According to a recently published study, popular communication apps for daycares and daycare centers are “dangerously insecure,” putting children and parents at risk of data breaches with lax security settings and permissive or outright privacy policies. misleading.
The details come from a new report from the Electronic Frontier Foundation (EFF), which released the results of a month-long research project on Tuesday.
The research, led by Alexis Hancock, EFF’s engineering director for the Certbot project, found that popular apps such as Brightwheel, HiMama and Tadpoles lacked two-factor authentication (2FA), which means that everything malicious actor capable of obtaining the password of a user could log in remotely. Further analysis of the application code revealed a number of other privacy-compromising features, including data sharing with Facebook and other third parties, which were not disclosed in the privacy policies.
After being contacted by the EFF, Brightwheel implemented 2FA and claims to be “the first in the preschool industry to add this extra layer of security.” HiMama reportedly said it would forward the feature request to its design team, but has yet to implement the additional security feature. It is unclear whether Tadpoles intends to implement 2FA.
Hancock began researching the privacy and security settings of various daycare apps after being asked to download Brightwheel when her two-year-old daughter was first enrolled in daycare. hancock said The edge that she initially enjoyed using the app to receive updates about her daughter, but became concerned about a lack of security given the potentially sensitive nature of the information.
“In the beginning, there was a lot of comfort to see [my daughter] during the day, with the images they were sending me,” Hancock said. “Then I was looking at the app like, huh, I don’t really see the security controls that I would normally see in most services like this.”
With a background in software development, Hancock was able to use a range of tools like Apktool and mitmproxy to analyze app code and investigate the network calls made by each of the babysitting apps, and she was surprised to find a number of easily fixable errors. .
“I found trackers in a few apps. I found weak security policy, weak password policies,” Hancock said. that I was reviewing some of the apps. Really just handy fruits.
The new EFF report is not the first to draw attention to serious flaws in trusted apps to keep children safe. For years, researchers have raised concerns about security weaknesses in baby monitoring apps and related hardware, with some of those weaknesses being exploited by hackers to send messages to children. More broadly, a survey of 1,000 apps likely to be used by children found that more than two-thirds send personal information to the advertising industry.
Hancock hopes reports of these privacy and security flaws could lead to better regulation of child-focused apps — but nonetheless, the findings have left her worried.
“It made me, as a parent, feel even more afraid for my child,” she said. “I don’t want her to suffer a data breach until she is five years old. I’m doing everything I can to make sure that doesn’t happen. »