Daycare apps are dangerously insecure

Last year, several EFF parents signed their children up for daycare and were instantly prompted to download an app to manage their childcare. Daycare and preschool apps often include notifications for feedings, diaper changes, pictures, activities, and which guardian picked up or dropped off the child. These features are potentially helpful in overcoming separation anxiety for newly enrolled children and their anxious parents. Working in a privacy-oriented organization as we do, we asked questions: Do we have to use this? Are they safe? Unfortunately, the answer to the first was “yes,” in part so schools could adhere to health guidelines to avoid unnecessary in-person contact. But worryingly, the answer to the second was a resounding “no.”

As is the case with many of these services, there are some apps that are more popular than others. While we started with the one we were asked to use, it led us to take a closer look at the entire industry.

“The (Mostly) Cold Shoulder”

These days, offering two-factor authentication (2FA), where two different methods are used to verify a user’s login, is pretty standard. EFF has frequently claimed that it is one of the easier ways to increase your security. So it seemed like a basic first step for daycare apps.

In October 2021, we tried to contact one of the most popular childcare services, Brightwheel, about the lack of two-factor authentication on their mobile app. We searched the site for an email to report security concerns and issues, but couldn’t find any.

After some cold emails and a bit of networking, we landed a meeting. The conversation was productive and we were happy to learn that Brightwheel was implementing 2FA for all admins and parents. In fact, the company’s ad claimed they were the “First partner to offer this level of security” in the industry, an interesting statement but also potentially worrying.

Was it true? Supposedly, yes. This prompted us to take a closer look at other popular daycare apps. In April 2022, we reached out to the VP of Engineering for another popular app, HiMama (no response). We then emailed HiMama support about 2FA and received a quick but unpromising response that our feature request would be forwarded to the product team for support. So we dug deeper.

Digging deeper—and a cold story

Looking at several popular daycare and early education apps, we quickly found more issues than just a lack of 2FA. Through static and dynamic analysis of various applications, we discovered not only security issues but also privacy-compromising features: weak password policies, Facebook tracking, cleartext traffic enabled, and vectors for malicious apps to view sensitive data.

As a note about research tools and methodology: we used MobSF and apktool for static analysis of application code, and mitmproxy, Frida, and adb (Android Debug Bridge) for dynamic analysis to capture network traffic and application behavior.
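To make the static-analysis step concrete, here is an added example (not EFF's tooling or code from the original article) that audits a decoded AndroidManifest.xml, such as apktool produces, for two of the issues named above: cleartext traffic and bundled tracking SDKs. The sample manifest is constructed, and treating exported components without a permission as the "vectors for malicious apps" is an assumption, since the article does not say which vectors were found.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Manifest meta-data keys that indicate a bundled third-party SDK.
TRACKER_KEYS = {
    "com.facebook.sdk.ApplicationId": "Facebook SDK",
    "io.branch.sdk.BranchKey": "Branch SDK",
}

# Constructed sample manifest (hypothetical app, not taken from any real APK).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.daycare">
  <application android:usesCleartextTraffic="true">
    <meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/fb_id"/>
    <meta-data android:name="io.branch.sdk.BranchKey" android:value="@string/branch_key"/>
    <activity android:name=".LoginActivity" android:exported="false"/>
    <provider android:name=".PhotoProvider" android:exported="true"
              android:authorities="com.example.daycare.photos"/>
    <provider android:name=".ReportProvider" android:exported="true"
              android:authorities="com.example.daycare.reports"
              android:permission="com.example.daycare.READ_REPORTS"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return a list of (category, detail) findings for a decoded manifest."""
    findings = []
    app = ET.fromstring(xml_text.strip()).find("application")
    if app is None:
        return findings
    # Cleartext HTTP is permitted app-wide when this attribute is "true".
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append(("cleartext", "usesCleartextTraffic=true"))
    for meta in app.iter("meta-data"):
        sdk = TRACKER_KEYS.get(meta.get(ANDROID + "name"))
        if sdk:
            findings.append(("tracker", sdk))
    # Assumption: only explicit android:exported="true" is checked here;
    # implicit export via intent filters on older API levels is not.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            exported = comp.get(ANDROID + "exported") == "true"
            guarded = any(comp.get(ANDROID + p) for p in ("permission", "readPermission"))
            if exported and not guarded:
                findings.append(("exported", comp.get(ANDROID + "name")))
    return findings

if __name__ == "__main__":
    for category, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{category:10} {detail}")
```

A manifest flag only shows what the app is allowed to do; confirming that data actually leaves the device still requires the dynamic capture described above.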

Initially, we had inferred that many of these services would not be aware of their problems, and we planned to disclose any vulnerabilities to each company. However, we found that not only were we not alone in wondering about the security of these apps, we were not alone in receiving little to no response from companies.

In March 2022, a group of academic and security researchers from the AWARE7 agency, the Institute for Internet Security, the Max Planck Institute for Security and Privacy, and the Ruhr University Bochum presented a paper to the PET (Privacy Enhancing Technologies) Symposium in Sydney, Australia. They described the lack of response they received to their own disclosures:

“Precisely because children’s data is at stake and the response in the disclosure process was poor (6 of 42 providers (±14%) responded to our disclosure), we hope that our work will bring attention to this sensitive issue. Daycare administrators, daycare providers and parents can’t review those apps themselves, but they have to help decide which app to introduce.”

In fact, the researchers disclosed vulnerabilities in many of the same apps we were investigating in November 2021. Even though children’s data was known to be at stake, security controls hadn’t yet been put at the top of the agenda in this industry. Privacy issues also remained. For example, the Tadpoles Android app (v12.1.5) sends event-based app activity to Facebook’s Graph API, in addition to very extensive information about the device to branch.io.

Tadpoles Android app using the Facebook SDK to send custom app event data to graph.facebook.com

[Related: How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now]

Extensive information sent to branch.io

In its Privacy Policy, Branch.io claims that it does not sell or “rent” this information, but the data sent to it is very granular, down to the CPU type of the device, creating an extensive profile about the parent/guardian outside of the Tadpoles application. That profile is subject to data sharing in situations such as a merger or acquisition of Branch.io. Neither Branch.io nor Facebook is listed or mentioned in Tadpoles’ Privacy Policy.

A note on cloud security

Another common trend in many daycare apps: relying on cloud services to convey their security posture. These apps often claim to use “the cloud” to provide top-of-the-line security. HiMama, for example, writes in its Internet Safety Statement that Amazon’s AWS “is suitable for running sensitive government applications and is used by more than 300 US government agencies, as well as the Navy, Treasury, and NASA.” This is technically true, but AWS has a particular offering (AWS GovCloud) that is isolated and configured to meet federal standards required for government servers and applications on those servers. In any case, regardless of whether an app uses standard or government-grade cloud offerings, a significant portion of app configuration and security is left up to the developers and the business. We wish HiMama and other similar apps would simply highlight the specific security settings they use in the cloud services they rely on.

Child care needs conflict with informed choice

When a parent has an immediate childcare need and a daycare center opens close to home or work with one place available, they are less likely to pick a fight over which apps the center chooses. And preschools and daycare centers are not required to use a specific app. But they are effectively trusting a third party to act ethically and securely with a school’s children’s data. Regulations like COPPA (Children’s Online Privacy Protection Act) probably don’t apply to these apps. Some service providers appear to refer to COPPA indirectly, with legal language stating that they do not collect data directly from children under 13, and we found a statement in an application committing to COPPA compliance.

Between vague language that could confuse parents about the reality of data security, fewer options for daycares (especially during the first two years of the pandemic), insecure and leaky apps, and a lack of account security controls, parents cannot make a fully informed or sound privacy decision.

Call to Action for Childcare and Early Education Apps

It is crucial that the companies that create these applications do not ignore common and easy-to-fix security vulnerabilities. Providing parents and schools with proper security controls and hardening application infrastructure should be a top priority for a suite of applications handling data from children, especially the very young children served by the daycare industry. We call on all of these services to prioritize the following basic protections and guidelines:

Immediate tasks:

  • 2FA available to all administrators and staff.
  • Resolve known security vulnerabilities in mobile apps.
  • Disclose and list any trackers and analytics and how they are used.
  • Use hardened cloud server images. Additionally, have a process in place to continually update outdated technology on those servers.
  • Lock down any public cloud bucket that hosts videos and photos of children. These should not be publicly available; a child’s daycare and parents/guardians should be the only ones who can access and view this sensitive data.

Those solutions would create a significantly more secure and private environment for data about children too young to speak for themselves. But more can always be done to build apps that create industry benchmarks for children’s privacy.

Strongly Recommended Tasks:

E2EE (end-to-end encryption) messaging between school and parents

Consider communication between schools and parents highly sensitive. The service itself does not need to see the communication that is transmitted between schools and parents.

Create security channels to report vulnerabilities

Both EFF and the AWARE7 (et al.) researchers had trouble finding the right channels when we discovered problems with different applications. It would be great if these companies put a simple security.txt file on their websites so researchers can contact the right people, rather than waiting for a response from company support emails.

At EFF we are also parents. And the current landscape is not fair to parents. If we want a better digital future, it starts by being better stewards today and not allowing a precedent of data leaks that could lead to extensive profiling, or worse, of children who have not yet taken their first steps.
