Betrayed by The Guardian: Security and Privacy Risks of Parental Control Solutions
essential by many parents and schools, and thus are not expected to be removed due to the lack of better alternatives.

We undertake the first comprehensive study to analyze different types of parental control hardware and software solutions. We design a set of security and privacy tests, and systematically analyze popular representative parental control solutions available in network devices, Windows and Android OSes, and Chrome extensions. While developing our comprehensive analysis framework for solutions in multiple platforms, we faced several challenges. Most parental control solutions implement various techniques that hinder traffic analysis (e.g., VPNs, SSL pinning and custom protocols). The use of proprietary firmware and code obfuscation techniques also poses challenges for static analysis. Understanding long-term behaviors of these solutions by running them for hours/days in a realistic way (e.g., triggering all their features) is also time consuming (compared to simple, automated UI fuzzing).

Contributions. Our contributions can be summarized as follows. (i) We developed an experimental framework for systematically evaluating security and privacy issues in parental control software and hardware solutions. (ii) We utilized this framework to conduct the first comprehensive study of parental control tools on multiple platforms, including 8 network devices, 8 Windows applications, 10 Chrome extensions, and 29 Android apps representing 13 Android solutions grouped by vendor.1 The in-depth analysis aims to inspect the apps’ web traffic for personally identifiable information (PII) leakage, insecure API endpoint authentication, potential vulnerabilities, and the presence of third-parties and known trackers. (iii) Our analysis reveals 135 vulnerabilities among the solutions tested and highlights that the majority of solutions broadly fail to adequately preserve the security and privacy of their users—both children and parents.

1 An Android solution is typically composed of a child app, a parent app, and an online parental dashboard. We consider an Android solution vulnerable if any of its components is vulnerable.

Notable findings and disclosure. Our notable findings include:
• The Blocksi parental control router allows remote command injections, enabling an attacker with a parent’s email address to eavesdrop/modify the home network’s traffic, or use the device in a botnet (cf. Mirai [8]). Blocksi’s firmware update mechanism is also completely vulnerable to a network attacker.
• 8/13 Android solutions and 4/8 network devices do not properly authenticate their server API endpoints, allowing illegitimate access to view/modify server-stored children/parents data.
• 5/13 Android solutions allow an attacker to easily compromise the parent account at the server-end, enabling full account control of the child device (e.g., install/remove apps, allow/block phone calls and internet connections).
• 7/13 Android solutions transmit PII via HTTP (e.g., kidSAFE [64] certified Kidoz sends account credentials via HTTP).
• Among the parental control tools with a web interface, 9/13 Android solutions, 4/8 network devices, and 3/8 Windows applications are vulnerable to SSLStrip attacks (cf. [43, 44]), a man-in-the-middle (MITM) attack, due to the lack of HSTS.
• 2/8 Windows applications utilize a TLS proxy that degrades connection security, by accepting certificates and ciphers that are rejected by modern browsers. Another Windows application (Kidswatch) completely lacks HTTPS, and communicates with the backend server via HTTP.
• 2/10 Chrome extensions and 4/13 Android solutions transmit the full URLs from the browser to their server, possibly leaking sensitive (session) information.

As part of responsible disclosure, we contacted the developers of the solutions we analyzed, and shared our findings, including proof-of-concept scenarios and possible fixes. Two months after disclosure, only ten companies responded, seven custom and three automatic replies. Blocksi, KoalaSafe, MMGuardian, KidsPlace, FamiSafe, and FamilyTime responded that they are investigating the issues. Kidoz responded that some of our reported issues are on their fixing backlog, and acknowledged the new vulnerabilities. Other vendors either sent automatic/ambiguous responses, or no response at all. Notable changes after the disclosure: MMGuardian deprecated their custom browser; FamiSafe fixed the Firebase database security issue; and FamilyTime enabled HSTS on their server.

2 RELATED WORK

In this section, we first list a few example cases from real-world data breaches involving parental control tools, and then summarize related academic studies (mostly privacy analyses of Android apps).

Over the past years, several parental control tools have made the news for security and privacy breaches. The teen-monitoring app TeenSafe leaked thousands of children’s Apple IDs, email addresses and passwords [46]. Family Orbit exposed nearly 281 GB of children’s data from an unsecured cloud server [54]. In 2019, a privacy flaw in the Kaspersky anti-virus and parental control application was found [24]. This application included a script to perform content checking on each page intercepted by a TLS proxy. However, some unique IDs were also included in the process, allowing the website to track the user. In 2010, EchoMetrix settled US FTC charges for collecting and selling children’s information to third-parties through their parental control software [25].

Between 2015 and 2017, researchers from the Citizen Lab (citizenlab.ca), Cure53 (cure53.de), and OpenNet Korea (opennetkorea.org) published a series of technical audits of three popular Korean parenting apps mandated by the Korean government, Smart Sheriff, Cyber Security Zone and Smart Dream [4]. The security audits found serious security and privacy issues in the three parental control Android apps. For example, Smart Sheriff failed to adequately encrypt PII either on storage or in transit. Smart Dream allowed unauthorized access to children’s messages and search history.

Feal et al. [28] studied 46 parental control Android apps for data collection and data sharing practices, and the completeness and correctness of their privacy policies. They used the Lumen Android app (see https://haystack.mobi/) for their analysis, which is unable to analyze target apps with VPN or certificate pinning. Parental apps and dashboards are also excluded. Our analysis framework has no such limitations, and consequently we are able to identify new critical security issues (e.g., leakage of plaintext authentication information), even among the apps analyzed by Feal et al.

Reyes et al. [62] analyzed children’s Android apps for COPPA compliance. Out of 5855 apps, the majority of the analyzed apps were found to potentially violate COPPA, and 19% were found to send PII in their network traces. Wisniewski et al. [79] evaluated 42 features
Betrayed by the Guardian ACSAC 2020, December 7–11, 2020, Austin, USA
in 75 parental control Android apps, showing that most apps value control over self-regulation strategies, and boast the use of privacy invasive techniques. Marsh [47] measured the effectiveness and usability of two parental control apps.

Web extensions have been subjected to security evaluation for over a decade (see e.g., [14, 69]), but no past studies focused on parental control extensions. Windows parental control applications have only been studied for the security of their TLS proxies [19]. Similarly, parental control network devices remained unexplored, except the Disney Circle, analyzed by Cisco Talos in 2017, and found to have 23 different security vulnerabilities [77]. Among other devices, we also analyzed Circle, but used a newer version released in 2019.

In contrast to previous work, we conduct a comprehensive, systematic study of security and privacy threats in parental control solutions across multiple platforms: mobile (Android), desktop (Windows), web browser (Chrome extensions) and stand-alone network devices, as popular solutions are available in all these platforms. Our analysis therefore sheds light on the broader picture of security and privacy risks of parental control tools. Compared to existing Android app studies, our framework is more in-depth (e.g., monitoring the apps from the OS instead of the application level), and inclusive (e.g., analyzing apps with VPNs and key pinning).

3 BACKGROUND AND THREAT MODEL

We use the term “parental control tools” to cover different types of parental solutions: network devices, Android apps, Chrome extensions and Windows applications. Personally identifiable information (PII) refers to any information related to the user as defined by the US FTC and Office of the Privacy Commissioner of Canada. Any entity that is not directly related to a parental control solution is labelled as a third-party; this includes but is not limited to trackers and advertisers. In what follows, we briefly discuss some common techniques used by parental control tools, define our threat model, and list the vulnerabilities that we test against each solution.

3.1 Monitoring Techniques

Parental control tools generally allow the parent to remotely control the child device, perform web filtering, and monitor activities on social media. We derive the following monitoring techniques from product documentation, our observations from the installation procedure and use/analysis of these solutions. These techniques vary significantly across platforms, and are grouped here as such.

Network devices. Being network-based, parental control devices can monitor network traffic but cannot inspect the content of encrypted traffic. The devices analyzed act as a man-in-the-middle between the client device and the internet router by using one of two techniques: performing Address Resolution Protocol (ARP) spoofing, or creating a separate access point. ARP spoofing enables the network device to impersonate the internet router on the local network. The device achieves that by sending forged ARP packets that bind the router’s IP with the network device’s MAC address. As a result, all the local network traffic is routed through the device before going to the internet router. Alternatively, the network device may create an explicit access point exclusively for children to enforce parental control filtering on all devices connected to it.

Android apps. Android apps rely on several Android-specific mechanisms, including the following (see Table 6 in the Appendix for per Android solution capabilities). (1) Device administration [5, 67] provides several administrative features at the system level, including: device lock, factory reset, certificate installation, and device storage encryption. (2) Mobile device management (MDM [45]) enables additional control and monitoring features, designed for businesses to fully control/deploy devices in an enterprise setting.2 (3) Android accessibility service [6, 67] enables apps to perform several functions including monitoring user actions by receiving notifications when the user interacts with an app, capturing and retrieving window content, logging keystrokes, and controlling website content by injecting JavaScript code into visited web pages. (4) Notification access enables Android apps to read or dismiss all notifications displayed in the status bar; notifications may include personal information such as contact names and messages. (5) Android VPN, custom browsers, and third-party domain classifiers (e.g., Komodia.com [39]), which are used to filter web content. (6) Facebook [27] and YouTube OAuth [33] features, which are used to monitor the child’s activities on Facebook (e.g., posts and photos), and YouTube (e.g., playlists and comments). (7) Miscellaneous techniques including: having browser history and bookmarks permission, using custom browsers, or TLS interception via Android VPN.

2 Note that MDM features may be just too powerful, and may enable dangerous remote control operations including device wipe. Apple has removed several popular parental control apps from the App Store due to their use of such highly invasive features (https://www.apple.com/ca/newsroom/2019/04/the-facts-about-parental-control-apps/). In contrast, Google Play apparently still allows these features in parental apps.

Windows applications. As opposed to Android parental control apps, Windows applications operate with more privileges, and use the following techniques: (1) TLS interception: a proxy is installed by inserting a self-signed certificate in the trusted root certificate store. This allows the Windows applications to perform content analysis and alter content from HTTPS webpages. (2) Application monitoring: user applications are monitored for their usage and duration. (3) User activity monitoring: some Windows applications take screenshots, record keystrokes, and access the webcam.

Chrome extensions. With appropriate permissions, a parental control extension can use the Chrome API and retrieve the URL contacted by the user, intercept and redirect traffic, and read and modify page content and meta-data including cookies.

3.2 Threat Model

We consider the following attacker types with varying capabilities. (1) On-device attacker: a malicious app with limited permissions on the child/parent device. (2) Local network attacker: an attacker with direct or remote access to the same local network as the child device. This attacker can eavesdrop, modify, and drop messages from the local network. (3) On-path attacker: a man-in-the-middle attacker between the home network and a solution’s backend server. (4) Remote attacker: any attacker who can connect to a solution’s backend server. Attacks requiring physical access to either the child/parent device are excluded from our threat model.
ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al.
3.3 Potential Security and Privacy Issues

We define the following list of potential security and privacy issues to evaluate parental control tools (tested using only our own accounts where applicable). This list is initially inspired by previous work [4, 19, 60, 68], and then iteratively refined by us.
(1) Vulnerable client product: A parental control product (including its update mechanism) being vulnerable, allowing sensitive information disclosure (e.g., via on-device side-channels), or even full product compromise (e.g., via arbitrary code execution).
(2) Vulnerable backend: The use of remotely exploitable outdated server software, and misconfigured or unauthenticated backend API endpoints (e.g., Google Firebase [35] in Android apps).
(3) Improper access control: Failure to properly check whether the requester owns the account before accepting queries at the server-end (e.g., insecure direct object reference).
(4) Insecure authentication secrets: Plaintext storage or transmission of authentication secrets (e.g., passwords and session IDs).
(5) SSLStrip attack: The parental control tool’s online management interface is vulnerable to the SSLStrip attack, possibly due to lack of HSTS enforcement (cf. [43, 44]).
(6) Weak password policy: Acceptance of very weak passwords (e.g., with 4 characters or less).
(7) Online password brute-force: No defense against unlimited login attempts on the online parental login interface.
(8) Uninformed suspicious activities: No notifications to parents about potentially dangerous activities (e.g., the use of parental accounts on a new device, or password changes).
(9) Insecure PII transmission: PII from the client-end is sent without encryption, allowing an adversary to eavesdrop for PII.
(10) PII exposure to third-parties: Direct PII collection and sharing (from client devices) with third-parties.

3.4 Selection of Parental Control Solutions

We chose solutions used in the most popular computing platforms for mobile devices (Android), personal computers (Windows), web browser (Chrome), and selected network products from popular online marketplaces (Amazon).3 We used “Parental Control” as a search term on Amazon and Chrome Web Store and selected eight devices and ten extensions. For Windows applications, we relied on rankings and reviews provided by specialized media outlets (e.g., [13, 38, 52]), and selected eight applications. For Android apps, we searched the following terms on Google Play: “Parental Control” and “Family Tracker”. From a total of 462 apps, we selected 158 apps with over 10K+ installations, and analyzed them automatically. We also downloaded the companion apps for four network devices (the Circle companion app was already in our dataset as it had 50K+ installs). For six of these apps, the developers made available (via their official websites) alternative APKs with additional features. These APKs were also included in the set of automatically analysed apps, adding up to 168 apps. We installed these apps on an Android phone and removed 15 unresponsive/unrelated apps, bringing the total of apps analyzed to 153; 51/153 are pure children apps; 24 are pure parent apps; and 78 are used for both parent and child devices, which we termed “shared apps”. For in-depth analysis, we picked 29 popular Android apps representing 13 parental control solutions. Each solution may include child app(s), parent app(s), and an online parental dashboard.

3 As of May 2020, current market shares according to one estimate (https://gs.statcounter.com) are: Android 72.6%, Windows 77% and Chrome 63.9%.

4 METHODOLOGY

We combine dynamic (primarily traffic and usage) and static (primarily code review/reverse-engineering) analysis to identify security and privacy flaws in parental control tools; for an overview, see Fig. 1. For each product, we first conduct a dynamic analysis and capture the parental control tool traffic during its usage (as parents/children); if the traffic is in plaintext or decryptable (e.g., via TLS MITM), we also analyze the information sent. Second, we statically analyze their binaries (via reverse engineering) and scripts (if available). We pay specific attention to the API requests and URLs present in the code to complement the dynamic analysis. After merging the findings, we look into the domains contacted and check the traffic for security flaws (e.g., TLS weaknesses). Third, we test the security and privacy issues described in Sec. 3.3 against the collected API URLs and requests. Lastly, in case the parental control tool presents an online interface, we assess the password-related issues and test the SSLStrip attack against the login page.

4.1 Dynamic Analysis

We set up test environments for each solution, emulate user actions for hours to days, collect the traffic from the child, parent, and network devices, and then perform relevant analysis (see Sec. 3.3).

4.1.1 Usage Emulation and Experimental Setup. We analyze each solution by manually mimicking regular users’ operations with the goal of triggering parental control mechanisms. We test for potential vulnerabilities in these mechanisms (see Sec. 4.1.2). We evaluate the web filtering mechanism by visiting a blocked website (gambling/adult) and a university website. We also perform user activities monitored by platform-specific parental control features (see Sec. 3.1, and Table 6 in the Appendix), and evaluate the solution’s operations. For example, on Android, we perform basic phone activities (SMS, phone call) and internet activities (instant messaging, social media, browsing, and accessing blocked content).

The network devices are evaluated in a lab environment by connecting them to an internet-enabled router (like in a domestic network setup) with the OpenWrt firmware [51]. We use test devices with web browsing to emulate a child’s device. If the parental control device uses ARP spoofing, the test device is connected directly to the router’s wireless access point (AP); see Fig. 2 (a). Otherwise, the test device is connected to the parental control device’s wireless AP; see Fig. 2 (b). We capture network traffic on both the test device and the router using Wireshark and tcpdump, respectively.

For Android apps, we maintain two experimental environments to concurrently record and inspect network traffic originating from the child and parent apps. We examine the child apps using a Samsung Galaxy S6 phone running Android 7.0; for the parent apps, we use a Nexus 4 with Android 5.1.1. We run a full Linux distribution with mitmproxy [48] and tcpdump on each experimental environment by installing Linux Deploy [7], and configured Android’s network settings to proxy all traffic going through the WiFi adapter to the mitmproxy server. This enables us to capture the network traffic directly within the mobile devices.
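As an added illustration of the traffic-analysis step of this methodology (the check for PII and authentication secrets leaked in captured traffic, detailed in Sec. 4.1.2, mapped to issues (4), (9) and (10) of Sec. 3.3), the following is example code that is not from the paper: the PII values, host names, first-party host list and captured requests are all constructed stand-ins for the paper's Table 8 and real captures.

```python
"""Added example (not the paper's own code): a compact version of the
Sec. 4.1.2 check for PII and authentication secrets leaked in captured traffic,
including leaks hidden by URL/base64 encoding or by hashing the value."""
import base64
import binascii
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the paper's PII list (Table 8): label -> test value.
PII = {
    "email": "parent@example.com",
    "child_name": "Alice Doe",
    "password": "hunter22",
    "phone": "5145551234",
}

# Hypothetical first-party hosts of the solution; any other host is a third party.
FIRST_PARTY = {"api.example-parental.test", "app.example-parental.test"}

# Hash algorithms the paper applies to each PII value to catch obfuscated leaks.
HASHES = ("md5", "sha1", "sha256", "sha512")

# Base64-looking tokens of at least 8 characters, with optional trailing padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def pii_forms(value):
    """Map form name -> needle: the lowercased plaintext plus each hash digest."""
    forms = {"plaintext": value.lower()}
    for algo in HASHES:
        forms[algo] = hashlib.new(algo, value.encode()).hexdigest()
    return forms


def decodings(blob):
    """Yield the raw text, its URL-decoded form, and any base64-decodable tokens."""
    yield blob
    yield unquote(blob)
    for token in B64_TOKEN.findall(blob):
        try:
            yield base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not really base64 (wrong length or padding)


def scan_record(rec):
    """Return one finding per (PII label, field) leaked by one captured request.

    rec: {"url": str, "headers": {name: value}, "body": str}. The fields
    examined mirror the paper: request URL, Referer, Cookie and payload."""
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    headers = rec.get("headers", {})
    fields = {
        "url": rec["url"],
        "referer": headers.get("Referer", ""),
        "cookie": headers.get("Cookie", ""),
        "body": rec.get("body", ""),
    }
    findings = []
    for field, blob in fields.items():
        if not blob:
            continue
        haystacks = [d.lower() for d in decodings(blob)]  # case-insensitive match
        for label, value in PII.items():
            for form, needle in pii_forms(value).items():
                if any(needle in hay for hay in haystacks):
                    findings.append({
                        "pii": label, "field": field, "form": form, "host": host,
                        "plaintext_http": parts.scheme == "http",
                        "third_party": host not in FIRST_PARTY,
                    })
                    break  # one finding per label per field
    return findings


def scan_traffic(records):
    """Scan every captured request and concatenate the findings."""
    return [f for rec in records for f in scan_record(rec)]


def issues(findings):
    """Map findings onto the Sec. 3.3 issue names (4), (9) and (10)."""
    out = set()
    for f in findings:
        if f["plaintext_http"]:
            out.add("insecure authentication secrets" if f["pii"] == "password"
                    else "insecure PII transmission")
        if f["third_party"]:
            out.add("PII exposure to third-parties")
    return out


# Constructed sample capture (not real traffic): a plaintext HTTP login, a third-party
# beacon carrying base64 PII plus a leaky Referer, and a hashed phone number in a cookie.
SAMPLE_TRAFFIC = [
    {"url": "http://api.example-parental.test/login", "headers": {},
     "body": "user=parent%40example.com&pass=hunter22"},
    {"url": "https://tracker.example-ads.test/collect?u=cGFyZW50QGV4YW1wbGUuY29t",
     "headers": {"Referer": "https://app.example-parental.test/child/Alice%20Doe"},
     "body": ""},
    {"url": "https://api.example-parental.test/sync",
     "headers": {"Cookie": "uid=" + hashlib.sha256(b"5145551234").hexdigest()},
     "body": ""},
    {"url": "https://api.example-parental.test/static/logo.png", "headers": {},
     "body": ""},
]

if __name__ == "__main__":
    for finding in scan_traffic(SAMPLE_TRAFFIC):
        print(finding)
    print(sorted(issues(scan_traffic(SAMPLE_TRAFFIC))))
```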
[Figure 1 (overview of the analysis framework, flowchart): Start → Dynamic analysis: check for communication flaws → Insecure PII transmission, Insecure authentication secret, Improper access control; Is traffic decryptable? Yes → Analyze URLs and APIs → Extract domains contacted → Vulnerable backend; No → End. Is code accessible? Yes → Extract/download source code → Perform code analysis → Vulnerable client product; No → End. Has an online interface? Yes → Online interface analysis: assess password related issues → Weak password policy, Online password brute-force, Uninformed suspicious activities, Lack of HSTS enforcement; No → End.]

[Figure 2 panels: (a) Client device, Network device and Router on the same link, with the network device's spoofed connection to the client device, then Internet; (b) Client device → Network device → Router → Internet.]
Figure 2: Network devices test environment. Wireshark is installed on both the client device and home router.
We test each Windows application and Chrome extension on a fresh Windows 10 virtual machine with Chrome, tcpdump and mitmproxy installed. We intercept inbound and outbound traffic using mitmproxy on the host, and record packets using tcpdump.

4.1.2 Traffic Analysis. After intercepting traffic, we parse and commit the collected tcpdump traffic to an SQLite database and check for the following security and privacy related issues.

PII and authentication secrets leakage. We examine the collected traffic to check for PII and authentication secrets transmitted in plaintext, or leakage of PII to third-party domains. We create a list of possible PII (see Table 8 in the Appendix) that can be leaked via the Request URL, Referer, HTTP Cookie, requests’ payload, and LocalStorage. We automatically search for PII items (i.e., case insensitive partial string match) in the collected traffic, and record the leaked information, including the HTTP request URL. We decode the collected network traffic using common encodings (base64 and URL encoding) and encode possible PII using hashing algorithms (MD5, SHA1, SHA256, and SHA512) to find obfuscated leaks.

Improper access control. We parse the traffic to find API endpoints with improper access control. First, we try to identify all the APIs that can be potentially exploited (without strong authentication), using Postman (postman.com) to replay the recorded HTTP request stripped of authentication headers (e.g., cookies and authorization header). Any request successfully replayed is labeled as potentially vulnerable (in a database). Afterwards, we retrieve the parameters used by these APIs (e.g., keys, tokens, or unique IDs), and assess the parameters in terms of their predictability and confidentiality. For instance, we deem a device’s access control insecure if its own MAC address is used for API endpoint authentication, as the MAC address can easily be found by an attacker on the local network.

Identifying trackers. We use EasyList [21], EasyPrivacy [22], and Fanboy [23] to identify known trackers. We also add known
trackers from past work [58, 75] to our list. To identify third-party SDKs in the parental control tools’ traffic, we use the WHOIS [57] registration record to compare the SDK owner name to the parental control website owner. In cases where the SDK information is protected by the WHOIS privacy policy, we visit the SDK’s domain to detect any redirect to a parent site; we then look up the parent site’s registration information. If this fails, we manually review the SDK’s “Organization” in its TLS certificate, if available. Otherwise, we try to identify the SDK owner by searching in crunchbase.com.

4.1.3 Backend Assessment. Due to ethical/legal concerns, we refrain from using any invasive vulnerability scanning tools to assess backend servers. Instead, we look into the backends’ software components as disclosed by web servers or frameworks in their HTTP response headers, such as “Server” and “X-Powered-By”. We then match these components against the CVE database to detect known vulnerabilities associated with these versions. Additionally, we use the Qualys SSL Test (Qualys 2020: ssllabs.com) to evaluate the security of the SSL configuration of the parental control tools’ backends.

4.1.4 Challenges. During the interception and traffic analysis phase, we encountered several challenges. We summarize them here, including the tools and techniques we use to address them.

Network traffic attribution. On Android apps, a key issue is to identify the process that generated the traffic in the absence of the packets’ referral metadata. We test how the app behaves when the child uses her device normally (e.g., phone calls, messaging, browsing). These activities produce a large amount of traffic that we need to match to the corresponding processes. We use the mitmproxy addon [48] to call netstat to detect the process name for every packet. We directly use netstat from the underlying Linux kernel (in our Linux Deploy setup) to capture the process ID and process name as soon as a connection is created, while previous work [41, 59] read and parse the system proc directory from the Android Linux kernel by checking the directory periodically. This past approach misses connections that are opened and closed before the next time they check the proc directory, while our approach looks into the live connection as soon as a connection is created. We may only miss very short-lived connections that are not detected by netstat. To the best of our knowledge, we achieve more reliable traffic-process attribution compared to past work. We leave a full evaluation of the effectiveness of the technique to future work.

Traffic interception. Most network devices use TLS for communicating with their backends. This prevented us from inserting a root certificate on these devices, so some of the network traffic generated by them is completely opaque to us. In these cases, we rely on static analysis of the device’s firmware. In cases where an Android app uses certificate pinning to refuse server certificates signed by any CA other than the pinned certificate in the app, we use SSLUnpinning [1] to attach several hooks in the SSL classes in order to bypass this feature and intercept the communication. In cases where the child app installs a VPN on the child device to filter and block websites, we intercept the traffic by deleting the VPN configuration from the Android settings on the child device. If the app stops functioning without the VPN, we update the app configuration file whenever possible to disable the setup of the VPN on startup of the app on the child device. One Windows application, Qustodio, uses its own encrypted certificate store, for which we extract the associated TLS proxy private key by dumping the process memory.

It is possible that due to our employed measures for traffic analysis and attribution (e.g., rooted device, disabled VPN), some parental control solutions may have functioned differently, which is difficult to verify due to the use of heavily obfuscated code. Hence, our findings may be the lower end of the actual privacy exposure.

4.2 Static Analysis

Our static analysis aims to complement the dynamic analysis whenever we could not decrypt the network traffic (e.g., in case of network devices using TLS). We use static analysis to identify PII leakage, contacted domains, weak security measures (e.g., bad input sanitization), or potential flaws in implemented mechanisms.

Network devices. We analyze the network device firmware whenever possible. We either attempt to extract the firmware directly from the device (via JTAG, UART, or ICSP interfaces), or download the device firmware from the vendor’s website. We found 3/8 network devices with an accessible serial UART port (KoalaSafe, Blocksi, and Fingbox) that we used to extract the firmware from the devices. Another device (Circle) made its firmware available online. Among the remaining devices (without access to their firmware), we scan for the presence of open remote admin services (e.g., SSH), which are often closed or key-protected. To identify vulnerable services, we scan the network devices with several tools (OpenVAS, Nmap, Nikto [16] and Routersploit [61]), and match the identified software versions against public vulnerability databases.

Chrome extensions. We manually analyze the source code of the Chrome extensions, which mainly consists of scripts, separated into content scripts and background scripts. As most Chrome extensions’ codebases are relatively small, and do not involve serious obfuscation, we can investigate their operations and detect security and privacy issues (e.g., PII leakage, common JavaScript vulnerabilities).

Android apps. We perform an automated analysis on all 153 Android apps using Firebase Scanner [63] to detect security misconfigurations in Firebase.4 We also use LibScout [10] to identify third-party libraries embedded in these apps. Since LibScout does not distinguish which libraries are used for tracking purposes, we use Exodus-Privacy [56] to classify tracking SDKs. We use MOBSF [49] to extract the list of third-party tracking SDKs from all 153 apps based on Exodus-Privacy’s tracker list.

4 Google Firebase (https://firebase.google.com/) provides support for backend infrastructure management for Android apps.

4.3 Online Interface Analysis

The online user interface is the primary communication channel between parents and parental control tools. It displays most of the data collected by the solutions, and may remotely enable more intrusive features. Compromising the parent account can be very damaging, and thus we evaluate the security of this interface.

SSLStrip attack. To check for SSLStrip attacks, we first set up a WiFi AP with mitmproxy, SSLStrip2 [40] and Wireshark installed. Then, we connect the parental control tool to our WiFi access point. Wireshark is utilized to record network traffic while mimicking common use case scenarios with the goal of triggering all parental control monitoring and control UI and API requests, looking for
signs of a successful SSL stripping attack in the traffic. We confirm the effectiveness of the attack by comparing the result to the corresponding traffic in a regular testing environment (i.e., without SSLStrip).

Weak password policy. During the parental control tool's account creation, we evaluate its password policy. We adopt a fairly conservative stance and only label as weak a password policy that accepts passwords of 4 characters or fewer.

Online password brute-force. We use Burp Suite [55] to perform password brute-force attacks on our own online accounts. To keep the load on the server minimal, we test for the presence of defensive mechanisms (e.g., rate limiting or account lockout) with 50 attempts on our account from a single computer.

Uninformed suspicious activities. To determine whether the solution reports suspicious activities, we test two scenarios in which the user should be notified: modification of the user's password, and connection to the account from a new/unknown device. We deem a parental control tool that does not alert the user (e.g., via email) in either case to be vulnerable.

5 RESULTS

Following the methodology in Sec. 4, we analyzed the parental control tools between Mar. 2019 and May 2020, which include: 8 network devices, 29 Android apps representing 13 Android solutions, 10 Chrome extensions and 8 Windows applications. We also performed an automated analysis of 153 parental control Android apps to detect vulnerable backend databases and check for tracking SDKs. In this section, we report our findings on the tested security and privacy issues (as outlined in Sec. 3.3); for an overview, see Table 1.

5.1 Vulnerable Client Product

Network devices. The importance of securing the update mechanism has been known for years, cf. [11]. Surprisingly, the Blocksi firmware update happens entirely over HTTP. An integrity check is done on the downloaded binary image using an unkeyed SHA256 hash that is itself retrieved over HTTP, which renders the check useless: an attacker who can replace the image can replace the hash as well. Therefore, an on-path attacker can trivially alter the update file and inject their own malicious firmware into the device. We confirmed this vulnerability to be exploitable. We also found another vulnerability that enables executing a command as root on the Blocksi device via command injection (i.e., unsanitized user input is passed directly to a system shell for execution). We confirmed this vulnerability to be exploitable by sending a router_setGeneralSettings request to the Blocksi API endpoint and injecting a command in the timezone field of the request parameters. The settings change triggers a WebSocket Secure (WSS) message to the Blocksi device. The device then reads the new configuration from the API endpoint and updates its local configuration (see footnote 5).

We also found that KoalaSafe runs the Dropbear v2014.63 SSH server/client (released on Feb. 19, 2014), which is associated with four known remote code execution vulnerabilities. Under certain conditions, the KoalaSafe device opens a reverse SSH tunnel through its backend server, exposing the vulnerable Dropbear SSH server to an attacker outside the local network. By calling a KoalaSafe API endpoint (see footnote 6), an external attacker can detect when a reverse SSH tunnel is open using only the victim device's MAC address. If the tunnel is open, the API endpoint responds with the tunnel's port number, and 0 otherwise. For large-scale exploitation, an attacker can query the aforementioned API endpoint to enumerate all KoalaSafe devices with the reverse tunnel open. This enumeration is feasible as KoalaSafe uses the GuangLia network interface card (NIC), and MAC addresses assigned to GuangLia NICs [70] are limited to only 2^20 values.

Android apps. We found that 3/13 Android solutions (FamiSafe, KidsPlace and Life360) do not encrypt user data stored on shared external storage, which can be accessed by any other app holding the permission to access the SD card. Examples of the sensitive information include: the parent's email and PIN code, phone numbers, the child's geolocation data, messages and social media chats, visited websites, and even authentication tokens, which enabled us to read private information from the child account remotely.

We also found that Kidoz, KidsPlace, and MMGuardian use custom browsers to restrict and filter web content. The three browsers fail to enforce HSTS, and lack a persistent visual indication when a website is served over HTTP. The KidsPlace safe browser keeps the address bar that shows the visited URL to help with visual identification. However, MMGuardian shows the URL in the address bar only until the page is fully loaded, after which the URL is replaced with the webpage title. Following our disclosure, MMGuardian removed their custom browser.

Windows applications and Chrome extensions. Other than Kidswatch, all tested Windows applications relied on TLS proxies to operate. Some of these proxies do not properly perform certificate validation. For example, Qustodio and Dr. Web accepted intermediate certificates signed with SHA1, despite the enhanced collision attack on SHA1 [42]. Dr. Web also accepted 1024-bit Diffie-Hellman (considered weak [2], and deprecated in Safari and Chrome since 2016 [15]). In addition, none of the proxies rejected revoked certificates. We also found that upon uninstallation of these applications, the root certificates associated with the proxies remained in the Windows trusted root certificate store, with four of them having a validity period of over one year.

Two Chrome extensions (Adult Blocker and MateCode Blocker) download and run a third-party tracking script at run time. The domains hosting the scripts are not apparently related to the extension providers (or to libraries from well-known companies). Note that scripts loaded at run time bypass Chrome's static extension security review, which has been exploited in the wild by tricking developers into adding malicious scripts masquerading as tracking scripts [34].

5.2 Vulnerable Backend

Network devices. Examples of vulnerable software components from our analysis of backend server API endpoints include: Apache 2.4.34 with 11 CVEs in KoalaSafe; PHP 7.0.27 with 26 CVEs in KidsWifi; and Nginx versions with the same 3 CVEs in KidsWifi, Circle, HomeHalo and Fingbox. Blocksi's API endpoint only indicates that it runs on OpenResty and Google Frontend (no version info).

Android apps. Since 115/153 Android apps use Google Firebase as a backend service, we analyzed their Firebase configuration for security issues by performing an automated analysis using Firebase Scanner [63].

Footnote 5: The timezone value is passed as tz to ["echo" + tz + "> /etc/TZ"]. Thus, if tz is "$(ls)", the ls command would be executed and its output written to /etc/TZ.
Footnote 6: https://api.koalasafe.com/api/router/[MACaddress]/et
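The Blocksi update flaw in Sec. 5.1 is worth seeing end to end, because the "integrity check" is not merely weak but contributes nothing. The following Python simulation is an added example (not Blocksi code, and the image bytes, key and function names are constructed for illustration): a vendor serves an image with an unkeyed SHA-256 and, for comparison, a keyed MAC; an on-path attacker rewrites the image and recomputes the hash; the device then runs both checks. The keyed check uses HMAC with a shared key only to keep the example in the standard library; a production updater should pin a vendor public key in firmware and verify a signature, so that no verifying secret can be extracted from the device.

```python
import hashlib
import hmac
from typing import Any, Callable, Dict, Optional, Tuple

# Assumed secret shared by the vendor build system and the device (illustrative
# only; a real updater pins a vendor *public* key and verifies a signature).
VENDOR_KEY = b"assumed-vendor-signing-key"


def vendor_publish(image: bytes) -> Dict[str, Any]:
    """The vendor serves the image, its unkeyed SHA-256, and a keyed MAC."""
    return {
        "image": image,
        "sha256": hashlib.sha256(image).hexdigest(),
        "mac": hmac.new(VENDOR_KEY, image, hashlib.sha256).hexdigest(),
    }


def on_path_attacker(served: Dict[str, Any], malicious: bytes) -> Dict[str, Any]:
    """Rewrite both the image and the hash in transit.

    The hash needs no secret, so the attacker recomputes it. The MAC cannot be
    forged without VENDOR_KEY, so the stale one is left in place.
    """
    tampered = dict(served)
    tampered["image"] = malicious
    tampered["sha256"] = hashlib.sha256(malicious).hexdigest()
    return tampered


def check_unkeyed(served: Dict[str, Any]) -> bool:
    """The flawed Blocksi-style check: image hash vs. a hash fetched over the same HTTP channel."""
    return hmac.compare_digest(hashlib.sha256(served["image"]).hexdigest(), served["sha256"])


def check_keyed(served: Dict[str, Any]) -> bool:
    """Verify a MAC computed with a key the on-path attacker does not hold."""
    expected = hmac.new(VENDOR_KEY, served["image"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, served["mac"])


def install(served: Dict[str, Any], check: Callable[[Dict[str, Any]], bool]) -> Optional[bytes]:
    """Flash the image only if the integrity check passes; None means rejected."""
    return served["image"] if check(served) else None


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """(image installed by the unkeyed device, image installed by the keyed device)
    after an on-path attacker swapped the update."""
    genuine = b"\x7fELF genuine firmware v1.2"   # constructed sample image
    evil = b"\x7fELF backdoored firmware"        # constructed attacker image
    served = on_path_attacker(vendor_publish(genuine), evil)
    return install(served, check_unkeyed), install(served, check_keyed)


if __name__ == "__main__":
    unkeyed, keyed = demo()
    print("unkeyed check installed:", unkeyed)   # the backdoored image
    print("keyed check installed:  ", keyed)     # None: update rejected
```

The point of the simulation is the attacker function: everything it needs to pass the unkeyed check travels over the same channel it controls. Moving the hash to HTTPS while leaving the image on HTTP would help, but only a key (or signature) the attacker cannot produce binds the image to the vendor.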
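Footnote 5 describes the Blocksi timezone injection as a shell command built by string concatenation. The following Python program is an added example, not Blocksi firmware: it reproduces that pattern (an assumed handler that runs `echo <tz> > <file>` through a shell) next to a hardened handler that validates the value against a POSIX TZ character allowlist and writes the file without any shell. The target path is a temporary file (an assumption, so the demo runs unprivileged) rather than /etc/TZ.

```python
import os
import re
import subprocess
import tempfile
from typing import Dict

# Characters that can appear in a POSIX TZ string such as "EST5EDT,M3.2.0,M11.1.0"
# or "<+0530>-5:30". Quotes, $, backticks, ; and whitespace are all rejected.
_TZ_RE = re.compile(r"[A-Za-z0-9+\-:,./<>]{1,64}")


def set_timezone_vulnerable(tz: str, tz_file: str) -> str:
    """Unsanitised input interpolated into a shell command line (the flaw)."""
    subprocess.run(f"echo {tz} > {tz_file}", shell=True, check=False)
    with open(tz_file) as f:
        return f.read()


def set_timezone_hardened(tz: str, tz_file: str) -> str:
    """Allowlist-validate the value and write the file directly; no shell involved."""
    if not _TZ_RE.fullmatch(tz):
        raise ValueError("rejected timezone value: %r" % tz)
    with open(tz_file, "w") as f:
        f.write(tz + "\n")
    with open(tz_file) as f:
        return f.read()


def demo(payload: str = "$(id -un)") -> Dict[str, str]:
    """Run both handlers on a benign value and on an injection payload."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "TZ")
        results["vuln_benign"] = set_timezone_vulnerable("UTC0", path).strip()
        # Injection: the shell expands $(...) before echo runs, so the file
        # receives the command's output instead of the literal string.
        results["vuln_payload"] = set_timezone_vulnerable(payload, path).strip()
        results["hard_benign"] = set_timezone_hardened("EST5EDT,M3.2.0,M11.1.0", path).strip()
        try:
            set_timezone_hardened(payload, path)
            results["hard_payload"] = "accepted"
        except ValueError:
            results["hard_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that escaping the value for the shell is the wrong fix here; the configuration value never needs a shell at all, and an allowlist tied to the expected format (a TZ string) is both simpler and easier to audit than a blocklist of metacharacters.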
ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al.

Table 1: Overall results for security flaws in parental control tools, labelled following the threat model in Sec. 3.2. Cell symbols (circles of differing fill in the original) denote the attacker type: on-device attacker; local network attacker; on-path attacker; remote attacker. -: not applicable; blank: no flaw found. In case the vulnerability can be exploited by 2 types of attackers, we display the fullest circle applicable.

[Table 1 body: only the row and column headings survive this extraction; the per-cell markings do not.]

Columns (products, by category):
Network devices: Blocksi Router, Circle Home Plus, FingBox, HomeHalo, KidsWifi, KoalaSafe, Roqos
Android solutions: FamilyTime, FamiSafe, FindMyKids, KidControl, Kidoz, KidLogger, KidsPlace, MMGuardian, MobileFence, Qustodio, ScreenTime, SecureTeen
Chrome extensions: Anti-porn addon, Blocksi Web Filter, FamilyFriendly Parental Control, MateCode Blocker, MetaCert, Parental Control, Porn Blocker, TinyFilter
Windows applications: Bitdefender, Dr. Web, Kaspersky, Kidswatch, Kurupira, Norton, Qustodio, Spyrix

Rows (security flaws): Vulnerable client product; Vulnerable backend; Improper access control; Insecure authentication secret; SSLStrip attack; Online password bruteforce; Weak password policy; Uninformed suspicious activities; Insecure PII transmission; PII exposure to third-parties.
Critical misconfigurations can allow attackers to retrieve all the unprotected data stored on the cloud server. We followed a similar approach to Appthority's work [9] on scanning apps for Firebase misconfigurations. We found 8/153 Android apps with insecure Firebase configurations. We then evaluated the type of sensitive data exposed by each app to determine the impact of the data being leaked. For ethical reasons and to protect other customers' privacy, we created a parental account on the eight apps. Then, we updated the Firebase scanner to automatically search for our test data in the server's response and record the information leaked from our own account. We found three apps exposing personal information: 1) FamiSafe with 500K+ installs exposes the parent email; 2) Locate with 10K+ installs exposes the child name, phone number, and email; and 3) My Family Online with 10K+ installs exposes the child name, child and parent phone numbers, parent email, and the apps installed on the child phone. FamiSafe fixed the Firebase security issue following our disclosure. Additionally, we found that the MMGuardian, MobileFence, and SecureTeen servers support RC4, and that the SecureTeen backend is vulnerable to the POODLE attack.

Windows applications. We found that some Windows applications' servers also do not use ideal TLS configurations. For instance, Qustodio's server has an intermediate certificate signed with SHA1 in its chain of trust. Qustodio and KidLogger servers support the RSA key exchange, which lacks forward secrecy.

5.3 Improper Access Control

Network devices. The KoalaSafe API login endpoint requires three parameters that are available to anyone on the local network: a device-generated authentication token, the device's date and time, and the device's MAC address. These parameters can be obtained by visiting endpoints hosted by the KoalaSafe device (see footnote 7). Thus, a local network attacker can easily collect the information needed for authentication and use the API endpoint to access sensitive information such as the profile name, email address, and browsing history.

For Blocksi's login API endpoint, the device's serial number (SN) and the registered user's email are required to authenticate the device to the server. However, a remote attacker needs to know only one of these parameters to authenticate, because a remote attacker can retrieve a user's email using their device SN, or vice versa (see footnote 8). By sending both parameters to the API endpoint in a POST message, any remote attacker can authenticate to the server and access sensitive information about the home network, e.g., the WiFi password and the MAC addresses of connected devices.

The HomeHalo device uses only the device's SN and an HTTP header called secretToken to authenticate to its API endpoint. In our case, the secretToken had a fixed value of 100500. An on-path attacker can intercept and modify these messages, and gain access to admin controls, e.g., reading or changing the wireless SSID, the wireless password, or even the device's root password. Other privacy-sensitive information is also exposed, including the devices connected to HomeHalo's network and the parental control profile setup.

The Circle Home Plus creates a profile for each child and stores it locally on the device, including the child's age group, usage history and statistics, photo, and username (i.e., some parents may use the child's name). We identified two API endpoints used to transmit child information in plaintext over the local network. The first API endpoint (see footnote 9) sends the child account's usage history and statistics, and the profileID. It insecurely relies on the requester's MAC address to identify the child device and communicate sensitive information. This API endpoint is called whenever a child device attempts to access a restricted domain. The second API endpoint (see footnote 10) fetches the profile photo corresponding to the received profile ID.

Footnote 7: The authentication token and device time are available at https://device.koalasafe.com/auth.lua, and the MAC address at https://device.koalasafe.com/status.lua.
Footnote 8: For SN to email, use https://service.block.si/config_router_v2/router_checkRouters/null/[SN], and for email to SN, https://service.block.si/config_router_v2/router_checkRouters/[email].
Footnote 9: http://10.123.234.1/api/USERINFO?host=ios&nocache=1572292313630 HTTP/1.1
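The Firebase check described at the start of Sec. 5.2 reduces to two steps: find the Realtime Database hosts an app references, then request `/.json` on each and read the reply. The following Python code is an added example, not the paper's Firebase Scanner [63] or Appthority's tool: it extracts `*.firebaseio.com` hosts from an app's decoded strings with a regular expression and classifies the reply to `/.json`, distinguishing a database that requires authentication (HTTP 401, "Permission denied") from one that is readable without credentials. The network layer is a stub over constructed replies, and every project name is made up, so the example runs offline; for a live scan of projects you are authorised to test, replace `offline_fetch` with a real GET. Newer projects may also use regional `*.firebasedatabase.app` hosts, which the pattern below does not cover.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

FIREBASE_HOST_RE = re.compile(r"https?://([a-z0-9-]+\.firebaseio\.com)", re.I)


def extract_firebase_hosts(app_strings: str) -> List[str]:
    """Unique Firebase hosts referenced in an app's strings/resources."""
    return sorted({m.group(1).lower() for m in FIREBASE_HOST_RE.finditer(app_strings)})


def classify(status: int, body: str) -> str:
    """Map the reply to GET https://<host>/.json to a finding.

    401 with "Permission denied"  -> rules require auth (expected)
    200 with body "null"          -> readable but empty (misconfigured, low impact)
    200 with data                 -> unauthenticated read of the whole tree (critical)
    """
    if status == 401:
        return "protected"
    if status == 404:
        return "not-found"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        return "open-empty" if data is None else "open-data"
    return "unknown"


def scan(app_strings: str, fetch: Callable[[str], Tuple[int, str]]) -> Dict[str, str]:
    """Scan every Firebase host found in app_strings using fetch(url) -> (status, body)."""
    findings: Dict[str, str] = {}
    for host in extract_firebase_hosts(app_strings):
        status, body = fetch(f"https://{host}/.json")
        findings[host] = classify(status, body)
    return findings


# Constructed sample inputs: strings a decoder might emit for an APK, and canned
# replies standing in for the network. The project names are invented.
SAMPLE_STRINGS = """
https://demo-kidsapp-1234.firebaseio.com/
https://demo-kidsapp-1234.firebaseio.com/users
https://demo-locked-5678.firebaseio.com
com.google.firebase.database.DatabaseReference
"""

CANNED: Dict[str, Tuple[int, str]] = {
    "https://demo-kidsapp-1234.firebaseio.com/.json":
        (200, '{"users": {"1": {"email": "parent@example.org"}}}'),
    "https://demo-locked-5678.firebaseio.com/.json":
        (401, '{"error": "Permission denied"}'),
}


def offline_fetch(url: str) -> Tuple[int, str]:
    """Stub for the HTTP layer; returns the canned reply or a 404."""
    return CANNED.get(url, (404, ""))


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_STRINGS, offline_fetch).items():
        print(f"{host}: {finding}")
```

As the text notes, a scan of this kind against other people's data must stop at classifying the reply; the paper's approach of seeding the database with a test account and searching only for that data is the ethical way to measure impact.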
Android apps. We found that 8/13 Android solutions lack authentication for accessing PII. Prominent examples include the following. In FamilyTime, a six-digit parameter childID is generated through a sequential counter incremented by one per user. An attacker can retrieve the child's name, gender, date of birth, email address, and phone number through an API request that requires only the childID value. Hence, an attacker can remotely exploit this vulnerability at a large scale, simply by trying all 6-digit values (see footnote 11). In FamiSafe, an attacker can retrieve all the child's social media messages and YouTube activities labeled as suspicious through an API request that requires the following parameters: deviceid, memberid, client_sign, and an access token. However, any app installed on the child device can read these parameters from the FamiSafe log file on the shared external storage (see footnote 12).

5.4 Insecure Authentication Secret

Network devices. During the setup procedure of KidsWifi, the device creates an open wireless AP with SSID "set up kidswifi", making it temporarily vulnerable to eavesdropping. The parent has to use this AP's captive portal to configure the KidsWifi device to connect to the home network. Consequently, as this AP is open and the client-device communication happens over HTTP, the home router's WAN and KidsWifi's LAN credentials become available to local attackers. We deem this a minor risk as the vulnerability is only present for a limited duration (during device setup), and the attacker must be within close proximity.

Android apps. In SecureTeen, we found an API endp

oint that can be used to authenticate the user to the parental control account. This API endpoint enables any adversary to remotely compromise any parental account by knowing only the parent's email. When the API request is invoked by the browser, the adversary is logged in to the parental dashboard and obtains full access to the parent account, including the ability to monitor and control the child device (see footnote 13). Kidoz exposes the user email and password over HTTP when the "Parental Login" link is clicked from the https://kidoz.net home page. KidsPlace and Qustodio leak session authentication cookies via HTTP, with validity periods of one year and two hours respectively. Even with the 2-hour cookie in Qustodio, the attacker can easily access sensitive information about the child, including the child's current location and history of movements. The attacker can also access remote control functions on the child phone, such as blocking all incoming/outgoing calls. In the case of KidsPlace, the attacker can access a wide spectrum of remote control functions on the child phone, such as: disable the Internet, silently install a malicious app on the child device, or upload harmful content to the child mobile. The attacker can also lock the child phone, making her unable to contact the parent or perform an emergency call.

5.5 SSLStrip and Online Account Issues

We found that nine Android solutions, four network devices and three Windows applications transmitted the parent account credentials via HTTP under an SSLStrip attack. This allows an adversary to compromise the parent account for a long time, particularly if the app does not send any notification to the parent when the account is accessed from a new device. More seriously, in Kidoz, we could see the parent's credit card number and email over HTTP when using their BlueSnap online payment solution [12], while connected to our WiFi access point. This was possible because the online payment server is not configured to use HSTS. In Qustodio, we could extract the child's Facebook credentials provided by the parent during the configuration of the monitoring component. Following our disclosure, FamilyTime enabled HSTS on their server.

In terms of defense against online password guessing, we found that two network devices and 10 Android solutions leave their online login interfaces open to password brute-force attacks. Also, two network devices, five Android solutions, and three Windows applications enforce a weak password policy (i.e., accepting passwords of four characters or fewer). We also observed that five network devices, 12 Android solutions and four Windows applications do not report suspicious activities on the parent's account, such as password changes and accesses from unrecognized devices. These activities are possible indicators of account compromise and should be reported to the user.

5.6 Insecure PII Transmission

Network devices. We found that the KoalaSafe and Blocksi network devices append the child device's MAC address, firmware version number, and serial number to outgoing DNS requests. This can allow on-path attackers to track the child's web activities [18]. The HomeHalo device suffers from a similar problem: whenever a domain is requested by a user device inside its network, HomeHalo sends an HTTP request, including the child device's MAC address, to its backend server to identify the requested domain's category.

Android apps. Several Android solutions send cleartext PII; see Table 9 in the Appendix. Examples include: FindMyKids (the child's surrounding sounds and photo); KidControl (the parent's name and email, geolocation, and SOS requests); and MMGuardian (the parent's email and phone number, and the child's geolocation). MMGuardian transmits the URLs visited by the child (Base64 encoded) to a third-party domain classifier, Komodia.com [39], via HTTP. When we contacted MMGuardian, they informed us that they are working with Komodia on a resolution. Other products using Komodia are also apparently affected by this.

Windows applications and Chrome extensions. During the installation phase of Kurupira, the user has to set up an SMTP server with the assistance of the application to receive activity reports. However, if the user configures an SMTP server with an unencrypted protocol, Kurupira does not warn about transmitting the child activity report in plaintext. Kidswatch sends child activity reports over HTTP. We also found that three extensions (Blocksi Web Filter, FamilyFriendly Parental Control, Porn Blocker) send the domain contacted by the user to the extension's server using HTTP to check whether or not the website should be blocked.

Footnote 10: http://10.123.234.1/api/USERPHOTO?profileID=[profileID]
Footnote 11: By using, e.g., a cURL command (the last path segment is the childID): $ curl -v https://mesh.familytime.io/v2/child/Android/profile/456***
Footnote 12: By using, e.g., a cURL command: $ curl -v "https://u.famisafe.com/load-page/index?page=suspicious-text/detail&access_from=1&device_id=165***&member_id=1045***&client_sign={fffff***-be**-19ec-0000-000075b3****}&access_token=dtwMtFarI********&lang=en"
Footnote 13: An example call to the API is as follows: https://cp.secureteen.com/auth.php?&productName=secureteen&resellerId=careteen&page=menu&loginFromApp=Yes&j_username=parentemail**@gmail.com&gType=monitoring
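The FamilyTime finding in Sec. 5.3 combines two separate defects: a sequential six-digit childID and an endpoint that never checks who is asking. The following Python program is an added example, not FamilyTime code, with an in-memory store and invented account names standing in for the backend. It shows the enumeration a remote attacker performs against the sequential scheme, then a hardened handler that requires an authenticated session and verifies that the session owns the requested record, alongside unguessable 128-bit identifiers. Both fixes matter: random IDs alone still leak to anyone who learns one, and an ownership check alone still lets the sequential space be probed for valid IDs.

```python
import secrets
from typing import Callable, Dict, List, Optional

# Constructed in-memory store standing in for the backend database.
CHILDREN: Dict[str, dict] = {}      # child_id -> record
OWNER_OF: Dict[str, str] = {}       # child_id -> owning parent account
_counter = 100000                   # mimics a sequential six-digit counter

Handler = Callable[[Optional[str], str], Optional[dict]]


def create_child_sequential(parent: str, name: str) -> str:
    """The flawed scheme: predictable, densely packed identifiers."""
    global _counter
    _counter += 1
    cid = str(_counter)
    CHILDREN[cid] = {"name": name}
    OWNER_OF[cid] = parent
    return cid


def create_child_random(parent: str, name: str) -> str:
    """128-bit random identifier: enumeration is infeasible."""
    cid = secrets.token_urlsafe(16)
    CHILDREN[cid] = {"name": name}
    OWNER_OF[cid] = parent
    return cid


def profile_vulnerable(session_parent: Optional[str], child_id: str) -> Optional[dict]:
    """Anyone who knows child_id gets the record; the session is never consulted."""
    return CHILDREN.get(child_id)


def profile_hardened(session_parent: Optional[str], child_id: str) -> Optional[dict]:
    """Require an authenticated session *and* ownership of the requested child."""
    if session_parent is None or OWNER_OF.get(child_id) != session_parent:
        return None     # answer 404 for missing and foreign IDs alike: don't reveal existence
    return CHILDREN[child_id]


def enumerate_children(handler: Handler, start: int, stop: int) -> List[dict]:
    """What a remote, unauthenticated attacker does against a sequential ID space."""
    found: List[dict] = []
    for n in range(start, stop):
        record = handler(None, str(n))
        if record is not None:
            found.append(record)
    return found


def demo() -> Dict[str, object]:
    """Populate two parent accounts and compare both handlers."""
    global _counter
    CHILDREN.clear()
    OWNER_OF.clear()
    _counter = 100000
    alice = create_child_sequential("parentA", "Alice")
    create_child_sequential("parentB", "Bob")
    carol = create_child_random("parentA", "Carol")
    return {
        "leaked_vulnerable": len(enumerate_children(profile_vulnerable, 100000, 100100)),
        "leaked_hardened": len(enumerate_children(profile_hardened, 100000, 100100)),
        "owner_can_read": profile_hardened("parentA", alice) is not None,
        "cross_account_read": profile_hardened("parentB", alice),
        "random_id_length": len(carol),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In an HTTP API the hardened handler should return the same status for "no such child" and "not your child", and the session should come from a server-validated cookie or bearer token, never from a client-supplied parent ID, which would simply recreate the flaw one level up.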
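Both the custom browsers that fail to enforce HSTS (Sec. 5.1) and the SSLStrip results in Sec. 5.5 come down to the same missing control: remembering that a host has asked to be reached only over HTTPS and upgrading later plain-HTTP navigations before they touch the network. The following Python class is an added example, not code from Kidoz, KidsPlace or MMGuardian; it implements the core of RFC 6797 in the way a browser engine would: it parses Strict-Transport-Security headers (max-age, includeSubDomains, max-age=0 to forget), ignores the header when it arrives over plain HTTP, expires entries, and rewrites http:// URLs for known hosts and their subdomains. Host names and the injectable clock are constructed for the demonstration.

```python
import re
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal HSTS policy cache with the decisions a browser must make."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        # host -> (expiry timestamp, includeSubDomains)
        self._entries: Dict[str, Tuple[float, bool]] = {}

    @staticmethod
    def parse_header(value: str) -> Optional[Tuple[int, bool]]:
        """Return (max_age, include_subdomains), or None if the header is invalid."""
        max_age, subs = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', val.strip())
                if not m:
                    return None
                max_age = int(m.group(1))
            elif name == "includesubdomains":
                subs = True
        return None if max_age is None else (max_age, subs)

    def observe(self, url: str, headers: Dict[str, str]) -> None:
        """Record a policy from a response. Only HTTPS responses count (RFC 6797 8.1)."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return
        hdr = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if hdr is None:
            return
        parsed = self.parse_header(hdr)
        if parsed is None:
            return
        max_age, subs = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)       # max-age=0 asks the client to forget
        else:
            self._entries[host] = (self._clock() + max_age, subs)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, subs = entry
            if expires <= now:
                continue
            if i == 0 or subs:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts; other URLs are returned unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Against SSLStrip this is exactly the gap the paper exercises: an attacker who can downgrade the first request wins unless the client already holds a policy for the host, which is why the HSTS preload list exists and why a filtering browser that aims to protect children should honour both. Persisting the cache across restarts matters as much as parsing the header; a store that empties when the app closes protects nothing on the next launch.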
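The second paragraph of Sec. 5.5 lists three server-side controls the tools lack: throttling of online password guessing, a minimum password length, and notification of password changes and logins from unrecognised devices. The following Python class is an added example, not any vendor's code, showing the three together in one login service. The thresholds (10 failures per account and 100 per source address in a 15-minute window, 8-character minimum) and the use of a static-salt PBKDF2 are assumptions chosen to keep the example self-contained; production code should use a per-user salt with argon2id or bcrypt and route the notifications to real e-mail.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Set

WINDOW = 15 * 60            # seconds; assumed threshold
ACCOUNT_LIMIT = 10          # failures per account per window; assumed
IP_LIMIT = 100              # failures per source address per window; assumed
MIN_PASSWORD_LEN = 8        # rejects the 4-character policies found in the study


class LoginService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._users: Dict[str, bytes] = {}
        self._fails_acct: Dict[str, Deque[float]] = defaultdict(deque)
        self._fails_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self._devices: Dict[str, Set[str]] = defaultdict(set)
        self.notifications: List[str] = []      # stands in for outgoing e-mail

    @staticmethod
    def _hash(pw: str) -> bytes:
        # Illustrative; use argon2id or bcrypt with per-user salts in production.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"assumed-static-salt", 50_000)

    def register(self, email: str, pw: str) -> None:
        if len(pw) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        self._users[email] = self._hash(pw)

    def _prune(self, dq: Deque[float]) -> None:
        cutoff = self._clock() - WINDOW
        while dq and dq[0] < cutoff:
            dq.popleft()

    def _blocked(self, email: str, ip: str) -> bool:
        self._prune(self._fails_acct[email])
        self._prune(self._fails_ip[ip])
        return (len(self._fails_acct[email]) >= ACCOUNT_LIMIT
                or len(self._fails_ip[ip]) >= IP_LIMIT)

    def login(self, email: str, pw: str, ip: str, device_id: str) -> str:
        """Return 'ok', 'bad-credentials' or 'locked'."""
        if self._blocked(email, ip):
            return "locked"
        stored = self._users.get(email, b"")
        candidate = self._hash(pw)      # always hash: no timing oracle on account existence
        if not stored or not hmac.compare_digest(stored, candidate):
            now = self._clock()
            self._fails_acct[email].append(now)
            self._fails_ip[ip].append(now)
            return "bad-credentials"
        self._fails_acct[email].clear()
        if device_id not in self._devices[email]:
            self._devices[email].add(device_id)
            self.notifications.append(f"{email}: login from new device {device_id} ({ip})")
        return "ok"

    def change_password(self, email: str, old: str, new: str) -> bool:
        """Re-authenticate, enforce the policy, and notify the account owner."""
        stored = self._users.get(email, b"")
        if not stored or not hmac.compare_digest(stored, self._hash(old)):
            return False
        if len(new) < MIN_PASSWORD_LEN:
            return False
        self._users[email] = self._hash(new)
        self.notifications.append(f"{email}: password changed")
        return True
```

The 50-attempt probe used in the methodology would hit the per-account lock after 10 failures here. Per-account lockout is itself abusable (an attacker who knows the parent's e-mail can lock the parent out), so in practice it is paired with a CAPTCHA or a progressive delay, and the per-address limit is what stops a single machine from spraying many accounts.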
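Sec. 5.6 reports that KoalaSafe and Blocksi place the child device's MAC address, firmware version and serial number in outgoing DNS query names. From the defender's side, that is detectable in passive DNS logs. The following Python code is an added example of such detection logic, not vendor code and not a description of either product's actual wire format, which the paper does not give: it parses query log lines in an assumed "timestamp client qname" format, skips reverse lookups, and flags labels that look like a MAC address, a version string (within a label, or split across consecutive numeric labels) or a long alphanumeric serial. The sample log is constructed for the demonstration.

```python
import re
from typing import Dict, List

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:_]?){5}[0-9a-f]{2}")            # 12 hex digits, optional separators
LABEL_VERSION_RE = re.compile(r"(?:v|fw)?\d{1,3}(?:[-_]\d{1,3}){1,3}")  # e.g. 1-4-2, v2_0
SERIAL_RE = re.compile(r"[a-z0-9]{10,}")                                # long opaque token
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")                             # assumed: ts client qname


def analyse(qname: str) -> Dict[str, str]:
    """Return {finding_type: label} for identifiers embedded in one query name."""
    name = qname.rstrip(".").lower()
    findings: Dict[str, str] = {}
    if name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return findings                     # reverse lookups are numeric by design
    labels = name.split(".")
    for label in labels:
        if MAC_RE.fullmatch(label):
            findings.setdefault("mac", label)
        elif LABEL_VERSION_RE.fullmatch(label):
            findings.setdefault("version", label)
        elif (SERIAL_RE.fullmatch(label)
              and any(c.isalpha() for c in label) and any(c.isdigit() for c in label)):
            findings.setdefault("serial", label)
    # A version split across labels ("2.1.7.update.example.com") shows up as a
    # run of two or more short, all-numeric labels.
    run: List[str] = []
    for label in labels + [""]:
        if label.isdigit() and len(label) <= 3:
            run.append(label)
        else:
            if len(run) >= 2:
                findings.setdefault("version", ".".join(run))
            run = []
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Apply analyse() to each log line; return one hit per query that carries an identifier."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        findings = analyse(qname)
        if findings:
            hits.append({"ts": ts, "client": client, "qname": qname, **findings})
    return hits


# Constructed sample log: one benign query, one carrying a MAC, a version and a
# serial-like label, one reverse lookup, and one more benign query.
SAMPLE_LOG = [
    "2020-03-01T10:00:01Z 192.168.1.23 www.example.com.",
    "2020-03-01T10:00:02Z 192.168.1.23 ac1f6b0102a3.1-4-2.sn7h2k9q3m1x.telemetry.example.net.",
    "2020-03-01T10:00:03Z 192.168.1.23 5.113.0.203.in-addr.arpa.",
    "2020-03-01T10:00:04Z 192.168.1.40 cdn.example.org.",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The heuristics deliberately favour recall: a long CDN hostname label can trip the serial check, so in a real deployment the output is a hunting lead to correlate with the client's other traffic, not an alert on its own. The same privacy point applies to HomeHalo's category lookups over HTTP: any on-path observer of either channel learns which device asked for which domain.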
5.7 Third-party SDKs and Trackers

Some legislation (e.g., US COPPA and EU GDPR) regulates the use of third-party trackers in services targeting children (e.g., under 13 years of age). We thus evaluate the potential use of third-party tracking SDKs in the parental control tools. We found notable use of third-party SDKs in parental control tools, except in Windows. For network devices, we identified the use of third-party SDKs in the companion apps but not in the firmware.

Trackers. In Android, we found use of trackers in most apps via static analysis, including: the children apps (targeted for children's devices only, 44/51 apps with tracking SDKs), shared apps (the same app is used by both parents and children, 73/78 apps), and parent apps (targeted for parents' devices only, 22/24 apps); see Table 7 in the Appendix. Over 25% of children apps utilize advertising networks (e.g., Google Ad and Doubleclick SDKs; see Fig. 3 in the Appendix), which could potentially violate US COPPA. For network devices, our static analysis of five companion apps reveals the use of tracking SDKs (2–12 unique trackers) in all of those apps except KoalaSafe. For Chrome extensions, we found that half of the extensions send behavioral information (e.g., web browser usage) to Google Analytics.

We also identify third-party tracking SDKs from the network traffic generated by the child device during our dynamic analysis. Except for SecureTeen, 12/13 Android solutions use tracking SDKs (1–16 unique trackers; see Fig. 4 in the Appendix). Our traffic analysis confirms violations of COPPA: over 30% of Android solutions contact doubleclick.net from the child device without passing the COPPA compliance parameter (see footnote 14). We also found that the companion app of one of the network devices, Circle, includes a third-party analytics SDK from Kochava. Every time the app is launched, or returns to the foreground, the following information is shared with Kochava: the device ID (enables tracking across apps) and device data (enables device fingerprinting for persistent tracking). Kochava provides an opt-out option (app_limit_tracking=true) that can be used to comply with COPPA. However, Circle transmits this flag as false from the child device (see footnote 15).

For Android solutions that have a safe custom browser, such as Kidoz, MMGuardian, and KidsPlace, we found that all these browsers allow visited websites to store persistent tracking HTTP cookies (or Local Storage) on the child device. These cookies are not erased when the browser app is closed.

Restricted SDKs from past work. We also study the SDKs identified in past studies [28, 62] that are restricted by their developers (e.g., fully prohibited, or allowed only with particular parameters) for use in children's apps (as stated in their policies as of June 2020). We evaluated the privacy policies for the seven prohibited SDKs de-

require developers to set the appropriate parameters; and the last one (Supersonic/ironSource) removed any restriction.

From static analysis, we found several prohibited SDKs being used: 25/44 children apps and 8/73 shared apps use Google Crashlytics; the unGlueKids children app uses the Branch SDK (without the do-not-track mode); and Limitly uses the Appnext SDK. Aside from Google Crashlytics, we also observed the Branch (7 apps), Amplitude (6 apps), Braze (4 apps), and Tapjoy (1 app) SDKs in the shared apps. Through analysing the traffic generated by the child device, we confirm that five Android solutions use prohibited SDKs. Also, for Life360, we note that the Branch SDK's "do-not-track" mode was disabled, since the network traffic from the child device contains the Android ID, Android Advertising ID (AAID), and local private IP. Additionally, three Android solutions, FindMyKids, KidsPlace, and Circle, contact the prohibited Crashlytics SDK server (reports.crashlytics.com), and Qustodio communicates with the prohibited Braze SDK.

PII exposure to third-parties. We found that all Android solutions share personal and unique device information with third-party domains (see Table 10 in the Appendix). Prominent examples include: ScreenTime shares the child's Android ID with Facebook. Four extensions send the requested domains to their server to check whether the website should be blocked, a check that could also be performed locally, similar to Google Safe Browsing. More concerning, 2/10 extensions send the complete URL, possibly leaking personal information not required for blocking. Another extension, Parental Control, overrides the Chrome setting and replaces the default search URL with its server domain, which automatically redirects to Google SafeSearch but exposes the search terms to the extension's server. We also found that another Chrome extension, Porn Blocker, redirects the user to https://www.purplestats.com/page/blocked/ when visiting a blocked website, and leaks the full URL of the previous webpage through the Referer header.

COPPA Safe Harbor providers. We check the behavior of the 3/13 Android solutions (Kidoz, FamilyTime, FindMyKids) certified by the US FTC's COPPA Safe Harbor program [74] (by kidSAFE [65]; we also checked other programs under Safe Harbor, and the parental control tools' websites/descriptions). Our traffic analysis collected from the child device reveals that FindMyKids uses three trackers and leaks the Android Advertising ID to at least two trackers, graph.facebook.com and adjust.com. FindMyKids includes two flags when calling Facebook to enable application tracking and advertiser tracking (both were enabled) [26]. FindMyKids also shares the child's Android ID with Yandex Metrica (appmetrica.yandex.net). Yandex Metrica provides an option (limit_ad_tracking) that can be used to restrict tracking. However, FindMyKids transmits this flag as false from the child device [80]. We also found that FamilyTime sends the child's name, email address and phone number (hashed with SHA256) to facebook.com. Kidoz uses eight trackers and leaks the Android Advertising ID to the third-party domain googleapis.com through
tected, and concluded that four companies, Crashlytics, Amplitude, the referer header.
Braze (formerly Appboy), and Appnext, still prohibit the use of
their SDKs in children’s apps; two others (Tapjoy and Branch) now 6 POTENTIAL PRACTICAL ATTACKS
14 The use of tfcd=1 marks an ad request as child-directed; see https://support.google. In this section, we summarize the impact of exploiting some of the
com/admanager/answer/3671211?hl=en.
15 Note that Disney, a former partner of Circle, is the target of a class action lawsuit for
discovered vulnerabilities in the analyzed parental control tools.
using a similar SDK in children’s apps; see https://unicourt.com/case/pc-db1-rushing- Device compromise. Device compromise presents serious secu-
et-al-v-the-walt-disney-company-et-al-494632. rity and privacy risks, especially if a vulnerability can be exploited
Betrayed by the Guardian ACSAC 2020, December 7–11, 2020, Austin, USA
remotely. We found multiple vulnerabilities in the Blocksi network device that can compromise the device itself. These include an exploitable command injection vulnerability and a vulnerability in protecting the device's serial number, which is used in authentication. A remote attacker can use these vulnerabilities to take control over the Blocksi device by simply knowing the parent's email address (see Sec. 5.1 and Sec. 5.3). In particular, using the serial number and email, an attacker can exploit the command injection vulnerability and spawn a reverse TCP shell on the device. At this stage, the attacker gains full control of the device, and can read/modify unencrypted network traffic, disrupt the router's operation (cf. DHCP starvation [71]), or use it in a botnet (cf. Mirai [8]).

Account takeover. Parental accounts can be compromised in multiple ways. First, none of the parental control tools' web interfaces except Norton's enforced HSTS, and most were found vulnerable to SSLStrip attacks. Therefore, an on-path attacker can possibly gain access to the parent account using SSLStrip, unless parents carefully check the HTTPS status. Second, login pages that allow an unlimited number of password attempts could allow password guessing (especially for weak passwords). Note that most parental control tools' password policies are apparently weak (cf. NIST [36]); some products accept passwords as short as one character. Third, products with broken authentication allow access to parental accounts without credentials. For example, SecureTeen provides an API endpoint (see Sec. 5.4) to access the parental account by knowing only the parent's email address. Once logged in, the attacker has access to a large amount of PII, social media/SMS messages, phone history, and child location—even enabling possibilities of physical world attacks.

Data leakage from backends. Failure to protect the parental control backend databases exposes sensitive child/parent data at a large scale. Firebase misconfigurations exposed data belonging to 500K+ children and parents from three apps. Such leakage may lead to potential exploitation of children both online and offline.

PII on the network. COPPA mandates reasonable security procedures for protecting children's information [32]. However, we found that several parental control tools transmit PII insecurely. For example, FindMyKids leaks surrounding voice and the child's picture. This could put a child in physical danger, since the attacker can learn intimate details from the child's voice records and her surroundings, and also recognize the child from her photo. KidControl allows the child to send SOS messages when she is in a dangerous situation. However, an attacker can identify and drop the SOS message at will, as it is sent via HTTP. Moreover, the KoalaSafe and Blocksi network devices append the child's device MAC address to outgoing DNS requests, enabling persistent tracking.

7 CONCLUSION

Parental control solutions are used by parents to help them protect their children from online risks. Nevertheless, some of these solutions have made news in recent years for the wrong reasons. Our comprehensive cross-platform analysis of popular solutions shows systematic problems in the design and deployment of all the analyzed solutions (except Bitdefender, TinyFilter, Anti-porn addon, Kaspersky, and Norton) from a security and privacy point of view. Indeed, several of these solutions can undermine children's online and real-world safety. As these solutions are viewed by many parents as an essential instrument to provide children a safer online experience, they should be subjected to more rigorous and systematic evaluation, and to more stringent regulations.

ACKNOWLEDGMENTS

This work was partly supported by a grant from the Office of the Privacy Commissioner of Canada (OPC) Contributions Program. We thank the anonymous ACSAC 2020 reviewers for their insightful suggestions and comments.

REFERENCES

[1] ACPM. 2016. SSLUnpinning - Xposed Module. https://github.com/ac-pm/SSLUnpinning_Xposed/.
[2] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann. 2015. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In ACM CCS. 5–17.
[3] Kendra Allison. 2018. Online Risks, Sexual Behaviors, And Mobile Technology Use In Early Adolescent Children: Parental Awareness, Protective Practices, And Mediation. Ph.D. Dissertation. University of South Carolina.
[4] Collin Anderson, Masashi Crete-Nishihata, Chris Dehghanpoor, Ron Deibert, Sarah McKune, Davi Ottenheimer, and John Scott-Railton. 2015. Are the Kids Alright? Digital Risks to Minors from South Korea's Smart Sheriff Application. Article.
[5] Android. Last accessed Oct. 2020. Android Device Administration. https://developer.android.com/guide/topics/admin/device-admin/.
[6] Android. Last accessed Oct. 2020. UI/Application Exerciser Monkey. https://developer.android.com/studio/test/monkey.html.
[7] Anton Skshidlevsky. Last accessed Oct. 2020. Linux Deploy. https://github.com/meefik/linuxdeploy/.
[8] Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the Mirai Botnet. In USENIX Security. 1093–1110.
[9] Appthority. 2018. Appthority: ENTERPRISE MOBILE THREAT REPORT - Firebase Vulnerability: Exposing Sensitive Data via Thousands of Mobile Apps.
[10] Michael Backes, Sven Bugiel, and Erik Derr. 2016. Reliable third-party library detection in Android and its security applications. In ACM SIGSAC CCS. 356–367.
[11] Anthony Bellissimo, John Burgess, and Kevin Fu. 2006. Secure Software Updates: Disappointments and New Challenges. In USENIX HotSec.
[12] Bluesnap.com. Last accessed Oct. 2020. BlueSnap: Online Payment Solutions. https://home.bluesnap.com/.
[13] C. Marshall and C. Ellis. 2019. The best free parental control software 2019. https://www.techradar.com/news/the-best-free-parental-control-software/.
[14] Quan Chen and Alexandros Kapravelos. 2018. Mystique: Uncovering information leakage from browser extensions. In ACM SIGSAC CCS. 1687–1700.
[15] Chrome. 2017. Remove DHE-based ciphers. https://www.chromestatus.com/feature/5128908798164992.
[16] CIRT.net. Last accessed Oct. 2020. Nikto Web Server Scanner. https://cirt.net/Nikto2/.
[17] Common Sense Media and SurveyMonkey. 2017. Think You Know What Your Kids Are Doing Online? Think Again. Survey report, https://www.commonsensemedia.org/blog/think-you-know-what-your-kids-are-doing-online-think-again.
[18] Mathieu Cunche. 2014. I know your MAC address: targeted tracking of individual using Wi-Fi. Journal of Computer Virology and Hacking Techniques (2014).
[19] Xavier de Carné de Carnavalet and Mohammad Mannan. 2016. Killed by proxy: Analyzing client-end TLS interception software. In NDSS.
[20] DQinstitute.org. 2020. Nearly two-thirds of children surveyed around the world are exposed to cyber risks, first-ever global Child Online Safety Index reveals. Online article. https://www.dqinstitute.org/news-post/nearly-two-thirds-of-children-surveyed-around-the-world-are-exposed-to-cyber-risks-first-ever-global-child-online-safety-index-reveals/.
[21] EasyList. Last accessed Apr. 24, 2020. https://easylist.to/easylist/easylist.txt.
[22] EasyList. Last accessed Apr. 24, 2020. https://easylist.to/easylist/easyprivacy.txt.
[23] EasyList. Last accessed Apr. 24, 2020. https://easylist.to/easylist/fanboy-social.txt.
[24] Ronald Eikenberg. 2019. Kaspersky script injection. https://www.heise.de/ct/artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html.
[25] EPIC.org. 2010. FTC Settles with Company that Failed to Tell Parents that Children's Information Would be Disclosed to Marketers.
ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al.
https://www.ftc.gov/news-events/press-releases/2010/11/ftc-settles-company-failed-tell-parents-childrens-information.
[26] Facebook.com. Last accessed Oct. 2020. App Events API. https://developers.facebook.com/docs/marketing-api/app-event-api/.
[27] Facebook.com. Last accessed Oct. 2020. Manually Build a Login Flow. https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/.
[28] Álvaro Feal, Paolo Calciati, Narseo Vallina-Rodriguez, Carmela Troncoso, and Alessandra Gorla. 2020. Angel or Devil? A Privacy Study of Mobile Parental Control Apps. In PETS.
[29] OWASP Foundation. Last accessed Oct. 2020. HTML5 Security Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage.
[30] OWASP Foundation. Last accessed Oct. 2020. REST Security Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html.
[31] FTC.gov. 2014. Parental Controls. Online article. https://www.consumer.ftc.gov/articles/0029-parental-controls.
[32] FTC.gov. Last accessed Oct. 2020. Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business. https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.
[33] Google. 2012. Implementing OAuth 2.0 Authorization. https://developers.google.com/youtube/v3/guides/authentication.
[34] Google. Last accessed June 2020. Multiple Extensions are Compromised in a Browser Hijacking Scam. https://support.google.com/chrome/thread/46798301.
[35] Google. Last accessed Oct. 2020. Google Firebase. https://firebase.google.com/.
[36] Paul A Grassi, Ray A Perlner, Elaine M Newton, Andrew R Regenscheid, William E Burr, Justin P Richer, Naomi B Lefkovitz, Jamie M Danker, and Mary F Theofanos. 2017. Digital identity guidelines: Authentication and lifecycle management [including updates as of 12-01-2017]. Technical Report.
[37] IETF.org. Last accessed Oct. 2020. HTTP Strict Transport Security (HSTS). https://tools.ietf.org/html/rfc6797.
[38] Jon Martindale. 2019. Keep your kids safe online with these great parental control tools. Article. https://www.digitaltrends.com/computing/best-free-parental-control-software/.
[39] Komodia.com. Last accessed Oct. 2020. Komodia URLs classification SDK. https://url-classification.io/industry/parental-control/.
[40] L. Nve. Last accessed Oct. 2020. SSLStrip2. https://github.com/LeonardoNve/sslstrip2/.
[41] Anh Le, Janus Varmarken, Simon Langhoff, Anastasia Shuba, Minas Gjoka, and Athina Markopoulou. 2015. AntMonitor: A system for monitoring from mobile devices. In ACM SIGCOMM C2B(I)D.
[42] Gaëtan Leurent and Thomas Peyrin. 2019. From collisions to chosen-prefix collisions application to full SHA-1. In EUROCRYPT. Springer.
[43] Xurong Li, Chunming Wu, Shouling Ji, Qinchen Gu, and Raheem Beyah. 2017. HSTS Measurement and an Enhanced Stripping Attack Against HTTPS. In SecureComm. Springer.
[44] Meng Luo, Pierre Laperdrix, Nima Honarmand, and Nick Nikiforakis. 2019. Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers. In NDSS.
[45] Jack Madden and Brian Madden. 2013. Enterprise Mobility Management: Everything you need to know about MDM, MAM, and BYOD. Jack Madden.
[46] Mark Jones, Komando.com. 2018. Parental control app database exposed, leaving kids' information compromised. News article. https://www.komando.com/happening-now/461381/parental-control-app-database-exposed-leaving-kids-information-compromised.
[47] Abigail Marsh. 2018. An Examination of Parenting Strategies for Children's Online Safety. Ph.D. Dissertation. Carnegie Mellon University.
[48] MITMProxy.org. Last accessed Oct. 2020. HTTPS proxy. https://MITMProxy.org/.
[49] MOBSF. Last accessed Oct. 2020. Mobile-Security-Framework-MobSF. https://github.com/MobSF/Mobile-Security-Framework-MobSF.
[50] Brendan Moran, Hannes Tschofenig, David Brown, and Milosch Meriac. 2019. A Firmware Update Architecture for Internet of Things. Internet-Draft draft-ietf-suit-architecture-08. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-ietf-suit-architecture-08 Work in Progress.
[51] OpenWrt Project. Last accessed Oct. 2020. OpenWrt. https://openwrt.org/.
[52] PCMag.com. 2019. The Best Parental Control Software for 2019. https://www.pcmag.com/article2/0,2817,2346997,00.asp/.
[53] Pew Research Center. 2016. Parents, Teens and Digital Monitoring. Survey report, http://www.pewinternet.org/2016/01/07/parents-teens-and-digital-monitoring/.
[54] Pierluigi Paganini. 2018. Parental control spyware app Family Orbit hacked, pictures of hundreds of monitored children were exposed. News article. https://securityaffairs.co/wordpress/75888/data-breach/family-orbit-hacked.html.
[55] Portswigger.net. Last accessed Mar. 2020. The Burp Suite family. https://portswigger.net/burp.
[56] Exodus Privacy. Last accessed Mar. 2020. The privacy audit platform for Android applications. https://reports.exodus-privacy.eu.org/en/trackers/.
[57] Pypi.org. Last accessed Oct. 2020. Python WHOIS Library. https://pypi.org/project/whois/.
[58] Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, and Phillipa Gill. 2018. Apps, trackers, privacy, and regulators. In NDSS.
[59] Abbas Razaghpanah, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian Kreibich, Phillipa Gill, Mark Allman, and Vern Paxson. 2015. Haystack: In situ mobile traffic analysis in user space. arXiv preprint arXiv:1510.01419 (2015).
[60] Bradley Reaves, Jasmine Bowers, Nolen Scaife, Adam Bates, Arnav Bhartiya, Patrick Traynor, and Kevin RB Butler. 2017. Mo(bile) money, mo(bile) problems: Analysis of branchless banking applications. ACM TOPS (2017).
[61] Reverse Shell Security. Last accessed Oct. 2020. Routersploit Embedded Devices Exploitation framework. https://github.com/threat9/routersploit/.
[62] Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, and Serge Egelman. 2018. "Won't somebody think of the children?" Examining COPPA compliance at scale. PETS (2018).
[63] Shiv Sahni. Last accessed Mar. 2020. FireBase Scanner. https://github.com/shivsahni/FireBaseScanner.
[64] Samet Privacy, LLC. Last accessed Oct. 2020. Official membership page. https://www.kidsafeseal.com/certifiedproducts/kidoz_sdk_app.html.
[65] Samet Privacy, LLC. Last accessed Oct. 2020. Official membership page. https://www.kidsafeseal.com/certifiedproducts/familytime_app.html.
[66] Sellcell.com. 2019. Kids Cell Phone Use Survey 2019 – Truth About Kids & Phones. News article. https://www.sellcell.com/blog/kids-cell-phone-use-survey-2019/.
[67] Zhiyong Shan, Raina Samuel, and Iulian Neamtiu. 2019. Device Administrator Use and Abuse in Android: Detection and Characterization. In MobiCom.
[68] Sharon Shasha, Moustafa Mahmoud, Mohammad Mannan, and Amr Youssef. 2019. Playing with danger: A taxonomy and evaluation of threats to smart toys. IEEE Internet of Things Journal (2019), 2986–3002.
[69] Oleksii Starov and Nick Nikiforakis. 2017. Extended tracking powers: Measuring the privacy diffusion enabled by browser extensions. In WWW.
[70] Stiller, Nate. Last accessed Oct. 2020. MAC Address Lookup. https://www.macvendorlookup.com/mac-address-lookup/.
[71] Nikhil Tripathi and Neminath Hubballi. 2015. Exploiting DHCP server-side IP address conflict detection: A DHCP starvation attack. In IEEE ANTS. IEEE, 1–3.
[72] UK Council for Child Internet Safety (UKCCIS). 2016. Child Safety Online: A Practical Guide for Providers of Social Media and Interactive Services. Online article. https://www.gov.uk/government/publications/child-safety-online-a-practical-guide-for-providers-of-social-media-and-interactive-services.
[73] Unicef. 2020. Children at increased risk of harm online during global COVID-19 pandemic. Press release. https://www.unicef.org/press-releases/children-increased-risk-harm-online-during-global-covid-19-pandemic.
[74] U.S. Federal Trade Commission. Last accessed Oct. 2020. COPPA Safe Harbor Program. https://www.ftc.gov/safe-harbor-program/.
[75] Narseo Vallina-Rodriguez, Srikanth Sundaresan, Abbas Razaghpanah, Rishab Nithyanand, Mark Allman, Christian Kreibich, and Phillipa Gill. 2016. Tracking the trackers: Towards understanding the mobile advertising and tracking ecosystem. arXiv preprint arXiv:1609.07190 (2016).
[76] Verizon. 2019. Verizon 2019 Data Breach Investigation Report. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf.
[77] William Largent. 2017. Vulnerability Spotlight: The Circle of a Bug's Life. News article. https://blog.talosintelligence.com/2017/10/vulnerability-spotlight-circle.html.
[78] Wired.co.uk. 2019. A series of dumb security flaws left millions of EA Origin users exposed. News article. https://www.wired.co.uk/article/ea-origin-account-login-security-flaw.
[79] Pamela Wisniewski, Arup Kumar Ghosh, Heng Xu, Mary Beth Rosson, and John M Carroll. 2017. Parental Control vs. Teen Self-Regulation: Is there a middle ground for mobile online safety? In ACM CSCW. 51–69.
[80] yandex.ru. Last accessed June 2020. AppMetrica tracking URL parameters. https://appmetrica.yandex.ru/docs/mobile-tracking/concepts/postback-specification.html.
[81] ZDNet.com. 2019. The latest dark web cyber-criminal trend: Selling children's personal data. News article. https://www.zdnet.com/article/the-latest-dark-web-cyber-criminal-trend-selling-childrens-personal-data/.

8 APPENDIX

In this appendix, we first provide some recommendations for parental control solution providers. Then, we present the corpus of parental control tools that we evaluated. Then, we provide a summary of the techniques adopted by the analyzed Android solutions to monitor child activities. Finally, we report our observations of tracking and PII sharing done by third-party SDKs and libraries embedded in these parental control tools.
8.3 Techniques Adopted by Android Solutions

Table 6 provides a summary of some techniques adopted by the analyzed Android solutions. Four Android solutions (MMGuardian, MobileFence, Qustodio, and SecureTeen), distributed via their company websites, support additional features compared to their Google Play store version.

Table 6: Techniques used to monitor child activities including web filtering, phone calls, SMS, and social media. [full circle]: refers to a service supported by the Google Play version; [half circle]: refers to a feature supported by a version distributed via the company website.

[Table 6 body not recoverable from the extraction. Columns: MobileFence (fn. 17), MMGuardian, SecureTeen (fn. 18), FindMyKids, FamilyTime, ScreenTime, KidControl, FamiSafe (fn. 16), KidsPlace, Qustodio, Life360, Circle, Kidoz. Rows: Facebook Login, YouTube OAuth, Custom video player, Take screenshot.]

[Figure residue (bar chart, Fig. 3 per Sec. 8.4): y-axis "Percentage of apps" (0–100%); legend: Children, Parents, Shared; x-axis SDKs including Google Firebase Analytics, Google CrashLytics, Google DoubleClick, Google Tag Manager, Google Ads, Facebook Login, Facebook Share, Facebook Places.]

Figure 4: Tracking SDKs present in Android solutions found through dynamic analysis, see Sec. 5.7. [Figure residue: tracker domains on the axis: googleadservices.com, google-analytics.com, doubleclick.net, facebook.com, facebook.net, googletagmanager.com, crashlytics.com, google.com, google.ca, gstatic.com, adjust.com, newrelic.com, nr-data.net.]

16 The FamiSafe Android app gets full access to the child's YouTube account, including rights to view, edit, and delete the child's YouTube videos and playlists, and to rate videos and post, edit, or delete comments and captions.
17 MobileFence is initially set up by default to monitor both the child and parent devices.
18 The SecureTeen Android app uses a keylogger to record all social media activities on the child device.

8.4 Third-Parties Analysis Results

Table 7 shows the use of third-party tracking SDKs in the 153 analyzed Android apps. We used MOBSF [49] to extract the list of third-party tracking SDKs from all apps based on Exodus-Privacy's tracker list. On average, we found 4.5 SDKs per app (max 10 SDKs) in children apps. The average number of SDKs increases to about 5.3 SDKs per app in shared apps and parent apps. We also found that Google Firebase Analytics and Google CrashLytics are present in over 50% of all types of apps; see Fig. 3. We also identified third-party tracking SDKs from network traffic generated during our dynamic analysis; see Fig. 4.

Table 7: Use of tracking SDKs in children apps, shared apps (i.e., the same app is used by both parents and children), and parent apps found through static analysis.

                              | Children apps | Shared apps | Parent apps
------------------------------|---------------|-------------|------------
# Android apps                | 51            | 78          | 24
# Unique tracking SDKs        | 35            | 41          | 31
# apps with tracking SDKs     | 44            | 73          | 22
Average # SDKs per app        | 4.5           | 5.3         | 5.4
Max # SDKs per app            | 10            | 22          | 12
8.5 Data Sharing and Privacy Leaks

Table 8 lists the personal information used to detect PII data in network traffic. Tables 9 and 10 show the PII transmitted by Android solutions in plaintext through HTTP, and PII shared with third-parties, respectively.

Table 8: The list of personal information used to detect PII data in network traffic.

PII              | Description
-----------------|------------------------------------------------------------
AAID             | Android Advertising ID
Android ID       | Android ID generated on device setup
GSF ID           | Google Services Framework ID
Phone Serial     | Mobile serial number
IMEI             | Phone equipment ID
SIM ID           | SIM card ID
AP BSSID         | MAC addresses of used hotspots
AP SSID          | SSIDs of used hotspots
Nearby AP BSSID  | MAC addresses of surrounding hotspots
Nearby AP SSID   | SSIDs of surrounding hotspots
MAC Address      | MAC address of the WiFi interface
IP address       | IP address of the WiFi interface
BD ADDR          | MAC address of the Bluetooth interface
Google Email     | Google Play account email address
User credentials | Account ID and password
Name             | User's first and last names
Email            | User's email address
Phone #          | User's phone number
Geolocation      | Latitude & Longitude
Contacts         | Contact list entries
Browsing history | Visited URLs in browser
Used App         | Apps used on the device
Installed Apps   | Apps installed on the device
Social messages  | SMS/social media messages
Search history   | Search strings used on Google or YouTube
Mobile carrier   | User's mobile carrier
Address          | User's address (street name, city, country, and postal code)

Table 9: Android solutions sending sensitive data in plaintext.

Solution   | Data                        | Destination
-----------|-----------------------------|---------------
Kidoz      | Account username/password   | kidoz.net
Kidoz      | Child name                  | kidoz.net
KidsPlace  | Child Android ID            | kiddoware.com
KidsPlace  | Child phone serial          | kiddoware.com
KidsPlace  | Parent email                | kiddoware.com
KidControl | Child Geolocation           | kid-control.com
KidControl | Parent email                | kid-control.com
KidControl | Parent name                 | kid-control.com
Life360    | Child name                  | pubnub.com
Life360    | Parent name                 | pubnub.com
MMGuardian | Account username/password * | mmguardian.com
MMGuardian | Parent email                | mmguardian.com
MMGuardian | Parent IMEI                 | mmguardian.com
MMGuardian | Parent/child phone #        | mmguardian.com
MMGuardian | Parent phone serial         | mmguardian.com
MMGuardian | Browsing history            | komodia.com
MMGuardian | Parent AAID                 | mmguardian.com
MMGuardian | Child Geolocation           | mmguardian.com
MMGuardian | Child installed apps        | mmguardian.com
SecureTeen | Parent email                | secureteen.com
SecureTeen | Parent name                 | secureteen.com

Table 10: Sharing PII with third-parties.

Solution    | Shared PII                  | 3rd-parties (number, domains [max. 2]) *
------------|-----------------------------|-----------------------------------------
Circle      | Child Android ID            | 1 (kochava.com)
Circle      | Parent Android ID           | 2 (kochava.com, mixpanel.com)
Circle      | Child/parent AAID           | 1 (kochava.com)
Circle      | Child/parent AP BSSID       | 1 (kochava.com)
Circle      | Child/parent AP SSID        | 1 (kochava.com)
Circle      | Child name                  | 1 (intercom.com)
Circle      | Parent email                | 5 (intercom.com, apptentive.com)
Circle      | Parent name                 | 3 (facebook.com, mixpanel.com)
Circle      | Child mobile carrier        | 1 (kochava.com)
Circle      | Parent mobile carrier       | 2 (kochava.com, apptentive.com)
FamilyTime  | Child name                  | 1 (facebook.com)
FamilyTime  | Child email                 | 1 (facebook.com)
FamilyTime  | Child phone #               | 1 (facebook.com)
FamilyTime  | Parent email                | 11 (doubleclick.net, facebook.com)
FamilyTime  | Parent name                 | 11 (fastspring.com, google-analytics.com)
FamilyTime  | Parent address              | 1 (fastspring.com)
FamilyTime  | Parent AAID                 | 1 (facebook.com)
FamilyTime  | Parent mobile carrier       | 1 (facebook.com)
FamilyTime  | Parent phone #              | 1 (fastspring.com)
FamiSafe    | Child AAID                  | 1 (graph.facebook.com)
FamiSafe    | Child name                  | 1 (facebook.com)
FamiSafe    | Child Geolocation           | 1 (maps.googleapis.com)
FamiSafe    | Child browsing history      | 2 (facebook.com, google-analytics.com)
FamiSafe    | Child device carrier        | 1 (graph.facebook.com)
Kidoz       | Child AAID                  | 1 (googleapis.com)
FindMyKids  | Child/parent AAID           | 3 (yandex.net, facebook.com)
FindMyKids  | Child/parent Android ID     | 1 (yandex.net)
FindMyKids  | Child Geolocation           | 2 (openstreetmap.org, yandex.net)
FindMyKids  | Child Nearby AP BSSID       | 1 (yandex.net)
FindMyKids  | Child Nearby AP SSID        | 1 (yandex.net)
FindMyKids  | Child/parent mobile carrier | 1 (facebook.com)
KidControl  | Child Geolocation           | 1 (openstreetmap.org)
KidControl  | Parent email                | 1 (firestore.googleapis.com)
KidsPlace   | Child AAID                  | 2 (google-analytics.com, onesignal.com)
KidsPlace   | Child mobile carrier        | 1 (onesignal.com)
KidsPlace   | Child Geolocation           | 1 (maps.googleapis.com)
KidsPlace   | Parent email                | 1 (sendgrid.com)
Life360     | Child Android ID            | 1 (branch.io)
Life360     | Parent Android ID           | 2 (branch.io, amazonaws.com)
Life360     | Child AAID                  | 3 (appsflyer.com, branch.io)
Life360     | Parent AAID                 | 4 (appsflyer.com, facebook.com)
Life360     | Child/parent name           | 2 (braze.com, pubnub.com)
Life360     | Child email                 | 2 (helpshift.com, braze.com)
Life360     | Parent email                | 3 (helpshift.com, braze.com)
Life360     | Child/parent local IP       | 1 (branch.io)
Life360     | Child/parent Geolocation    | 3 (locationiq.com, braze.com)
Life360     | Parent phone #              | 1 (amazonaws.com)
Life360     | Parent AP BSSID             | 1 (amazonaws.com)
Life360     | Parent AP SSID              | 1 (amazonaws.com)
Life360     | Child/parent mobile carrier | 3 (appsflyer.com, braze.com)
MMGuardian  | Child/parent AAID           | 2 (facebook.com, googleadservices.com)
MMGuardian  | Child browsing history      | 1 (komodia.com)
MMGuardian  | Child/parent mobile carrier | 1 (facebook.com)
MobileFence | Parent email & name         | 1 (livechatinc.com)
MobileFence | Parent AAID                 | 1 (googleadservices.com)
MobileFence | Child Geolocation           | 2 (googleapis.com, amazonaws.com)
MobileFence | Child browsing history      | 1 (google.com)
Qustodio    | Child/parent Android ID     | 2 (amazonaws.com, rollout.io)
Qustodio    | Child/parent AAID           | 1 (adjust.com)
Qustodio    | Parent email                | 3 (adroll.com, braze.eu)
Qustodio    | Parent name                 | 1 (referralcandy.com)
Qustodio    | Child used app              | 1 (google-analytics.com)
Qustodio    | Child/parent mobile carrier | 1 (braze.eu)
ScreenTime  | Child/parent AAID           | 1 (graph.facebook.com)
ScreenTime  | Child Android ID            | 4 (facebook.com, googleapis.com)
ScreenTime  | Parent Android ID           | 1 (appspot.com)
ScreenTime  | Child name                  | 3 (appspot.com, facebook.com)
ScreenTime  | Parent email & name         | 2 (appspot.com, facebook.com)
ScreenTime  | Child Geolocation           | 4 (google.com, googleapis.com)
ScreenTime  | Child installed apps        | 1 (appspot.com)
ScreenTime  | Parent Mobile carrier       | 1 (facebook.com)
ScreenTime Child/parent mobile carrier 1 (graph.facebook.com)
*: The parent’s password is hashed using SHA1 without salting. SecureTeen Parent email 27 (adroll.com, ads.yahoo.com)
SecureTeen Child browsing history 1 (komodia.com)
SecureTeen Child Geolocation 1 (google.com)
*: Number of domains limited to 2 to fit display; AAID refers to Android Advertising ID;
We use the word “domain” to refer to second-level domains.