Thousands of Android apps are tracking children, study finds


That kid’s app might be doing more than keeping your children busy, according to a new international study.

Researchers from the International Computer Science Institute say the majority of popular, free children’s Android apps are tracking data on kids in violation of the Children’s Online Privacy Protection Act, or COPPA, a federal law that regulates data collection from users who are under 13 years old.

The research was published on April 6 and will be presented at the Privacy Enhancing Technologies Symposium in July.

The study looked at 5,855 apps targeted at children, which had each been downloaded an average of 750,000 times, the researchers said. Using a Nexus 5X phone, researchers downloaded top apps targeted toward kids from November 2016 to March 2018, running them for about 10 minutes to simulate an actual user.

The study found thousands of kid-targeted apps were collecting data from the device, some including GPS location and personal information. It’s bound to be a concern for parents, who would need an expert’s level of technical knowledge to figure it out themselves, Serge Egelman, the paper’s co-author, said.

“They’re not expected to reverse-engineer applications in order to make a decision whether or not it’s safe for their kids to use,” Egelman said.

Data privacy concerns have come into focus in the wake of Facebook’s Cambridge Analytica scandal, with people and lawmakers taking a closer look at how much information tech companies have on them. YouTube, which Google also owns, is the subject of a complaint filed earlier this month in which privacy groups said the video site was also violating COPPA.

With apps, people often give permission for ad-tracking in exchange for free service. Children’s apps have a different standard because of COPPA, and typically aren’t allowed to track data without explicit parental consent. The study found that many of these apps targeted to kids were violating that law.

Up to 235 apps were accessing the phone’s GPS data, 184 of which transmitted the device’s location to advertisers, according to the study. These apps, which had 172 million downloads combined, were games like Fun Kid Racing and Motocross Kids — Winter Storm.

Fun Kid Racing alone has more than 10 million downloads, according to the app page. The app’s developers, Tiny Lab Productions, said in an email that its apps are “directed for families,” and not children, because “we see that grownups and teens play our games.” Players are supposed to enter their birth date, and if they are under 13, the app doesn’t collect any data, said Tiny Lab Productions CEO Jonas Abromaitis.

“The researchers must have stated that they are over 13 while performing these simulations,” he said.

Egelman denied that claim and said that even if it was true, it wasn’t relevant to the study. The simulated use was done through a machine randomly pressing buttons, the researcher said. It followed the FTC’s requirement of “verifiable consent,” which means that developers had to take steps to ensure that people knew what information they were giving up.

“If a robot is able to click through their consent screen which resulted in carrying data, obviously a small child that doesn’t know what they’re reading is likely to do the same,” Egelman said.

More than 1,000 of the apps in the study also collected personal information, even though Google’s terms of service prohibit those trackers in kid-targeted apps. Google didn’t immediately respond to a request for comment.

In 2014, Google allowed people to reset their Android Advertising ID, which gave them better control over how online services track their data. Developers are required to only use that ID as a way to track data on users — but the study found that two-thirds of children’s apps don’t allow people to reset that data.

The study also looked at how the apps were transferring the data and found that 40 percent of them failed to do it in a secure way.

Up to 2,344 children’s apps transferring collected data did not use TLS encryption, a security standard that makes sure the data and its recipient are authentic. The security measure is the “standard method for securely transmitting information,” the researchers said.