Popular daycare and childcare communications apps are “dangerously insecure” according to newly published research, exposing children and parents to the risk of data breaches with lax security settings and indulgent or downright misleading privacy policies.
The details come from a new report from the Electronic Frontier Foundation (EFF), which released the results of a months-long research project on Tuesday.
The investigation, conducted by Alexis Hancock, EFF’s technical director for the Certbot project, found that popular apps such as Brightwheel, HiMama, and Tadpoles lacked two-factor authentication (2FA), meaning any malicious actor who could obtain a user’s password, log in remotely. Closer analysis of the application code revealed a number of other privacy-damaging features, including data sharing with Facebook and other third parties, that were not mentioned in the privacy policy.
After contacting the EFF, Brightwheel implemented 2FA, claiming to be “the first in the early education industry to add this extra layer of security”. HiMama reportedly said it would pass the feature request on to its design team, but has not yet implemented the additional security feature. It is unknown if Tadpoles plans to implement 2FA.
Hancock began researching the privacy and security settings of several childcare apps after she was asked to download Brightwheel when she first enrolled her two-year-old daughter in childcare. Hancock told The edge that she initially liked using the app to get updates about her daughter, but was concerned about a lack of security given the potentially sensitive nature of the information.
“In the beginning there was a lot of comfort in seeing [my daughter] during the day, with the images they sent me,” Hancock said. “Then I looked at the app from, huh, I don’t really see security controls that I would normally see in most services like this.”
With a background in software development, Hancock was able to use a range of tools such as Apktool and mitmproxy to analyze the application code and examine network calls made by each of the childcare apps, and was surprised to find some easily fixable errors.
“I found trackers in a few apps. I found a weak security policy, a weak password policy,” Hancock said. “I discovered vulnerabilities that were very easy to fix as I went through some of the applications. Basically just low hanging fruit.”
The new report from the EFF isn’t the first to draw attention to serious flaws in applications trusted to protect children. For years, researchers have raised concerns about security vulnerabilities in baby monitor apps and associated hardware, with some of these weaknesses being exploited by hackers to send messages to children. More broadly, a survey of 1,000 apps likely to be used by children found that more than two-thirds sent personal information to the advertising industry.
Hancock hopes that reporting on these privacy and security flaws could lead to better regulation of child-directed apps, but the findings nevertheless worry her.
“As a parent, I felt even more afraid of my child,” she said. ‘I don’t want her to have a data breach before she’s five. I’m doing everything I can to make sure that doesn’t happen.”