Mobile apps that help people monitor their children are also leaking parental data to third parties and possibly malicious actors, the researchers found.
The Cybernews research team recently analyzed the top ten most popular child tracking apps. They are basically monitoring apps, designed for parents who fear for their children's safety and want to use their mobile devices to make sure they are safe.
Cumulatively, these apps have amassed over 85 million downloads between them. However, none received the highest rating for privacy, and one app with more than 50 million installs was even rated "critical risk."
One of the problems with these apps is that they contain third-party trackers, which means children and parents have their data collected, the researchers explained. The data can be used for a wide variety of things, but is primarily used for targeted advertising.
While some apps had two trackers, some were found to have up to nine trackers.
One of the apps, which was also among the top 50 free apps in the US social category, was Shared Broadcast Receivers, an Android component that allows apps to respond to messages broadcast by the operating system.
This means the tracker can be accessed by other apps on the device, including malicious apps, giving would-be attackers information about the movement of children, and parents as well.
Additionally, these applications have insecurely implemented Secure Sockets Layer (SSL) certificate management, making them vulnerable to man-in-the-middle attacks. In other words, attackers can "eavesdrop" on data flowing between two applications.
According to some experts, the problem lies in the fact that many application developers can't be bothered to create robust code themselves, instead taking full advantage of open source libraries, often without realizing the risks involved.
"It's like making cheap sausages and you don't know what kind of ingredients are in it. The problem for the end user is that you don't really know everything that's in the app or how many different parties get this information." Karim Hijazi, CEO of cyber intelligence firm Prevailion, told Cybernews.
Via Cybernews (Opens in a new tab)