Over 3,300 Android apps may be violating kids’ privacy, study says

Tomas Foltyn, security writer at ESET
Tomas Foltyn, security writer at ESET
7 years ago

Researchers find that a great portion of popular children’s apps may run afoul of US privacy legislation by improperly collecting data – albeit often probably unintentionally. A response from Google to the unflattering findings wasn’t long in coming.

More than 3,300 children-oriented Android apps on Google Play are possibly gathering kids’ data in an improper manner, which could put the apps in violation of US child privacy legislation, a recent paper has found.

The study, called “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale, examined 5,855 of the most popular children-focused Android apps. It found that “roughly 57%” of the apps – which makes out to 3,337 in number – are potentially violating the US’ Children’s Online Privacy Protection Act (COPPA).

COPPA protects children under 13 from invasive collection of personally identifiable information (PII). The law regulates how apps, games or websites are allowed to gather and process sensitive data from children. In so doing, it prohibits some data collection practices outright while requiring a parent’s consent for others.

The 5,855 apps tested were made by 1,889 developers and have racked up 4.5 billion installs between them. They are listed in 63 different Google Play categories, obviously most of them in various ‘games’ categories.

So what exactly are the apps up to?

The team of seven researchers hailing mainly from US and Canadian universities used an automatic testing process to detect how the apps handled data.

They found that the potential violations came in several forms. For example, 28% of the apps accessed sensitive data protected by Android permissions. Perhaps most worryingly, nearly 5% of all apps collected children’s geolocation or contact information, notably the device owner’s email address or phone number, without the permission of a parent.

Nearly three-fourths (73%) transmitted sensitive data over the internet, but 40% of them didn’t apply reasonable security measures by failing to use Transport Layer Security (TLS), the standard for securing data in transit.

The study also identified potential non-compliance in almost 19% of the apps that collected so-called persistent identifiers (such as the device’s unique IMEI number or WiFi MAC address) with third parties for prohibited purposes, notably user profiling and ad targeting. According to COPPA, these identifiers are considered personal information if they can be used to recognize a user over time and across different websites or online services.

In addition, 39% of the apps transmitted Google’s advertising identifier known as AAID together with another (and immutable) identifier to the same destination, thus apparently acting in breach of the terms of service of the Google Play’s Designed for Families (DFF) program.

The researchers pinned the bulk of the blame for the data slurping on the apps’ inclusion and use of third-party software development kits (SDKs). “While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs,” reads the paper.

Bearing this in mind, the researchers surmise that “many privacy violations are unintentional and caused by misunderstandings of third-party SDKs.”

Over to Google

The researchers acknowledged Google’s steps to ensure compliance with COPPA, but added that “there appears to not be any (or only limited) enforcement”. As a result, they urged the company to be more active in its vetting process.

Meanwhile, Tom’s Guide quoted a Google spokesperson as saying in response to the findings:

“We’re taking the researchers’ report very seriously and looking into their findings. Protecting kids and families is a top priority, and our Designed for Families program requires developers to abide by specific requirements above and beyond our standard Google Play policies. If we determine that an app violates our policies, we will take action. We always appreciate the research community’s work to help make the Android