected ten of the most popular apps. The combined downloads amount to 85 million worldwide. The number of active users is difficult to determine, but it’s clear that the apps are used by millions of parents.

Each app contains third-party trackers for both parents and children. This means that each parent is providing their family’s personal data to an unknown party.

Workaround for the AVG/GDPR

Third-party trackers require consent to process data. The AVG/GDPR has extra rules for minors. If an app targets children, a child’s consent is insufficient. The parent or guardian must agree as well. The age limit varies between member states, ranging from 13 to 16 years.

Child-tracking apps have found a workaround. If an app isn’t aimed at children, any user can consent to third-party tracking, including minors. That’s why some apps avoid using terms like ‘child’ and ‘kids’. The developers present the app as a product for adults, thus sidestepping a section of the AVG/GDPR.

Third parties can use the data in several ways. Targeted ads are completely legal. Outside the law, the possibilities are endless. Monitoring a device is often prohibited, but some companies simply don’t care. The resale of personal data is usually illegal, but may occur nonetheless.

Security problem

Besides privacy, Cybernews suspects two apps of hiding a serious security problem. The apps use hard-coded API keys. Should the source code be compromised in a data breach, users’ data are at risk.

API keys serve different functions, but typically act as passwords for an API. In these cases, the API only responds to applications that provide a correct key, so that sensitive data is restricted to trusted apps.

A hard-coded API key is included in the source code of an application. If the source code ever falls into the wrong hands, the API key goes with it. As a result, any application can pose as a trusted app.
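A developer-side check for the problem described above, as an added example that is not code from Cybernews or from either app: it scans Android resource and Java source text for credential-like names that hold high-entropy string literals. The file contents, identifier names and thresholds are constructed assumptions.

```python
import math
import re

# Constructed sample files, not taken from any real app.
SAMPLE_FILES = {
    "res/values/strings.xml": """<resources>
  <string name="app_name">Family Locator</string>
  <string name="backend_api_key">q7Zp2LxV9tYb4KcR8mNw3HsD6fGj1AeU</string>
  <string name="api_key_hint">Enter your key</string>
</resources>""",
    "src/ApiClient.java": """public class ApiClient {
  static final String BASE_URL = "https://api.example.invalid/v1";
  static final String AUTH_TOKEN = "Zx81kQmP04vTnB7yLrW2cHd9";
  String sessionToken = authService.fetchToken(); // obtained at runtime
}""",
}

# Identifier that suggests a credential (assumed naming heuristic).
NAME = r"[A-Za-z_]*(?:key|secret|token)[A-Za-z_]*"
PATTERNS = [
    # Android string resource: <string name="...key...">value</string>
    re.compile(rf'<string\s+name="({NAME})"\s*>([^<]+)</string>', re.I),
    # Java/Kotlin assignment of a string literal: SOME_KEY = "value"
    re.compile(rf'\b({NAME})\s*=\s*"([^"]+)"', re.I),
]

def shannon_entropy(value):
    """Bits per character: random key material scores high, words score low."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def find_hardcoded_keys(files, min_len=16, min_entropy=3.5):
    """Return (path, line number, identifier) for each suspicious literal."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in PATTERNS:
                for name, value in pattern.findall(line):
                    if (len(value) >= min_len and " " not in value
                            and shannon_entropy(value) >= min_entropy):
                        findings.append((path, lineno, name))
    return findings

if __name__ == "__main__":
    for path, lineno, name in find_hardcoded_keys(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded credential candidate '{name}'")
```

The check only covers literals that match these heuristics, so a clean result does not show that an app ships without embedded secrets.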

The seriousness of the problem depends on the data that an API exchanges. Some data are negligible. Think of the uptime, version or date. User data are a different story.

The ‘Phone Tracker by Number’ app (50 million downloads) has a hard-coded API key for ‘Account Kit Clients’. According to the researchers, the information likely leads to user data. The ‘Family GPS Locator by Familo’ (1 million downloads) has a sensitive hard-coded API key as well.

Solution

“At a minimum, I would recommend that parents do some online research about these apps”, Social-Engineer CEO Chris Hadnagy told Cybernews. Personally, we don’t believe that changes a thing. If you’re looking for an app to track your kids, privacy probably isn’t your biggest concern. The problem has no easy solution, but stricter supervision of tracking apps is a good start.
