Betrayed by the Guardian:
Security and Privacy Risks of Parental Control Solutions
Suzan Ali Mounir Elgharabawy
[email protected]
[email protected]
[email protected]
Concordia University Concordia University
Montreal, Quebec, Canada Montreal, Quebec, Canada
Mohammad Mannan
[email protected]
[email protected]
arXiv:2012.06502v1 [cs.CR] 11 Dec 2020
Concordia University
Montreal, Quebec, Canada
ABSTRACT
For parents of young children and adolescents, the digital age has in-
troduced many new challenges, including excessive screen time, in-
appropriate online content, cyber predators, and cyberbullying. To
address these challenges, many parents rely on numerous parental
control solutions on different platforms, including parental con-
trol network devices (e.g., WiFi routers) and software applications
on mobile devices and laptops. While these parental control solu-
tions may help digital parenting, they may also introduce serious
security and privacy risks to children and parents, due to their
elevated privileges and having access to a significant amount of
privacy-sensitive data. In this paper, we present an experimental
framework for systematically evaluating security and privacy is-
sues in parental control software and hardware solutions. Using the
developed framework, we provide the first comprehensive study
of parental control tools on multiple platforms including network
devices, Windows applications, Chrome extensions and Android
apps. Our analysis uncovers pervasive security and privacy issues
that can lead to leakage of private information, and/or allow an
adversary to fully control the parental control solution, and thereby
may directly aid cyberbullying and cyber predators.
CCS CONCEPTS
• Security and privacy → Systems security.
KEYWORDS
Parental control network devices, Android apps, Windows applica-
tions, Web extensions, Privacy, Security
ACM Reference Format:
Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan,
and Amr Youssef. 2020. Betrayed by the Guardian: Security and Privacy Risks
of Parental Control Solutions. In Annual Computer Security Applications
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from
[email protected]
. extensions, and network devices. Note that, unlike other vulnerable
ACSAC 2020, December 7–11, 2020, Austin, USA
© 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-8858-0/20/12. . . $15.00
https://doi.org/10.1145/3427228.3427287
Quentin Duchaussoy
Concordia University
Montreal, Quebec, Canada
Amr Youssef
Concordia University
Montreal, Quebec, Canada
Conference (ACSAC 2020), December 7–11, 2020, Austin, USA. ACM, New
York, NY, USA, 15 pages. https://doi.org/10.1145/3427228.3427287
1 INTRODUCTION
Many of today’s children cannot imagine their daily lives without
internet. A recent survey [66] shows that 42% of US children (4–14
years) spend over 30 hours a week on their phones; nearly 70% of
parents think that such use has a positive effect on their children’s
development [66]. While the web could be an excellent environment
for learning and socializing, there is also a plethora of online content
that can be seriously damaging to children. In addition, children are
by nature vulnerable to online exploitation and other risk effects
of online social networking, including cyber-bullying and even
cyber-crimes (see e.g., [3, 20]); the current COVID-19 pandemic has
only increased these risks (see e.g., [73]).
To provide a safe, controlled internet experience, many parents
and school administrators rely on parental control solutions that
are easily accessible either for free, or for a relatively cheap price.
From recent surveys in the US, some forms of parental control
apps/services are used by 26–39% of parents [17, 53], indicating a
growing adoption of these solutions. Such solutions are also recom-
mended by government agencies, e.g., US FTC [31] and UK Council
for Child Internet Safety (UKCCIS) [72], despite their limited ef-
fectiveness (cf. EU commissioned benchmark at: sipbench.eu), and
questionable morality since they, arguably, can act as surveillance
tools [79]. This ethical/moral debate is outside the scope of our
work.
On the other hand, over the past few years, many attacks tar-
geted parental control solutions, exposing monitored children’s
data, sometimes at a large scale [46, 54]. Aside from endanger-
ing children’s safety (online and in the real-world), such leaked
children’s personal data may be sold by criminals (cf. [81]). Re-
cent reports also revealed several security and privacy issues in
the analyzed parental control solutions [4, 28, 77]. However, such
analysis was limited to the privacy of Android apps, and only one
network device, even though popular parental control solutions
are used across different platforms: mobile and desktop OSes, web
products (e.g., buggy gaming apps [78]), or non-complaint products
(e.g., Android apps for children [62]), which can be removed when
such concerns are known, parental control solutions are deemed
ACSAC 2020, December 7–11, 2020, Austin, USA
essential by many parents and schools, and thus are not expected
to be removed due to the lack of better alternatives.
We undertake the first comprehensive study to analyze differ-
ent types of parental control hardware and software solutions. We
design a set of security and privacy tests, and systematically ana-
lyze popular representative parental control solutions available in
network devices, Windows and Android OSes, and Chrome exten-
sions. While developing our comprehensive analysis framework for
solutions in multiple platforms, we faced several challenges. Most
parental control solutions implement various techniques that hin-
der traffic analysis (e.g., VPNs, SSLpinning and custom protocols).
The use of proprietary firmware and code obfuscation techniques
also poses challenges for static analysis. Understanding long-term
behaviors of these solutions by running them for hours/days in a re-
alistic way (e.g., triggering all their features), is also time consuming
(compared to simple, automated UI fuzzing).
Contributions. Our contributions can be summarized as follows.
(i) We developed an experimental framework for systematically
evaluating security and privacy issues in parental control software
and hardware solutions. (ii) We utilized this framework to conduct
the first comprehensive study of parental control tools on multiple
platforms, including 8 network devices, 8 Windows applications,
10 Chrome extensions, and 29 Android apps representing 13 An-
droid solutions grouped by vendor.1 The in-depth analysis aims to
inspect the apps’ web traffic for personally identifiable information
(PII) leakage, insecure API endpoints authentication, potential vul-
nerabilities, and the presence of third-parties and known trackers.
(iii) Our analysis reveals 135 vulnerabilities among the solutions
tested and highlights that the majority of solutions broadly fail to
adequately preserve the security and privacy of their users—both
children and parents.
Notable findings and disclosure. Our notable findings include:
• The Blocksi parental control router allows remote command
injections, enabling an attacker with a parent’s email address to
eavesdrop/modify the home network’s traffic, or use the device
in a botnet (cf. Mirai [8]). Blocksi’s firmware update mechanism
is also completely vulnerable to a network attacker.
• 8/13 Android solutions and 4/8 network devices do not properly
authenticate their server API endpoints, allowing illegitimate
access to view/modify server-stored children/parents data.
• 5/13 Android solutions allow an attacker to easily compromise
the parent account at the server-end, enabling full account
control to the child device (e.g., install/remove apps, allow/block
phone calls and internet connections).
• 7/13 Android solutions transmit PII via HTTP (e.g., kidSAFE [64]
certified Kidoz sends account credentials via HTTP).
• Among the parental control tools with a web interface, 9/13
Android solutions, 4/8 network devices, and 3/8 Windows ap-
plications are vulnerable to SSLStrip attacks (cf. [43, 44]), a
man-in-the-middle (MITM) attack, due to the lack of HSTS.
• 2/8 Windows applications utilize a TLS proxy that degrades
connection security, by accepting certificates and ciphers that
are rejected by modern browsers. Another Windows application
1 An
Android solution is typically composed of a child app, a parent app, and an
online parental dashboard. We consider an Android solution vulnerable if any of its
component is vulnerable.
S. Ali et al.
(Kidswatch) completely lacks HTTPS, and communicates with
the backend server via HTTP.
• 2/10 Chrome extensions and 4/13 Android solutions transmit
the full URLs from the browser to their server, possibly leaking
sensitive (session) information.
As part of responsible disclosure, we contacted the developers
of the solutions we analyzed, and shared our findings, including
proof-of-concept scenarios and possible fixes. Two months after
disclosure, only ten companies responded, seven custom and three
automatic replies. Blocksi, KoalaSafe, MMGuardian, KidsPlace, Fam-
iSafe, and FamilyTime responded that they are investigating the
issues. Kidoz responded that some of our reported issues are on their
fixing backlog, and acknowledged the new vulnerabilities. Other
vendors either sent automatic/ambiguous response, or no response
at all. Notable changes after the disclosure: MMGuardian depre-
cated their custom browser; FamiSafe fixed the Firebase database
security issue; and FamilyTime enabled HSTS on their server.
2 RELATED WORK
In this section, we first list a few example cases from real-world
data breaches involving parental control tools, and then summarize
related academic studies (mostly privacy analyses of Android apps).
Over the past years, several parental control tools have made the
news for security and privacy breaches. The teen-monitoring app
TeenSafe leaked thousands of children’s Apple IDs, email addresses
and passwords [46]. Family Orbit exposed nearly 281 GB of chil-
dren data from an unsecured cloud server [54]. In 2019, a privacy
flaw in Kaspersky anti-virus and parental control application was
found [24]. This application included a script to perform content
checking on each page intercepted by a TLS proxy. However, some
unique IDs were also included in the process, allowing the web-
site to track the user. In 2010, EchoMetrix settled US FTC charges
for collecting and selling children’s information to third-parties
through their parental control software [25].
Between 2015 and 2017, researchers from the Citizen Lab (citizen-
lab.ca), Cure53 (cure53.de), and OpenNet Korea (opennetkorea.org)
published a series of technical audits of three popular Korean par-
enting apps mandated by the Korean government, Smart Sheriff,
Cyber Security Zone and Smart Dream [4]. The security audits
found serious security and privacy issues in the three parental con-
trol Android apps. For example, Smart Sheriff failed to adequately
encrypt PII either on storage or in transit. Smart Dream allowed
unauthorized access to children’s messages and search history.
Feal et al. [28] studied 46 parental control Android apps for data
collection and data sharing practices, and the completeness and
correctness of their privacy policies. They used the Lumen Android
app (see https://haystack.mobi/) for their analysis, which is unable
to analyze target apps with VPN or certificate pinning. Parental
apps and dashboards are also excluded. Our analysis framework
has no such limitations, and consequently we are able to identify
new critical security issues (e.g., leakage of plaintext authentication
information), even among the apps analyzed by Feal et al.
Reyes et al. [62] analyzed children Android apps for COPPA com-
pliance. Out of 5855 apps, the majority of the analyzed apps were
found to potentially violate COPPA, and 19% were found to send PII
in their network traces. Wisniewski et al. [79] evaluated 42 features
Betrayed by the Guardian
in 75 parental control Android apps, showing that most apps value
control over self-regulation strategies, and boast the use of privacy
invasive techniques. Marsh [47] measured the effectiveness and
usability of two parental control apps.
Web extensions have been subjected to security evaluation for
over a decade (see e.g., [14, 69]), but no past studies focused on
parental control extensions. Windows parental control applications
have been only studied for the security of their TLS proxies [19].
Similarly, parental control network devices remained unexplored,
except the Disney Circle, analyzed by Cisco Talos in 2017, and
found to have 23 different security vulnerabilities [77]. Among
other devices, we also analyzed Circle, but used a newer version
released in 2019.
In contrast to previous work, we conduct a comprehensive, sys-
tematic study of security and privacy threats in parental control so-
lutions across multiple platforms: mobile (Android), desktop (Win-
dows), web browser (Chrome extensions) and stand-alone network
devices, as popular solutions are available in all these platforms.
Our analysis therefore sheds light on the broader picture of security
and privacy risks of parental control tools. Compared to existing
Android app studies, our framework is more in-depth (e.g., moni-
toring the apps from the OS instead of the application level), and
inclusive (e.g., analyze apps with VPNs and key pinning).
3 BACKGROUND AND THREAT MODEL
We use the term “parental control tools” to cover different types of
parental solutions: network devices, Android apps, Chrome exten-
sions and Windows applications. Personally identifiable informa-
tion (PII) refers to any information related to the user as defined by
the US FTC and Office of the Privacy Commissioner of Canada. Any
entity that is not directly related to a parental control solution, is
labelled as a third-party; this includes but is not limited to trackers
and advertisers. In what follows, we briefly discuss some common
techniques used by parental control tools, define our threat model,
and list the vulnerabilities that we test against each solution.
3.1 Monitoring Techniques
Parental control tools generally allow the parent to remotely con-
trol the child device, perform web filtering, and monitor activities
on social media. We derive the following monitoring techniques
from product documentation, our observations from installation
procedure and use/analysis of these solutions. These techniques
vary significantly across platforms, and are grouped here as such.
Network devices. Being network-based, parental control devices
can monitor network traffic but cannot inspect the content of en-
crypted traffic. The devices analyzed act as a man-in-the-middle
between the client device and the internet router by using one
of two techniques: performing Address Resolution Protocol (ARP)
spoofing, or creating a separate access point. ARP spoofing enables
the network device to impersonate the internet router on the local
network. The device achieves that by sending forged ARP packets
that bind the router’s IP with the network device’s MAC address.
As a result, all the local network traffic is routed through the de-
vice before going to the internet router. Alternatively, the network
ACSAC 2020, December 7–11, 2020, Austin, USA
device may create an explicit access point exclusively for children
to enforce parental control filtering on all devices connected to it.
Android apps. Android apps rely on several Android-specific
mechanisms, including the following (see Table 6 in Appendix for
per Android solution capabilities). (1) Device administration [5, 67]
provides several administrative features at the system level, includ-
ing: device lock, factory reset, certificate installation, and device
storage encryption. (2) Mobile device management (MDM [45])
enables additional control and monitoring features, designed for
businesses to fully control/deploy devices in an enterprise setting.2
(3) Android accessibility service [6, 67] enables apps to perform
several functions including monitoring user actions by receiving
notifications when the user interacts with an app, capturing and
retrieving window content, logging keystrokes, and controlling
website content by injecting JavaScript code into visited web pages.
(4) Notification access enables Android apps to read or dismiss all
notifications displayed in the status bar; notifications may include
personal information such as contact names and messages. (5) An-
droid VPN, custom browsers, and third-party domain classifiers
(e.g., Komodia.com [39]), which are used to filter web content. (6)
Facebook [27] and YouTube OAuth [33] features, which are used to
monitor the child’s activities on Facebook (e.g., posts and photos),
and YouTube (e.g., playlists and comments). (7) Miscellaneous tech-
niques including: having browser history and bookmarks permis-
sion, using custom browsers, or TLS interceptions via Android VPN.
Windows applications. As opposed to Android parental control
apps, Windows applications operate with more privileges, and use
the following techniques: (1) TLS-interception: a proxy is installed
by inserting a self-signed certificate in the trusted root certificate
store. This allows the Windows applications to perform content
analysis and alter content from HTTPS webpages. (2) Application
monitoring: user applications are monitored for their usage and
duration. (3) User activity monitoring: some Windows applications
take screenshots, record keystrokes, and access the webcam.
Chrome extensions. With appropriate permissions, a parental
control extension can use the Chrome API and retrieve the URL
contacted by the user, intercept and redirect traffic, read and modify
page content and meta-data including cookies.
3.2 Threat Model
We consider the following attacker types with varying capabilities.
(1) On-device attacker: a malicious app with limited permissions on
the child/parent device. (2) Local network attacker: an attacker with
direct or remote access to the same local network as the child device.
This attacker can eavesdrop, modify, and drop messages from the
local network. (3) On-path attacker: a man-in-the-middle attacker
between the home network and a solution’s backend server. (4) Re-
mote attacker: any attacker who can connect to a solution’s backend
server. Attacks requiring physical access to either the child/parent
device are excluded from our threat model.
2 Note that, MDM features may be just too powerful, and may enable dangerous remote
control operations including device wipe. Apple has removed several popular parental
control apps from App Store due to their use of such highly invasive features (https:
//www.apple.com/ca/newsroom/2019/04/the-facts-about-parental-control-apps/). In
contrast, Google Play apparently still allows these features in parental apps.
ACSAC 2020, December 7–11, 2020, Austin, USA
3.3 Potential Security and Privacy Issues
We define the following list of potential security and privacy issues
to evaluate parental control tools (tested using only our own ac-
counts where applicable). This list is initially inspired by previous
work [4, 19, 60, 68], and then iteratively refined by us.
(1) Vulnerable client product: A parental control product (including
its update mechanism) being vulnerable, allowing sensitive in-
formation disclosure (e.g., via on-device side-channels), or even
full product compromise (e.g., via arbitrary code execution).
(2) Vulnerable backend: The use of remotely exploitable outdated
server software, and misconfigured or unauthenticated backend
API endpoints (e.g., Google Firebase [35] in Android apps).
(3) Improper access control: Failure to properly check whether the
requester owns the account before accepting queries at the
server-end (e.g., insecure direct object reference).
(4) Insecure authentication secrets: Plaintext storage or transmission
of authentication secrets (e.g., passwords and session IDs).
(5) SSLStrip attack: The parental control tool’s online management
interface is vulnerable to SSLStrip attack, possibly due to lack
of HSTS enforcement (cf. [43, 44]) .
(6) Weak password policy: Acceptance of very weak passwords (e.g.,
with 4 characters or less).
(7) Online password brute-force: No defense against unlimited login
attempts on the online parental login interface.
(8) Uninformed suspicious activities: No notifications to parents
about potentially dangerous activities (e.g., the use of parental
accounts on a new device, or password changes).
(9) Insecure PII transmission: PII from the client-end is sent without
encryption, allowing an adversary to eavesdrop for PII.
(10) PII exposure to third-parties: Direct PII collection and sharing
(from client devices) with third-parties.
3.4 Selection of Parental Control Solutions
We chose solutions used in the most popular computing platforms
for mobile devices (Android), personal computers (Windows), web
browser (Chrome), and selected network products from popular
online marketplaces (Amazon).3 We used “Parental Control” as a
search term on Amazon and Chrome Web Store and selected eight
devices and ten extensions. For Windows applications, we relied
on rankings and reviews provided by specialized media outlets
(e.g., [13, 38, 52]), and selected eight applications. For Android apps,
we searched the following terms on Google Play: “Parental Control”
and “Family Tracker”. From a total of 462 apps, we selected 158
apps with over 10K+ installations, and analyzed them automatically.
We also downloaded the companion apps for four network devices
(Circle companion app was already in our dataset as it had 50K+
installs). For six of these apps, the developers made available (via
their official websites) alternative APKs with additional features.
These APKs were also included in the set of automatically analysed
apps, adding up to 168 apps. We installed these apps on an Android
phone and removed 15 unresponsive/unrelated apps, making the
total of apps analyzed to 153; 51/153 are pure children apps; 24 are
pure parent apps; and 78 are used for both parent and child devices,
which we termed as “shared apps”. For in-depth analysis, we picked
3 As
of May 2020, current market shares according one estimate (https://gs.statcounter.
com) are: Android 72.6%, Windows 77% and Chrome 63.9%.
S. Ali et al.
29 popular Android apps representing 13 parental control solutions.
Each solution may include child app(s), parent app(s), and online
parental dashboard.
4 METHODOLOGY
We combine dynamic (primarily traffic and usage) and static (pri-
marily code review/reverse-engineering) analysis to identify secu-
rity and privacy flaws in parental control tools; for an overview,
see Fig. 1. For each product, we first conduct a dynamic analy-
sis and capture the parental control tool traffic during its usage
(as parents/children); if the traffic is in plaintext or decryptable
(e.g., via TLS MITM), we also analyze the information sent. Second,
we statically analyze their binaries (via reverse engineering) and
scripts (if available). We pay specific attention to the API requests
and URLs present in the code to complement the dynamic analysis.
After merging the findings, we look into the domains contacted and
check the traffic for security flaws (e.g., TLS weaknesses). Third, we
test the security and privacy issues described in Sec. 3.3 against the
collected API URLs and requests. Lastly, in case the parental control
tool presents an online interface, we assess the password-related
issues and test the SSLStrip attack against the login page.
4.1 Dynamic Analysis
We set up test environments for each solution, emulate user actions
for hours to days, collect the traffic from the child, parent, and
network devices, and then perform relevant analysis (see Sec. 3.3).
4.1.1 Usage Emulation and Experimental Setup. We analyze each
solution by manually mimicking regular users’ operations with
the goal of triggering parental control mechanisms. We test for
potential vulnerabilities in these mechanisms (see Sec. 4.1.2). We
evaluate the web filtering mechanism by visiting a blocked website
(gambling/adult) and a university website. We also perform user
activities monitored by platform-specific parental control features
(see Sec. 3.1, and Table 6 in the Appendix), and evaluate the so-
lution’s operations. For example, on Android, we perform basic
phone activities (SMS, phone call) and internet activities (Instant
messaging, social media, browsing, and accessing blocked content).
The network devices are evaluated in a lab environment by con-
necting them to an internet-enabled router (like in a domestic net-
work setup) with the OpenWrt firmware [51]. We use test devices
with web browsing to emulate a child’s device. If the parental con-
trol device uses ARP spoofing, the test device is connected directly
to the router’s wireless access point (AP); see Fig. 2 (a). Otherwise,
the test device is connected to the parental control device’s wireless
AP; see Fig. 2 (b). We capture network traffic on both the test device
and the router using Wireshark and tcpdump, respectively.
For Android apps, we maintain two experimental environments
to concurrently record and inspect network traffic originating from
the child and parent apps. We examine the child apps using a Sam-
sung Galaxy S6 phone running Android 7.0; for the parent apps,
we use a Nexus 4 with Android 5.1.1. We run a full Linux distri-
bution with mitmproxy [48] and tcpdump on each experimental
environment by installing Linux Deploy [7], and configured An-
droid’s network settings to proxy all traffic going through the WiFi
adapter to the mitmproxy server. This enables us to capture the
network traffic directly within the mobile devices.
Betrayed by the Guardian ACSAC 2020, December 7–11, 2020, Austin, USA

Analysis techniques Security and privacy issues

Insecure PII
Dynamic analysis transmission
Check for
communication flaws Insecure
No authentication
secret
Improper access
control
Is traffic Yes Analyze URLs and Extract domains
decryptable? APIs contacted
Vulnerable
backend

Static analysis 3rd parties trackers

No End
Is code Extract/download Perform code Vulnerable client
Start
accessible? source code analysis product

Yes

Weak password
policy
Online interface analysis
Assess password Online password
related issues brute-force
Has
Yes
an online
Uninformed
interface?
suspicious activities
No
End
Lack of HSTS
enforcement

Figure 1: Overview of our evaluation framework.

Internet
Internet

Client device
Spoofed Client device Network device Router
connection

Network device

(a) ARP poisoning case. (b) Dedicated Access Point case.

Figure 2: Network devices test environment. Wireshark is installed on both the client device and home router.

We test each Windows application and Chrome extension on
a fresh Windows 10 virtual machine with Chrome, tcpdump and
mitmproxy installed. We intercept inbound and outbound traffic
using mitmproxy on the host, and record packets using tcpdump.
4.1.2 Traffic Analysis. After intercepting traffic, we parse and com-
mit the collected tcpdump traffic to an SQLite database and check
for the following security and privacy related issues.
PII and authentication secrets leakage. We examine the col-
lected traffic to check for PII and authentication secrets transmitted
in plaintext, or leakage of PII to third-party domains. We create a
list of possible PII (see Table 8 in the Appendix) that can be leaked
via the Request URL, Referer, HTTP Cookie, requests’ payload, and
LocalStorage. We automatically search for PII items (i.e., case insen-
sitive partial string match) in the collected traffic, and record the
leaked information, including the HTTP request URL. We decode
the collected network traffic using common encoding (base64 and
URL encoding) and encode possible PII using hashing algorithms
(MD5, SHA1, SHA256, and SHA512) to find out obfuscated leaks.
Improper access control. We parse the traffic to find API end-
points with improper access control. First, we try to identify all the
APIs that can be potentially exploited (without strong authentica-
tion), using Postman (postman.com) to replay the recorded HTTP re-
quest stripped of authentication headers (e.g., cookies and authoriza-
tion header). Any request successfully replayed is labeled as poten-
tially vulnerable (in a database). Afterwards, we retrieve the parame-
ters used by these APIs (e.g., keys, tokens, or unique IDs), and assess
the parameters in terms of their predictability and confidentiality.
For instance, we deem a device’s access control insecure if its own
MAC address is used for API endpoints authentication, as the MAC
address can easily be found by an attacker on the local network.
Identifying trackers. We use the EasyList [21], EasyPrivacy [22],
and Fanboy [23] to identify known trackers. We also add known
ACSAC 2020, December 7–11, 2020, Austin, USA
trackers from past work [58, 75] to our list. To identify third-party
SDKs in the parental control tools traffic, we use the WHOIS [57]
registration record to compare the SDK owner name to the parental
control website owner. In cases where the SDK information is pro-
tected by the WHOIS privacy policy, we visit the SDK’s domain
to detect any redirect to a parent site; we then lookup the parent
site’s registration information. If this fails, we manually review the
SDK’s “Organization” in its TLS certificate, if available. Otherwise,
we try to identify the SDK owner by searching in crunchbase.com.
4.1.3 Backend Assessment. Due to ethical/legal concerns, we re-
frain from using any invasive vulnerability scanning tools to assess
backend servers. Instead, we look into the backends’ software com-
ponents as disclosed by web servers or frameworks in their HTTP
response headers, such as “Server” and “X-Powered-By”. We then
match these components against the CVE database to detect known
vulnerabilities associated with these versions. Additionally, we use
the Qualys SSL Test (Qualys 2020: ssllabs.com) to evaluate the secu-
rity of the SSL configuration of the parental control tools’ backends.
4.1.4 Challenges. During the interception and traffic analysis phase,
we encountered several challenges. We summarize them here, in-
cluding the tools and techniques we use to address them.
Network traffic attribution. On Android apps, a key issue is to
identify the process that generated the traffic in the absence of
the packets’ referral metadata. We test how the app behaves when
the child uses her device normally (e.g., phone calls, messaging,
browsing). These activities produce a large amount of traffic that
we need to match to the corresponding processes. We use the mitm-
proxy addon [48] to call netstat to detect the process name for
every packet. We directly use netstat from the underlying Linux
kernel (in our Linux Deploy setup) to capture the process ID and
process name as soon as a connection is created, while previous
work [41, 59] read and parse the system proc directory from the
Android Linux kernel by checking the directory periodically. This
past approach misses connections that are opened and closed before
the next time they check the proc directory, while our approach
looks into the live connection as soon as a connection is created. We
may only miss very short-lived connections that are not detected
by netstat. To the best of our knowledge, we achieve more reliable
traffic-process attribution compared to past work. We leave a full
evaluation of the effectiveness of the technique to future work.
Traffic interception. Most network devices use TLS for commu-
nicating with their backends. This prevented us from inserting a
root certificate on these devices, so some of the network traffic
generated by them is completely opaque to us. In these cases, we
rely on static analysis of the device’s firmware. In cases where an
Android app uses certificate pinning to refuse server certificates
signed by any CA other than the pinned certificate in the app, we
use SSLUnpinning [1] to attach several hooks in the SSL classes in
order to bypass this feature and intercept the communication. In
cases where the child app installs a VPN on the child device to filter
and block websites, we intercept the traffic by deleting the VPN con-
figuration from Android setting on the child device. If the app stops
functioning without the VPN, we update the app configuration file
whenever possible to disable the setup of the VPN on startup of
the app on the child device. One Windows application, Qustodio
S. Ali et al.
uses its own encrypted certificate store, for which, we extract the
associated TLS proxy private key by dumping the process memory.
It is possible that due to our employed measures for traffic analy-
sis and attribution (e.g., rooted device, disabled VPN), some parental
control solutions may have functioned differently, which is difficult
to verify due to the use of heavily obfuscated code. Hence, our
findings may be the lower-end of the actual privacy exposure.
4.2 Static Analysis
Our static analysis aims to complement the dynamic analysis when-
ever we could not decrypt the network traffic (e.g., in case of net-
work devices using TLS). We use static analysis to identify PII leak-
age, contacted domains, weak security measures (e.g., bad input
sanitization), or potential flaws in implemented mechanisms.
Network devices. We analyze the network device firmware when-
ever possible. We either attempt to extract the firmware directly
from the device (via JTAG, UART, or ICSP interfaces), or down-
load the device firmware from the vendor’s website. We found 3/8
network devices with an accessible serial UART port (KoalaSafe,
Blocksi, and Fingbox) that we used to extract the firmware from the
devices. Another device (Circle) made its firmware available online.
Among the remaining devices (without access to their firmware),
we scan for the presence of open remote admin services (e.g., SSH),
which are often closed or key-protected. To identify vulnerable
services, we scan the network devices with several tools (OpenVas,
Nmap, Nikto [16] and Routersploit [61]), and match the identified
software versions against public vulnerability databases.
Chrome extensions. We manually analyze the source code of the
Chrome extensions, which mainly consists of scripts, separated into
content scripts and background scripts. As most Chrome extensions’
codebase is relatively small, and do not involve serious obfuscation,
we can investigate their operations and detect security and privacy
issues (e.g., PII leakage, common JavaScript vulnerabilities).
Android apps. We perform an automated analysis on all 153 An-
droid apps using Firebase Scanner [63] to detect security miscon-
figurations in Firebase.4 We also use LibScout [10] to identify third-
party libraries embedded in these apps. Since LibScout does not
distinguish which libraries are used for tracking purposes, we use
Exodus-Privacy [56] to classify tracking SDKs. We use MOBSF [49]
to extract the list of third-party tracking SDKs from all 153 apps
based on Exodus-Privacy’s tracker list.
4.3 Online Interface Analysis
The online user interface is the primary communication channel
between parents and parental control tools. It displays most of the
data collected by the solutions, and may remotely enable more
intrusive features. Compromising the parent account can be very
damaging, and thus we evaluate the security of this interface.
SSLStrip attack. To check for SSLStrip attacks, we first set up a
WiFi AP with mitmproxy, SSLStrip2 [40] and Wireshark installed.
Then, we connect the parental control tool to our WiFi access point.
Wireshark is utilized to record network traffic while mimicking
common use case scenarios with the goal of triggering all parental
control monitoring and control UI and API requests looking for
4 Google Firebase (https://firebase.google.com/) provides support for backend infras-
tructure management for Android apps.
Betrayed by the Guardian
signs of successfully SSL Stripping attack on the traffic. We con-
firm the effectiveness of the attack by comparing the result to the
corresponding traffic in a regular testing environment (i.e., without
SSLStrip).
Weak password policy. During the parental control tool’s account
creation, we evaluate its password policy. We adopt a fairly con-
servative stance and only labelled as weak the password policy
accepting password with 4 characters or less.
Online password brute-force. We use Burp Suite [55] to perform
password brute-force attacks on our own online accounts. To keep
the load on the server minimal, we test for the presence of defensive
mechanisms by 50 attempts on our account from a single computer.
Uninformed suspicious activities. To determine whether the
solution presents measures to report suspicious activities, we test
two scenarios in which the user should be notified: modification
of the user’s password, and connection to the account from a
new/unknown device. We deem a parental control tool that does
not alert (e.g., via email) in either case to be vulnerable.
5 RESULTS
Following the methodology in Sec. 4, we analyzed the parental
control tools between Mar. 2019 to May 2020, which include: 8
network devices, 29 Android apps representing 13 Android solu-
tions, 10 Chrome extensions and 8 Windows applications. We also
performed an automated analysis of 153 parental control Android
apps to detect vulnerable backend databases and check for tracking
SDKs. In this section, we report our findings on the tested security
and privacy issues (as outlined in Sec. 3.3); for an overview, see
Table 1.
5.1 Vulnerable Client Product
Network devices. The importance of securing the update mecha-
nism has been known for years, cf. [11]. Surprisingly, the Blocksi
firmware update happens fully through HTTP. An integrity check
is done on the downloaded binary image, using an unkeyed SHA256
hash, again retrieved using HTTP, and thus rendering it useless.
Therefore, an on-path attacker can trivially alter the update file and
inject their own malicious firmware into the device. We confirmed
this vulnerability to be exploitable. We also found another vulner-
ability that enables executing a command as root on the Blocksi
device via command injection (i.e., unsanitized user input is passed
directly to a system shell for execution). We confirmed this vulnera-
bility to be exploitable by sending a router_setGeneralSettings
request to the Blocksi API endpoint, and injecting a command in
the timezone field in the request parameters. The settings change
triggers a WebSocket Secure (WSS) message to the Blocksi device.
The device then reads the new configuration from the API endpoint
and updates its local configuration.5
We also found that KoalaSafe runs Dropbear v2014.63 SSH server/client
(released on Feb. 19, 2014), associated with four known remote code
execution vulnerabilities. Under certain conditions, the KoalaSafe
device opens a reverse SSH tunnel through its backend server, ex-
posing the vulnerable SSH Dropbear server to an attacker outside
5 The timezone value is passed as tz to [“echo” + tz + “> /etc/TZ”]. Thus, if
the ls command would be executed and its output written to /etc/TZ.
ACSAC 2020, December 7–11, 2020, Austin, USA
the local network. By calling a KoalaSafe API endpoint,6 an exter-
nal attacker can detect when a reverse SSH tunnel is open using
only the victim device’s MAC address. If the tunnel is open, the
API endpoint responds with the tunnel’s port number, 0 otherwise.
For large-scale exploitation, an attacker can query the aforemen-
tioned API endpoint to enumerate all KoalaSafe devices with the
reverse tunnel open. This enumeration is feasible as KoalaSafe uses
the GuangLia network interface card (NIC), and MAC addresses
assigned to GuangLia NICs [70] are limited to only 220 values.
Android apps. We found 3/13 Android solutions (FamiSafe, Kid-
sPlace and Life360) do not encrypt stored user data on shared ex-
ternal storage that can be accessed by any other apps with the
permission to access the SD card. Examples of the sensitive infor-
mation include: the parent’s email and PIN code, phone numbers,
the child’s geolocation data, messages and social media chats, vis-
ited websites, and even authentication tokens—which enabled us
to read private information from the child account remotely.
We also found that Kidoz, KidsPlace, and MMGuardian use cus-
tom browsers to restrict and filter web content. The three browsers
fail to enforce HSTS, and lack persistent visual indication if the web-
site is served on HTTP. KidsPlace safe browser keeps the address bar
that shows visited URL to help with visual identification. However,
MMGuardian shows the URL in the address bar until the page is
fully loaded and then the URL is replaced with the webpage title. Fol-
lowing our disclosure, MMGuardian removed their custom browser.
Windows applications and Chrome extensions. Other than
Kidswatch, all tested Windows applications relied on TLS proxies
to operate. Some of these proxies do not properly perform cer-
tificate validation. For example, Qustodio and Dr. Web accepted
intermediate certificates signed with SHA1, despite the enhanced
collision attack on SHA1 [42]. Dr. Web also accepted Diffie-Hellman
1024 (considered weak [2], and deprecated in Safari and Chrome
since 2016 [15]). In addition, none of the proxies rejected revoked
certificates. We also found that upon uninstallation of these appli-
cations, the root certificates associated with the proxies remained
in the Windows trusted root certificate store, with four of them
having a validity duration over one year.
Two Chrome extensions (Adult Blocker and MateCode Blocker)
download and run a third-party tracking script at run time. The do-
mains hosting the scripts are not apparently related to the extension
providers (or libraries from well-known companies). Note that run-
time loaded scripts bypass the static control of Chrome for extension
security, which has been exploited in the wild by tricking developers
into adding malicious scripts masquerading as tracking scripts [34].
5.2 Vulnerable Backend
Network devices. Examples of vulnerable software components
from our analysis of backend server API endpoints include: Apache
2.4.34 with 11 CVEs in KoalaSafe; PHP 7.0.27 with 26 CVEs in
KidsWifi; Nginx versions with the same 3 CVEs in KidsWifi, Circle,
HomeHalo and Fingbox. The Blocksi’s API endpoint only indicates
that it runs on OpenResty and Google Frontend (no version info).
Android apps. Since 115/153 Android apps use Google Firebase
as a backend service, we analyzed their Firebase configuration for
tz is “$(ls)”,
6 https://api.koalasafe.com/api/router/[MACaddress]/et
ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al.
ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al.

Table
Table1:1:Overall results
Overall results for security
security
for security flaws in
in parental
flawscontrol
flaws in parental parental control
control
tools labelled tools
tools
following thelabelled
labelled following
in Sec. 3.2. the
following
threat model the threat
threatmodel
: On-device modelin
inSec. 3.2. # : On-device
Sec.3.2.
attacker;
attacker; :: :Local
Local
Local network
network
network attacker;
attacker;
attacker; G
# : attacker;
: On-path On-path
: On-path :attacker;
attacker;
Remote : Remote
attacker; -:: not
Remote attacker;
attacker;
applicable; not
blank:-:no -: applicable;
not
flaw blank:
applicable;
found. In no flaw
blank: found.
no flaw In case
found. In
thecase
case the vulnerabilitycan
vulnerability
the vulnerability can be
be exploited
canexploitedby 2 types
be exploited by 2ofbyattackers,
types2 types we display thewe
of attackers,
of attackers, fullest circle applicable.
display
we the fullest
display circlecircle
the fullest applicable.
applicable.
Network devices Android solutions Chrome extensions Windows applications
Network devices Android solutions Chrome extensions Windows applications

MateCode Blocker
Blocksi Web Filter
Circle Home plus

Anti-porn addon
Parental control

FamilyFriendly
Router

Kids Safe Web

Adult Blocker

MateCode Blocker
Filter
MMGuardian

Life360 Porn Blocker

FamiSafeMobileFence
Blocksiplus

FindMyKids
FamilyTime
Bitdefender

ScreenTime

Anti-porn addon
FingBox KidControl

Kidoz SecureTeen
KidsWifiHomeHalo

control
Kidswatch
Kaspersky

KidLogger
TinyFilter
KoalaSafe

KidsPlace

FamilyFriendly
QustodioMetaCert

Kurupira
Roqos FamiSafe

Qustodio

Qustodio
KidsWifi

Blocksi Router
FingBox

Dr. Web

Kids Safe Web

Adult Blocker
Life360

ParentalNorton
MMGuardian

Spyrix

Porn Blocker
Roqos

Circle

Kidoz
Circle Home

MobileFence

Blocksi Web
FindMyKids
FamilyTime
Bitdefender

ScreenTime
KidControl

SecureTeen
HomeHalo

Kidswatch
Kaspersky

KidLogger
TinyFilter
KoalaSafe

KidsPlace
Security Flaw

MetaCert

Kurupira
Qustodio

Dr. Web
Norton
Vulnerable client product

Spyrix
Circle
Vulnerable backend
Improper access control - - - - - - - - - -
Security
InsecureFlaw
authentication secret - - - - - - - - - -
SSLStrip attack - - - - - - - - - - - - - - - -
Vulnerable client product
Online password bruteforce - - - - - - - - - - - - - - -
Vulnerable
Weak passwordbackend
policy - - - - - - - - - - - - - - -
Uninformed
Improper suspicious
access activities
control - - - - - - - - - -- -- --
- -- -- - - - -
Insecure PII transmission
Insecure authentication
PII exposure to third-parties secret - - - - - - - - - -
SSLStrip attack - - - - - - - - - - - - - - - -
Online password bruteforce
security issues by performing an automated analysis using Fire-
- 7 - - - - - -
KoalaSafe device. Thus, a local network attacker can easily collect
- - - - - - - -
Weak password
base Scanner [63].policy
Critical misconfigurations can allow attackers -
the information - the
needed for authentication and use - API
- endpoint
- - - - - - - - - - -
to retrieve all the
Uninformed unprotectedactivities
suspicious data stored on the cloud server. We to access sensitive information such as the profile
- - name,
- - email
- - - - - - - - - -
followed PII
Insecure a similar approach to Appthority’s work [9] on scanning
transmission address, and browsing history.
apps for Firebase misconfigurations. We found 8/153 Android apps For Blocksi’s login API endpoint, the device’s serial number (SN)
PIIwith
exposure to third-parties
insecure Firebase configurations. We then evaluated the type and the registered user’s email are required to authenticate the
of sensitive data exposed by each app to determine the impact of device to the server. However, a remote attacker needs to know
the data being leaked. For ethical reasons and to protect other cus- only one of these parameters to authenticate. This is because a
tomers privacy,
security issueswe bycreated a parental account
performing on the eightanalysis
an automated apps. remote attacker
using Fire- can retrieve a user’s email
KoalaSafe using7 their
device. Thus, device SN or network attacker can easily collect
a local
8 By sending both parameters to the7API endpoint in a
security
Then, weissues
updated by performing
the Firebase scanner toanautomatically
automated searchanalysis
for using
vice-versa.Fire- KoalaSafe device. Thus, a local network attacker can easily collect
base Scanner [63]. Critical misconfigurations
our test data in the its response and record the leaked information can allow attackers the information needed for authentication and use the API endpoint
base Scanner [63]. Critical misconfigurations can allowPOST message, any remote attacker can authenticate to the server,
attackers the information needed for authentication and use the API endpoint
to retrieve
from our own all account.
the unprotected
We found three data stored
apps exposingonpersonal
the cloud server.
and accessWe to access
sensitive information aboutsensitive information
the home network, e.g., the such as the profile name, email
to retrieve
information: all1) the unprotected
FamiSafe with 500K+ data stored
exposeson the the cloud WiFi
server. We and MAC toaddresses
accessofsensitive information such as the profile name, email
followed aLocate
similar approach to installs
Appthority’s parent
work password,
[9] on scanning address, and connected devices.
browsing history.
followed
email; 2) a similar approach
with 10K+ to Appthority’s
installs exposes the child name,workphone[9] on scanning
The HomeHalo device address,
uses only and browsing
the device’s SN andhistory.
an HTTP
apps for Firebase
number, and email; misconfigurations.
and 3) My Family OnlineWe withfound 8/153 Android
10K+ installs appssecretTokenFor
header called Blocksi’stologin
to authenticate its APIAPI endpoint,
endpoint. In the device’s serial number (SN)
apps for Firebase misconfigurations. We foundparent 8/153 Android apps Fora fixed
Blocksi’s login API endpoint, the device’s serial number (SN)
with insecure
exposes Firebase
the child name, childconfigurations. We then evaluated
and parent phone numbers, ourthecase,type
the secretToken andhadthe registered
value of 100500.user’s email are required to authenticate the
An on-path
with insecure
email, and appsFirebase
installed onconfigurations.
child phone. FamiSafe We then
fixed evaluated
the Fire- the type
attacker can intercept and and thethese
modify registered
messages, anduser’s email are required to authenticate the
gain access
of sensitive
base security data exposed
issue following ourby each Additionally,
disclosure. app to determine
we found the impact of e.g., reading
deviceor to the server. However,
SSID, pass- a remote attacker needs to know
of sensitive data exposed by each app to determine thetoimpact
admin controls,
of device changing the wireless
to the server. However, a remote attacker needs to know
thethat
data being leaked.
MMGuardian, For ethical
MobileFence, reasons
and SecureTeen andsupport
servers to protectword,other cus-the device’s
or even onlyrootone of these
password. parameters
Other privacy sensitive to authenticate. This is because a
theRC4,
dataandbeing leaked.
SecureTeen Foris ethical reasons and to protectinformation
other cus- onlyincluding:
one of the these parameters to authenticate. This is because a
tomers privacy, webackend
created vulnerable to the POODLE
a parental accountattack. on the eight apps. is also exposed,
remote attackerdevices connectedatouser’s
can retrieve email using their device SN or
tomers
Windows privacy, we created
applications. We foundathatparental account
some Windows on the eight
applica- HomeHalo’sapps. network and remote attacker
the parental 8 controlcan retrieve
profile setup. a user’s email using their device SN or
Then, we
tions’we updated
servers the
also do not Firebase scanner to automatically search
The for
Circle Home Plusvice-versa.
creates a 8
profile By
for sending
each child and both
stores parameters
it to the API endpoint in a
Then, updated theuseFirebase
ideal TLS configurations.
scanner to For instance,
automatically search for vice-versa. By sending both parameters to the API endpoint in a
ourQustodio’s
test data in the
server has anitsintermediate
responsecertificate
and record the SHA1
signed with leaked information POST the
locally on the device, including message, any remote
child age groups, attacker can authenticate to the server,
usage history
ourintest dataof in theQustodio
its response and record the leaked information
and statistics, child photo, POST username
message, any remote attacker can authenticate to the server,
from its chain
our own trust.
account. and KidLogger
We found three servers support the
apps exposing personal andand access (i.e.,
sensitive some parents may
information about the home network, e.g., the
from
RSAour own account.
key exchange We lacks
protocol which found three
forward apps exposingusepersonal
secrecy. and access
child name). We identify sensitiveused
two API endpoints information
to transmit about the home network, e.g., the
information: 1) FamiSafe with 500K+ installs exposes the child parent WiFiover
information in plaintext password, and MAC
the local network. addresses
The first API of connected devices.
information: 1) FamiSafe with 500K+ installs exposes endpoint the parent 9 sends child WiFi password, and MAC addresses of connected devices.
email; 2) Locate with 10K+ installs exposes the child name, phone Theusage
account HomeHalo
history and device uses
statistics, and only the device’s SN and an HTTP
email; 2) Locate with 10K+ installs exposes the child name, phone
profileID. TheonHomeHalo
It insecurely relies the requester’s device
MAC addressusesto only the device’s SN and an HTTP
number, and email;
5.3 Improper and Control
Access 3) My Family Online with 10K+ installs header called secretToken to authenticate to its API endpoint. In
number, and email; and 3) My Family Online with 10K+ installs header called secretToken to authenticate to its API endpoint. In
exposes
Network the childThe
devices. name, child
KoalaSafe andendpoint
API login parentrequires
phone numbers,
three parenttoken and device ourtimecase, the secretToken had a fixed value of 100500. An on-path
exposes the child name, child and parent phone numbers, parent our case, the secretToken had a fixed value of 100500. An on-path
7 Authentication are available at https://device.koalasafe.com/
email, and apps
parameters installed
that are onanyone
available to childonphone.
the localFamiSafe
network: a fixed the
auth.lua, Fire-
and the MAC addressattacker can intercept and modify these messages, and gain access
at https://device.koalasafe.com/status.lua
email, and appsauthentication
device-generated installed on child
token, phone.date
the device’s FamiSafe
and time, fixed the Fire- attacker can intercept and modify these messages, and gain access
8 For SN to email, use https://service.block.si/config_router_v2/router_checkRouters/

base security
andsecurity issue
the device’s following
MAC following our disclosure.
address for successful Additionally,
authentication. These we
null/[SN],found
and for email to toSN, admin controls, e.g., reading or changing the wireless SSID, pass-
https://service.block.si/config_router_v2/router_
base issue our disclosure. Additionally, we found
checkRouters/[email]. to admin controls, e.g., reading or changing the wireless SSID, pass-
thatparameters
MMGuardian, MobileFence,
can be obtained and SecureTeen
by visiting endpoints hosted by theservers support word, or even the device’s root password. Other privacy sensitive
9 http://10.123.234.1/api/USERINFO?host=ios&nocache=1572292313630HTTP/1.1
that MMGuardian, MobileFence, and SecureTeen servers support word, or even the device’s root password. Other privacy sensitive
RC4, and SecureTeen backend is vulnerable to the POODLE attack. information is also exposed, including: the devices connected to
RC4, and SecureTeen backend is vulnerable to the POODLE attack. information is also exposed, including: the devices connected to
Windows applications. We found that some Windows applica- HomeHalo’s network and the parental control profile setup.
Windows applications. We found that some Windows applica- HomeHalo’s network and the parental control profile setup.
tions’ servers also do not use ideal TLS configurations. For instance, The Circle Home Plus creates a profile for each child and stores it
tions’ servers also do not use ideal TLS configurations. For instance, The Circle Home Plus creates a profile for each child and stores it
Qustodio’s server has an intermediate certificate signed with SHA1 locally on the device, including the child age groups, usage history
Qustodio’s server has an intermediate certificate signed with SHA1 locally on the device, including the child age groups, usage history
in its chain of trust. Qustodio and KidLogger servers support the and statistics, child photo, and username (i.e., some parents may
in its chain of trust. Qustodio and KidLogger servers support the and statistics, child photo, and username (i.e., some parents may
RSA key exchange protocol which lacks forward secrecy. use child name). We identify two API endpoints used to transmit
RSA key exchange protocol which lacks forward secrecy. use child name). We identify two API endpoints used to transmit
child information in plaintext over the local network. The first API
child information in plaintext over the local network. The first API
endpoint99 sends child account usage history and statistics, and
endpoint sends child account usage history and statistics, and
profileID. It insecurely relies on the requester’s MAC address to
5.3 Improper Access Control profileID. It insecurely relies on the requester’s MAC address to

Network devices. The KoalaSafe API login endpoint requires three 77Authentication token and device time are available at https://device.koalasafe.com/

parameters that are available to anyone on the local network: a
device-generated authentication token, the device’s date and time,
and the device’s MAC address for successful authentication. These
parameters can be obtained by visiting endpoints hosted by the
auth.lua, and the MAC address at https://device.koalasafe.com/status.lua
88For SN to email, use https://service.block.si/config_router_v2/router_checkRouters/
null/[SN], and for email to SN, https://service.block.si/config_router_v2/router_
checkRouters/[email].
99http://10.123.234.1/api/USERINFO?host=ios&nocache=1572292313630HTTP/1.1
Betrayed by the Guardian
identify the child device and communicate sensitive information.
This API endpoint is called whenever a child device attempts to
access a restricted domain. The second API endpoint10 fetches the
profile photo corresponding to the received profile ID.
Android apps. We found 8/13 Android solutions lack authentica-
tion for accessing PII. Prominent examples include the following.
In FamilyTime, a six-digit parameter childID is generated through
a sequential counter incremented by one per user. An attacker can
retrieve the child name, gender, date of birth, email address, and
child phone number through an API request that requires only
the childID value. Hence, an attacker can remotely exploit this
vulnerability at a large scale, simply by trying all 6-digit values.11
In FamiSafe, an attacker can retrieve all the child social media
messages and YouTube activities labeled as suspicious through
an API request that requires the following parameters: deviceid,
memberid, client_sign, and access token. However, any app
installed on the child device can access these parameters from the
FamiSafe log file on the shared external storage.12
5.4 Insecure Authentication Secret
Network devices. During the setup procedure of KidsWifi, the
device creates an open wireless AP with SSID “set up kidswifi”,
making it temporarily vulnerable to eavesdropping. The parent has
to use this AP’s captive portal to configure the KidsWifi device to
connect to the home network. Consequently, as this AP is open and
the client-device communication happens through HTTP, the home
router’s WAN and KidsWifi’s LAN credentials become available to
local attackers. We deem this a minor risk as the vulnerability is
only present for a limited duration (during device setup), and the
attacker must be within close proximity.
Android apps. In SecureTeen, we found an API endpoint that can
be used to authenticate the user to the parental control account.
This API endpoint enables any adversary to remotely compromise
any parental account by knowing only the parent’s email. When the
API request is invoked by the browser, the adversary is logged in to
the parental dashboard and obtains full access to the parent account,
including the ability to monitor and control the child device.13
Kidoz exposes the user email and password in HTTP when the
“Parental Login” link is clicked from the https://kidoz.net home page.
KidsPlace and Qustodio leak session authentication cookies via
HTTP, with validity periods of one year and two hours respectively.
Even with the 2-hour cookie in Qustodio, the attacker can easily
access sensitive information about the child including the child’s
current location, and history of movements. The attacker can also
access remote control functions on the child phone, such as block
all incoming/outgoing calls. In the case of KidsPlace, the attacker
can access a wide spectrum of remote control functions to the child
phone such as: disable the Internet, silently install a malicious app
10 http://10.123.234.1/api/USERPHOTO?profileID=[profileID].
11 Byusing e.g., a cURL commad (the last parameter is childID): $ curl -v https://mesh.
familytime.io/v2/child/Android/profile/456***.
12 By using e.g., a cURL command: $ curl -v https://u.famisafe.com/load-
page/index?page=suspicious-text/detail&access_from=1&device_id=165***&
member_id=1045***&client_sign={fffff***-be**-19ec-0000-000075b3****}&access_
token=dtwMtFarI********&lang=en.
13 An example call to the API is as follows: https://cp.secureteen.com/auth.php?
&productName=secureteen&resellerId=careteen&page=menu&loginFromApp=
Yes&j_username=parentemail**@gmail.com&gType=monitoring.
ACSAC 2020, December 7–11, 2020, Austin, USA
on the child device, or upload harmful content to the child mobile.
The attacker can also lock the child phone making her unable to
contact the parent or perform an emergency call.
5.5 SSLStrip and Online Account Issues
We found that nine Android solutions, four network devices and
three Windows applications transmitted the parent account creden-
tials via HTTP under an SSLStrip attack. This allows an adversary
to compromise the parent account for a long time, particularly if the
app does not send any notification to the parent when the account
is accessed from a new device. More seriously, in Kidoz, we could
see the parent’s credit card account number and email in HTTP
when using their BlueSnap online payment solution [12], while
connected to our WiFi access point. This was possible because the
online payment server is not configured to use HSTS. In Qusto-
dio, we could extract the child Facebook credentials provided by
the parent during the configuration of the monitoring component.
Following our disclosure, FamilyTime enabled HSTS on their server.
In terms of defense against online password guessing, we found
that two network devices and 10 Android solutions leave their on-
line login interfaces open to password brute-force attacks. Also,
two network devices, five Android solutions, and three Windows
applications enforced a weak password policy (i.e., shorter than four
characters). We also observed that five network devices, 12 Android
solutions and four Windows applications do not report suspicious
activities on the parent’s account such as password changes and
accesses from unrecognized devices. These activities are possible in-
dicators of account compromise and should be reported to the user.
5.6 Insecure PII transmission
Network devices. We found that the KoalaSafe and Blocksi net-
work devices append the child device’s MAC address, firmware ver-
sion number, and serial number into outgoing DNS requests. This
can allow on-path attackers to track the child’s web activities [18].
The HomeHalo device suffers from a similar problem: whenever a
domain is requested by a user device inside its network, HomeHalo
sends an HTTP request, including the child device’s MAC address,
to its backend server to identify the requested domain’s category.
Android apps. Several Android solutions send cleartext PII, see
Table 9 in the Appendix. Examples include: FindMyKids (the child’s
surrounding sounds and photo); KidControl (the parent’s name
and email, geolocation, and SOS requests); and MMGuardian (the
parent’s email and phone number, and child’s geolocation). MM-
Guardian transmits the child visited URL (Base64 encoded) to a
third-party domain classifier Komodia.com [39]) via HTTP. When
we contacted MMGuardian, they informed us that they are working
with Komodia on a resolution. Other products using Komodia are
also apparently affected by this.
Windows application and Chrome extensions. During the in-
stallation phase of Kurupira, the user has to set up an SMTP server
with the assistance of the application to receive activity reports.
However, in case the user uses an SMTP server with an unencrypted
protocol, Kurupira does not warn about transmitting child activ-
ity report in plaintext. Kidswatch sends child activity reports over
HTTP. We also found that three extensions (Blocksi Web Filter,
FamilyFriendly Parental Control, Porn Blocker) send the domain
ACSAC 2020, December 7–11, 2020, Austin, USA
contacted by the user to the extension’s server using HTTP to check
whether or not the website should be blocked.
5.7 Third-party SDKs and Trackers
Some legislations (e.g., US COPPA and EU GDPR) regulate the
use of third-party trackers in the services targeting children (e.g.,
under 13 years of age). We thus evaluate potential use of third-party
tracking SDKs in the parental control tools. We found notable use
of third-party SDKs in parental control tools, except in Windows.
For network devices, we identified the use of third-party SDKs in
the companion apps but not in the firmware.
Trackers. In Android, we found use of trackers in most apps via
static analysis, including: the children apps (targeted for children’s
devices only, 44/51 apps with tracking SDKs), shared apps (the same
app is used by both parents and children, 73/78 apps), and parent
apps (targeted for parents’ devices only, 22/24 apps); see Table 7
in the Appendix. Over 25% of children apps utilize advertising
networks (e.g., Google Ad and Doubleclick SDKs; see Fig. 3 in the
Appendix) which could potentially violate US COPPA. For network
devices, our static analysis for five companion apps reveals the use
of tracking SDKs (2–12 unique trackers) in all those apps except
for KoalaSafe. For Chrome extensions, we found that half of the
Chrome extensions send behavioral information (e.g. web browser
usage) to Google Analytics.
We also identify tracking third-party SDKs from network traf-
fic generated during our dynamic analysis from child device. Ex-
cept SecureTeen, 12/13 Android solutions use tracking SDKs (1–16
unique trackers; see Fig. 4 in the Appendix). Our traffic analysis con-
firms violations of COPPA—over 30% of Android solutions utilize
doubleclick.net without passing the proper COPPA compliant pa-
rameter from child device.14 We also found that one of the network
devices’ companion app, Circle, includes a third-party analytical
SDK from Kochava. Every time the app is launched, or it returns to
the foreground, the following information is shared with Kochava:
Device ID (enables tracking across apps), device data (enables de-
vice fingerprinting for persistent tracking). Kochava provides an
opt-out option (app_limit_tracking=true) that can be used to
comply with COPPA. However, the Circle transmits this flag as
false from the child device.15
For Android solutions that have a safe custom browser, such
as Kidoz, MMGuardian, and KidsPlace, we found that all these
browsers allow visited websites to store persistent tracking HTTP
cookies (or Local Storage) on the child device. These cookies are
not erased when the browser app is closed.
Restricted SDKs from past work. We also study the SDKs iden-
tified in past studies [28, 62] that are restricted by their developers
(e.g., fully prohibited, or use with particular parameters) for use
in children’s apps (as stated in their policies as of June 2020). We
evaluated the privacy policies for the seven prohibited SDKs de-
tected, and concluded that four companies, Crashlytics, Amplitude,
Braze (formerly Appboy), and Appnext, still prohibit the use of
their SDKs in children’s apps; two others (Tapjoy and Branch) now
14 The use of tfcd=1 marks an ad request as child-directed; see https://support.google.
com/admanager/answer/3671211?hl=en.
15 Note that Disney, a former partner of Circle, is the target of a class action lawsuit for
using a similar SDK in children’s apps; see https://unicourt.com/case/pc-db1-rushing-
et-al-v-the-walt-disney-company-et-al-494632.
S. Ali et al.
require developers to set the appropriate parameters; and the last
one (Supersonic/ironSource) removed any restriction.
From static analysis, we found several prohibited SDKs being
used: 25/44 children apps and 8/73 shared apps use Google Crash-
Lytics; unGlueKids children app uses Branch SDK (without the
do-no-track mode); and Limitly uses Appnext SDK. Aside from
Google CrashLytics, we also observed Branch (7 apps), Amplitude
(6 apps), Braze (4 apps), and Tapjoy (1 app) SDKs in the shared apps.
Through analysing traffic generated from child device, we con-
firm that five Android solutions use prohibited SDKs. Also for
Life360, we note that Branch SDK “do-not-track” mode was dis-
abled since the network traffic from child device contains Android
ID, Android Advertising ID (AAID), and local private IP. Addition-
ally, three Android solutions FindMyKids, KidsPlace, and Circle
contact Crashlytics prohibited SDK server (reports.crashlytics.com),
and Qustodio communicates with the Braze prohibited SDK.
PII exposure to third-parties. We found that all Android solu-
tions share personal and unique device information with third-party
domains (see Table 10 in the Appendix). Prominent examples in-
clude: ScreenTime shares the child Android ID with Facebook. Four
extensions send the requested domains to their server to check
whether the website should be blocked, which can also be locally
performed similar to Google Safe Browsing. More concerning 2/10
extensions send the complete URL, possibly leaking personal in-
formation not required for blocking. Another extension, Parental
Control, overrides Chrome setting and replaces the default search
URL by its server domain, which automatically redirects to Google
Safe Search, but exposes the search terms to the extension’s server.
We also found that another Chrome extension, Porn Blocker, redi-
rects the user to https://www.purplestats.com/page/blocked/ when
visiting a blocked website, and leaks the full URL of the previous
webpage through the referer header.
COPPA Safe Harbor providers. We check the behavior of (3/13)
(Kidoz, FamilyTime, FindMyKids) Android solutions certified by the
US FTC’s COPPA Safe Harbor program [74] (by kidSAFE [65]; we
also checked other programs under Safe Harbor, and the parental
control tools websites/descriptions). Our traffic analysis collected
from the child device reveals that FindMyKids use three trackers and
leak Android Advertising ID to at least two trackers graph.facebook.
com and adjust.com. FindMyKids includes two flags when calling
Facebook to enable application tracking and advertiser tracking
(both were enabled) [26]. FindMyKids also shares child Android ID
with Yandex Metrica (appmetrica.yandex.net). Yandex Metrica pro-
vides an option (limit_ad_tracking) that can be used to restrict
tracking. However, the FindMyKids transmits this flag as false
from the child device [80]. We also found that FamilyTime sends
the child’s name, email address and phone # (hashed in SHA256)
to facebook.com. Kidoz uses eight trackers and leaks the Android
Advertising ID to the third-party domain googleapis.com through
the referer header.
6 POTENTIAL PRACTICAL ATTACKS
In this section, we summarize the impact of exploiting some of the
discovered vulnerabilities in the analyzed parental control tools.
Device compromise. Device compromise presents serious secu-
rity and privacy risks, especially if a vulnerability can be exploited
Betrayed by the Guardian
remotely. We found multiple vulnerabilities in the Blocksi network
device that can compromise the device itself. These include an ex-
ploitable command injection vulnerability and a vulnerability in
protecting the device’s serial number, which is used in authentica-
tion. A remote attacker can use these vulnerabilities to take control
over the Blocksi device by simply knowing the parent’s email ad-
dress (see Sec. 5.1 and Sec. 5.3). In particular, using the serial number
and email, an attacker can exploit the command injection vulnera-
bility and spawn a reverse TCP shell on the device. At this stage, the
attacker gains full control of the device, and can read/modify unen-
crypted network traffic, disrupt the router’s operation (cf. DHCP
starvation [71]), or use it in a botnet (cf. Mirai [8]).
Account takeover. Parental accounts can be compromised in mul-
tiple ways. First, none of the parental control tools’ web interface
except Norton enforced HSTS, and most were found vulnerable
to SSLStrip attacks. Therefore, an on-path attacker can possibly
gain access to the parent account using SSLStrip, unless parents
carefully check the HTTPS status. Second, login pages that allow
unlimited number of password trials could allow password guessing
(especially for weak passwords). Note that most parental control
tools’ password policies are apparently weak (cf. NIST [36]); some
products accept passwords as short as one character. Third, prod-
ucts with broken authentication allow access to parental accounts
without credentials. For example, SecureTeen provides an API end-
point (see Sec. 5.4) to access the parental account, by knowing only
the parent email address. If logged-in, the attacker has access to
a large amount of PII, social media/SMS messages, phone history,
child location—even enabling possibilities of physical world attacks.
Data leakage from backends. Failure to protect the parental con-
trol backend databases exposes sensitive child/parent data at a
large scale. Firebase misconfigurations exposed data that belongs
to 500K+ children and parents from three apps. Such leakage may
lead to potential exploitation of children both online and offline.
PII on the network. COPPA mandates reasonable security proce-
dures for protecting children’s information [32]. However, we found
several parental control tools transmit PII insecurely. For example,
FindMyKids leaks surrounding voice, and the child’s picture. This
could put a child in physical danger since the attacker can learn
intimate details from the child’s voice records and her surrounding,
and also recognize the child from her photo. KidControl allows the
child to send SOS messages when she is in a dangerous situation.
However, an attacker can identify and drop the SOS message at will
as it is sent via HTTP. Moreover, KoalaSafe and Blocksi network
devices append the child’s device MAC address to outgoing DNS
requests, enabling persistent tracking.
7 CONCLUSION
Parental control solutions are used by parents to help them protect
their children from online risks. Nevertheless, some of these solu-
tions have made news in the recent years for the wrong reasons.
Our cross-platform comprehensive analysis of popular solutions
shows systematic problems in the design and deployment of all the
analyzed solutions (except Bitdefender, TinyFilter, Anti-porn addon,
Kaspersky, and Norton) from a security and privacy point of view.
Indeed several of these solutions can undermine children’s online
and real-world safety. As these solutions are viewed as an essential
ACSAC 2020, December 7–11, 2020, Austin, USA
instrument to provide children a safer online experience by many
parents, these solutions should be subjected to more rigorous and
systematic evaluation, and more stringent regulations.
ACKNOWLEDGMENTS
This work was partly supported by a grant from the Office of the
Privacy Commissioner of Canada (OPC) Contributions Program.
We thank the anonymous ACSAC 2020 reviewers for their insightful
suggestions and comments.
REFERENCES
[1] ACPM. 2016. SSLUnpinning - Xposed Module. https://github.com/ac-pm/
SSLUnpinning_Xposed/.
[2] David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,
Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel
Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-
Béguelin, and Paul Zimmermann. 2015. Imperfect Forward Secrecy: How Diffie-
Hellman Fails in Practice. In ACM CSS. 5–17.
[3] Kendra Allison. 2018. Online Risks, Sexual Behaviors, And Mobile Technology
Use In Early Adolescent Children: Parental Awareness, Protective Practices, And
Mediation. Ph.D. Dissertation. University of South Carolina.
[4] Collin Anderson, Masashi Crete-Nishihata, Chris Dehghanpoor, Ron Deibert,
Sarah McKune, Davi Ottenheimer, and John Scott-Railton. 2015. Are the Kids
Alright? Digital Risks to Minors from South Korea’s Smart Sheriff Application.
Article.
[5] Android. Last accessed Oct. 2020. Android Device Administration. https:
//developer.android.com/guide/topics/admin/device-admin/.
[6] Android. Last accessed Oct. 2020. UI/Application Exerciser Monkey. https:
//developer.android.com/studio/test/monkey.html.
[7] Anton Skshidlevsky. Last accessed Oct. 2020. Linux Deploy. https://github.com/
meefik/linuxdeploy/.
[8] Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein,
Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis
Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher,
Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding
the Mirai Botnet. In USENIX Security. 1093–1110.
[9] Appthority. 2018. Appthority: ENTERPRISE MOBILE THREAT REPORT - Fire-
base Vulnerability: Exposing Sensitive Data via Thousands of Mobile Apps.
[10] Michael Backes, Sven Bugiel, and Erik Derr. 2016. Reliable third-party library
detection in android and its security applications. In ACM SIGSAC CCS. 356–367.
[11] Anthony Bellissimo, John Burgess, and Kevin Fu. 2006. Secure Software Updates:
Disappointments and New Challenges. In USENIX HotSec.
[12] Bluesnap.com. Last accessed Oct. 2020. BlueSnap: Online Payment Solutions.
https://home.bluesnap.com/.
[13] C. Marshall and C. Ellis. 2019. The best free parental control software 2019.
https://www.techradar.com/news/the-best-free-parental-control-software/.
[14] Quan Chen and Alexandros Kapravelos. 2018. Mystique: Uncovering information
leakage from browser extensions.. In ACM SIGSAC CCS. 1687–1700.
[15] Chrome. 2017. Remove DHE-based ciphers. https://www.chromestatus.com/
feature/5128908798164992.
[16] CIRT.net. Last accessed Oct. 2020. Nikto Web Server Scanner. https://cirt.net/
Nikto2/.
[17] Common Sense Media and SurveyMonkey. 2017. Think You Know
What Your Kids Are Doing Online? Think Again. Survey re-
port, https://www.commonsensemedia.org/blog/think-you-know-what-your-
kids-are-doing-online-think-again.
[18] Mathieu Cunche. 2014. I know your MAC address: targeted tracking of individual
using Wi-Fi. Journal of Computer Virology and Hacking Techniques (2014).
[19] Xavier de Carné de Carnavalet and Mohammad Mannan. 2016. Killed by proxy:
Analyzing client-end TLS interception software. In NDSS.
[20] DQinstitute.org. 2020. Nearly two-thirds of children surveyed around the world
are exposed to cyber risks, first-ever global Child Online Safety Index reveals.
Online article. https://www.dqinstitute.org/news-post/nearly-two-thirds-of-
children-surveyed-around-the-world-are-exposed-to-cyber-risks-first-ever-
global-child-online-safety-index-reveals/.
[21] EasyList. Last accessed Apr. 24, 2020. https://easylist.to/easylist/easylist.txt.
[22] EasyList. Last accessed Apr. 24, 2020. https://easylist.to/easylist/easyprivacy.txt.
[23] EasyList. Last accessed Apr. 24, 2020. https://easylist.to/easylist/fanboy-social.txt.
[24] Ronald Eikenberg. 2019. Kaspersky script injection. https://www.heise.de/ct/
artikel/Kasper-Spy-Kaspersky-Anti-Virus-puts-users-at-risk-4496138.html.
[25] EPIC.org. 2010. FTC Settles with Company that Failed to Tell Par-
ents that Children’s Information Would be Disclosed to Marketers.
ACSAC 2020, December 7–11, 2020, Austin, USA S. Ali et al.

https://www.ftc.gov/news-events/press-releases/2010/11/ftc-settles-company- [57] Pypi.org. Last accessed Oct. 2020. Python WHOIS Library. https://pypi.org/
failed-tell-parents-childrens-information. project/whois/.
[26] Facebook.com. Last accessed Oct. 2020. App Events API. https://developers. [58] Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth
facebook.com/docs/marketing-api/app-event-api/. Sundaresan, Mark Allman, and Christian Kreibich Phillipa Gill. 2018. Apps,
[27] Facebook.com. Last accessed Oct. 2020. Manually Build a Login Flow. https: trackers, privacy, and regulators. In NDSS.
//developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/. [59] Abbas Razaghpanah, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian
[28] Álvaro Feal, Paolo Calciati, Narseo Vallina-Rodriguez, Carmela Troncoso, and Kreibich, Phillipa Gill, Mark Allman, and Vern Paxson. 2015. Haystack: In situ
Alessandra Gorla. 2020. Angel or Devil? A Privacy Study of Mobile Parental mobile traffic analysis in user space. arXiv preprint arXiv:1510.01419 (2015).
Control Apps. In PETS. [60] Bradley Reaves, Jasmine Bowers, Nolen Scaife, Adam Bates, Arnav Bhartiya,
[29] OWASP Foundation. Last accessed Oct. 2020. HTML5 Security Cheat Patrick Traynor, and Kevin RB Butler. 2017. Mo (bile) money, mo (bile) problems:
Sheet. https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_ Analysis of branchless banking applications. ACM TOPS (2017).
Sheet.html#local-storage. [61] Reverse Shell Security. Last accessed Oct. 2020. Routersploit Embedded Devices
[30] OWASP Foundation. Last accessed Oct. 2020. REST Security Cheat Sheet. https: Exploitation framework. https://github.com/threat9/routersploit/.
//cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html. [62] Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Raza-
[31] FTC.gov. 2014. Parental Controls. Online article. https://www.consumer.ftc.gov/ ghpanah, Narseo Vallina-Rodriguez, and Serge Egelman. 2018. “Won’t somebody
articles/0029-parental-controls. think of the children?” examining COPPA compliance at scale. PETS (2018).
[32] FTC.gov. Last accessed Oct. 2020. Children’s Online Privacy Protection Rule: [63] Shiv Sahni. Last accessed Mar. 2020. FireBase Scanner. https://github.com/
A Six-Step Compliance Plan for Your Business. https://www.ftc.gov/tips- shivsahni/FireBaseScanner.
advice/business-center/guidance/childrens-online-privacy-protection-rule- [64] Samet Privacy, LLC. Last accessed Oct. 2020. Official membership page. https:
six-step-compliance. //www.kidsafeseal.com/certifiedproducts/kidoz_sdk_app.html.
[33] Google. 2012. Implementing OAuth 2.0 Authorization. https://developers.google. [65] Samet Privacy, LLC. Last accessed Oct. 2020. Official membership page. https:
com/youtube/v3/guides/authentication. //www.kidsafeseal.com/certifiedproducts/familytime_app.html.
[34] Google. Last accessed June 2020. Multiple Extensions are Compromised in a [66] Sellcell.com. 2019. Kids Cell Phone Use Survey 2019 – Truth About Kids & Phones.
Browser Hijacking Scam. https://support.google.com/chrome/thread/46798301. News article. https://www.sellcell.com/blog/kids-cell-phone-use-survey-2019/.
[35] Google. Last accessed Oct. 2020. Google Firebase. https://firebase.google.com/. [67] Zhiyong Shan, Raina Samuel, and Iulian Neamtiu. 2019. Device Administrator
[36] Paul A Grassi, Ray A Perlner, Elaine M Newton, Andrew R Regenscheid, William E Use and Abuse in Android: Detection and Characterization. In MobiCom.
Burr, Justin P Richer, Naomi B Lefkovitz, Jamie M Danker, and Mary F Theo- [68] Sharon Shasha, Moustafa Mahmoud, Mohammad Mannan, and Amr Youssef.
fanos. 2017. Digital identity guidelines: Authentication and lifecycle management 2019. Playing with danger: A taxonomy and evaluation of threats to smart toys.
[including updates as of 12-01-2017]. Technical Report. IEEE Internet of Things Journal (2019), 2986–3002.
[37] IETF.org. Last accessed Oct. 2020. HTTP Strict Transport Security (HSTS). https: [69] Oleksii Starov and Nick Nikiforakis. 2017. Extended tracking powers: Measuring
//tools.ietf.org/html/rfc6797. the privacy diffusion enabled by browser extensions.. In WWW.
[38] Jon Martindale. 2019. Keep your kids safe online with these great parental control [70] Stiller, Nate. Last accessed Oct. 2020. MAC Address Lookup. https://www.
tools. Article. https://www.digitaltrends.com/computing/best-free-parental- macvendorlookup.com/mac-address-lookup/.
control-software/. [71] Nikhil Tripathi and Neminath Hubballi. 2015. Exploiting dhcp server-side ip
[39] Komodia.com. Last accessed Oct. 2020. Komodia URLs classification SDK. https: address conflict detection: A dhcp starvation attack. In IEEE ANTS. IEEE, 1–3.
//url-classification.io/industry/parental-control/. [72] UK Council for Child Internet Safety (UKCCIS). 2016. Child Safety Online: A
[40] L. Nve. Last accessed Oct. 2020. SSLStrip2. https://github.com/LeonardoNve/ Practical Guide for Providers of Social Media and Interactive Services. On-
sslstrip2/. line article. https://www.gov.uk/government/publications/child-safety-online-a-
[41] Anh Le, Janus Varmarken, Simon Langhoff, Anastasia Shuba, Minas Gjoka, and practical-guide-for-providers-of-social-media-and-interactive-services.
Athina Markopoulou. 2015. AntMonitor: A system for monitoring from mobile [73] Unicef. 2020. Children at increased risk of harm online during global COVID-
devices. In ACM SIGCOMM C2B(I)D. 19 pandemic. Press release. https://www.unicef.org/press-releases/children-
[42] Gaëtan Leurent and Thomas Peyrin. 2019. From collisions to chosen-prefix increased-risk-harm-online-during-global-covid-19-pandemic.
collisions application to full SHA-1. In EUROCRYPT. Springer. [74] U.S. Federal Trade Commission. Last accessed Oct. 2020. COPPA Safe Harbor
[43] Xurong Li, Chunming Wu, Shouling Ji, Qinchen Gu, and Raheem Beyah. 2017. Program. https://www.ftc.gov/safe-harbor-program/.
HSTS Measurement and an Enhanced Stripping Attack Against HTTPS. In Se- [75] Narseo Vallina-Rodriguez, Srikanth Sundaresan, Abbas Razaghpanah, Rishab
cureComm. Springer. Nithyanand, Mark Allman, Christian Kreibich, and Phillipa Gill. 2016. Track-
[44] Meng Luo, Pierre Laperdrix, Nima Honarmand, and Nick Nikiforakis. 2019. Time ing the trackers: Towards understanding the mobile advertising and tracking
Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism ecosystem. arXiv preprint arXiv:1609.07190 (2016).
Support in Mobile Browsers. In NDSS. [76] Verizon. 2019. Verizon 2019 Data Breach Investigation Report. https://enterprise.
[45] Jack Madden and Brian Madden. 2013. Enterprise Mobility Management: Every- verizon.com/resources/reports/2019-data-breach-investigations-report.pdf.
thing you need to know about MDM, MAM, and BYOD. Jack Madden. [77] William Largent. 2017. Vulnerability Spotlight: The Circle of a Bug’s Life. News
[46] Mark Jones, Komando.com. 2018. Parental control app database article. https://blog.talosintelligence.com/2017/10/vulnerability-spotlight-circle.
exposed, leaving kids’ information compromised. News article. html.
https://www.komando.com/happening-now/461381/parental-control-app- [78] Wired.co.uk. 2019. A series of dumb security flaws left millions of EA Origin
database-exposed-leaving-kids-information-compromised. users exposed. News article. https://www.wired.co.uk/article/ea-origin-account-
[47] Abigail Marsh. 2018. An Examination of Parenting Strategies for Children’s Online login-security-flaw.
Safety. Ph.D. Dissertation. Carnegie Mellon University. [79] Pamela Wisniewski, Arup Kumar Ghosh, Heng Xu, Mary Beth Rosson, and
[48] MITMProxy.org. Last accessed Oct. 2020. HTTPS proxy. https://MITMProxy.org/. John M Carroll. 2017. Parental Control vs. Teen Self-Regulation: Is there a middle
[49] MOBSF. Last accessed Oct. 2020. Mobile-Security-Framework-MobSF. https: ground for mobile online safety?. In ACM CSCW. 51–69.
//github.com/MobSF/Mobile-Security-Framework-MobSF. [80] yandex.ru. Last accessed June 2020. AppMetrica tracking URL parame-
[50] Brendan Moran, Hannes Tschofenig, David Brown, and Milosch Meriac. 2019. A ters. https://appmetrica.yandex.ru/docs/mobile-tracking/concepts/postback-
Firmware Update Architecture for Internet of Things. Internet-Draft draft-ietf-suit- specification.html.
architecture-08. Internet Engineering Task Force. https://datatracker.ietf.org/ [81] ZDNet.com. 2019. The latest dark web cyber-criminal trend: Selling children’s
doc/html/draft-ietf-suit-architecture-08 Work in Progress. personal data. News article. https://www.zdnet.com/article/the-latest-dark-web-
[51] OpenWrt Project. Last accessed Oct. 2020. OpenWrt. https://openwrt.org/. cyber-criminal-trend-selling-childrens-personal-data/.
[52] PCMag.com. 2019. The Best Parental Control Software for 2019. https://www.
pcmag.com/article2/0,2817,2346997,00.asp/.
[53] Pew Research Center. 2016. Parents, Teens and Digital Monitoring. Sur- 8 APPENDIX
vey report, http://www.pewinternet.org/2016/01/07/parents-teens-and-digital-
monitoring/. In this appendix, we first provide some recommendations for parental
[54] Pierluigi Paganini. 2018. Parental control spyware app Family Orbit hacked, control solution providers. Then, we present the corpus of parental
pictures of hundreds of monitored children were exposed. News article. https:
//securityaffairs.co/wordpress/75888/data-breach/family-orbit-hacked.html.
control tools that we evaluated. Then, we provide a summary of the
[55] Portswigger.net. Last accessed Mar. 2020. The Burp Suite family. https:// techniques adopted by the analyzed Android solutions to monitor
portswigger.net/burp. child activities. Finally, we report our observations of tracking and
[56] Exodus Privacy. Last accessed Mar. 2020. The privacy audit platform for Android
applications. https://reports.exodus-privacy.eu.org/en/trackers/. PII sharing done by third-party SDKs and libraries embedded in
these parental control tools.
Betrayed by the Guardian ACSAC 2020, December 7–11, 2020, Austin, USA

8.1 Recommendations Table 3: List of parental control Android solutions. * denotes

versions downloaded from vendor websites with extra fea-
In what follows, we list our recommendations for parental control
tures; P, T refer to premium and trial versions, respectively.
solution providers.
Addressing vulnerabilities. Because of the sensitivity of the in- Solution Installs App package name Version
formation manipulated by the parental control tools, companies Circle 10K+ com.meetcircle.circle P2.8.0.2
should conduct regular security audits; the issues we listed in io.familytime.dashboard P2.1.0.210
Sec. 3.3 can serve as a starting point. Moreover, they should have FamilyTime 500K+ io.familytime.parentalcontrol P3.0.5.3196.ps
io.familytime.parentalcontrol(*) P4.0.6.4209.web
a process to address vulnerabilities such as responsible disclosure FamiSafe 500K+ com.wondershare.FamiSafe P3.0.9.107
and bug bounty programs. Currently, none except Kaspersky and FindMyKids 10M+
org.findmykids.app T1.9.9
Bitdefender participates in such programs. org.findmykids.child T1.9.9
com.kidoz P4.0.5.8
Enforcing best practices. Parental control companies should rely Kidoz 1M+
com.kidoz.demo.go(*) P4.0.6.3
on publicly available guidelines and best practices, including proper KidControl 1M+
ru.kidcontrol.gpstracker T4.0.9
app.gpsme Tk5.2.10
API endpoint authentication and web security standards [29, 30]. com.kiddoware.kidsplace P3.5.6
We also strongly encourage companies to adopt a strong password com.kiddoware.kidsafebrowser P1.7.8
policy in their products, because the use of default, weak and stolen KidsPlace 5M+ com.kiddoware.kidsvideoplayer P1.7.8
com.kiddoware.kidsplace.remotecontrol P1.4.5
credentials has been exploited in many known data breaches [76]. com.kiddoware.kidspictureviewer P1.0.9
In the case of network devices, manufacturers should employ a Life360 50M+ com.life360.Android.safetymapd T18.7.1
com.mmguardian.parentapp P3.6.4
secure firmware update architecture (see e.g., IETF [50]). Adopting MMGuardian 1M+ com.mmguardian.childapp P3.7.7
known best practices is critical due to the especially vulnerable com.mmguardian.childapp(*) P10003.9.5
user base of these products. MobileFence 1M+
com.mobilefence.family T2.9.3.1
com.mobilefence.family.plugin(*) T1.4
Monitoring account activities. Parental control tools should re- com.qustodio.qustodioapp T180.14.2.2-family
Qustodio 1M+
port suspicious activities on the parent’s account such as password com.qustodio.qustodioapp(*) T680.14.2.2-family
com.screentime.rc T3.11.23
changes and accesses from unrecognized devices. These activities ScreenTime 1M+
com.screentime T5.3.23
could indicate account compromise. com.infoweise.parentalcontrol.secureteen T8.0.0
SecureTeen 1M+ com.infoweise.parentalcontrol.secureteen.child T1.6000.5
Limiting data collection. Parental control tools should limit the com.infoweise.parentalcontrol.secureteen.child(*) T1.7001.0
collection, storage, and transmission of the children’s data to what
is strictly necessary. For instance, the solution should not store PII
not required for the solution’s functionality. The parental control
tools should also allow the parent to selectively opt-out of the data
collection in certain features. Table 4: List of parental control Windows applications and
their corresponding websites’ popularity (traffic/ranking);
Securing communication. Transmission of PII should happen ex-
we analyzed the lasted versions available.
clusively over secure communication channels. The solution should
utilize MITM mitigation techniques such as host white-listing, cer-
Application # of visits/day Main countries World Alexa rank
tificate pinning, and HSTS [37].
Limiting third-parties and SDKs. Parental control tools should Qustodio 27K US 85,673
Kaspersky 1,400K IN, US, RU 2,114
limit the usage of trackers and tracking SDKs in apps intended for Dr. Web 84K US 40,515
children. For the SDKs that allow special parameter for children’s Norton 6,400K US 431
apps, those parameters must be used appropriately. Spyrix 21K UK 230,966
Kidswatch NA NA 2,175,932
8.2 Parental Control Solutions Corpus KidLogger 4.2K PE 156,645
Kurupira 17K BR 84,918
Tables 2, 3, 4 and 5 provide some information about the corpus of
the parental control solutions analyzed throughout our study.

Table 2: List of parental control devices and their firmware

versions. Table 5: List of parental control Chrome extensions.

Extension Installs ID Version

Device Version
Circle Home Plus 3.10.0.2 Blocksi Web Filter 40K+ pgmjaihnmedpcdkjcgigocogcbffgkbn 1.0.144
Parental control 3K+ bdjgolepmhcchlgncgkmobepknekjbkd 1.0.22
KoalaSafe 1.26825 TinyFilter 20K+ epniipcfpbjliciholgdeipceecgcfmj 2016.11.1.1
KidsWifi 1.165 Porn Blocker 10K+ kmillccnmojidmkhhjngjlalnbhpobcl 1.5. 2
Blocksi Router 2.4 Adult Blocker 80K+ onjjgbgnpbedmhbdoikhknhflbfkecjm 6.2.8
Bitdefender 2.1.66.4 Anti-porn addon 20K+ peocghcbolghcodidjgkndgahnlaecfl 2.20.0
MateCode Blocker 80K+ gppopmmjibhcboobpmfombbkoehgicoh 1.0.5
Roqos 1.30.24
MetaCert 20K+ dpfbddcgbimoafpgmbbjiliegkfcjkmn 0. 10.18
HomeHalo 1.0.0.8 FamilyFriendly 7K+ epdelmeadnnoadlcalkmacoopocdafnp 0.9.0
Fingbox 0.5-2ubuntu4 Kids Safe Web 3K+ lakceedfffnfheaipjadbcndkldlplnd 1.0.7
 ACSAC2020,
ACSAC 2020,December
December7–11,
7–11,2020,
2020,Austin,
Austin,USA
USA S.S.Ali
Alietetal.
al.

8.3 Techniques
8.3 TechniquesAdopted
Adoptedby
byAndroid
Androidsolutions
solutions 100%
100%
Shared
Shared
Table66provides
Table providesaasummary
summaryofofsomesometechniques
techniquesadopted
adoptedbybythe
the Children
Children
analyzed Android solutions. Four Android solutions (MMGuardian, 80%
80% Parents
Parents
analyzed Android solutions. Four Android solutions (MMGuardian,
MobileFence,Qustodio,
MobileFence, Qustodio,and
andSecureTeen),
SecureTeen),distributed
distributedvia
viatheir
theircom-
com-

apps
Percentageofofapps
60%
60%
panywebsites,
pany websites,support
supportadditional
additionalfeatures
featurescompared
comparedtototheir
theirGoogle
Google
Playstore
storeversion.
version.

Percentage
Play
40%
40%

Table6:6:Techniques
Table Techniquesusedusedto
tomonitor
monitorchild
childactivities
activitiesinclud-
includ- 20%
20%
ingweb
ing webfiltering,
filtering,phone
phonecalls,
calls,SMS,
SMS,and
andsocial
socialmedia.
media.
: :refers
refersto
toservice
servicesupported
supportedby byGoogle
GooglePlay
Playversion;
version; 0%
0%

Analytics
CrashLytics
Login
Share
Analytics
Analytics

DoubleClick
Analytics

DoubleClick
Analytics

Analytics
Manager
Places

Analytics
CrashLytics

Analytics
Analytics
Places
DoubleClick
Ads

Manager

Places
CrashLytics
Ads

Login
Share

Login
Share
Ads

Manager
G
#: :refers
refersto
toaafeature
featuresupported
supportedby byaaversion
versiondistributed
distributedvia
via

Analytics
CrashLytics
Login
Share
Analytics
TagAnalytics

DoubleClick
Analytics

DoubleClick
Analytics

Analytics
Manager
Places

Analytics
CrashLytics

CrashLytics

Analytics
Analytics
Places
GoogleDoubleClick
Ads

Manager
GoogleAds

Share
FacebookLogin
FacebookPlaces

Login
Share
Ads

TagManager
Google

Google
thecompany
the companywebsite.
website.

Google

Google

Google
Facebook

Facebook
Facebook

Facebook
Facebook

Facebook

Facebook
Facebook

Facebook

Facebook
Facebook

Facebook

Facebook
Facebook

Facebook

Facebook
Google Tag
Firebase

Google Firebase
Google
Facebook

Google

Facebook

Firebase

Google
Facebook
Tag

Tag

GoogleTag
Firebase

Google
Facebook

Firebase
Google

Facebook

Firebase

Google
Facebook
Google

Google

Google
Google

Google
GoogleGoogle

Google

GoogleGoogle
Google

Google

Google
Google
Google

Google

Google
MobileFence17
MMGuardian

SecureTeen18
FindMyKids
FamilyTime

ScreenTime

Google

Google

Google
KidControl
FamiSafe16

KidsPlace

Qustodio
Life360
Circle

Kidoz

Technique Figure 3:3: Tracking

Figure Tracking SDKs
SDKs present
present inin Android
Android apps
apps found
found
Superuser request
throughstatic
through staticanalysis,
analysis,see
seeSec.
Sec.5.7.
5.7.
Activate device admin
Monitor user actions
Retrieve window content
Observe typed text 100%
100%
Turn on explore by touch Parents
Parents
Enhanced web accessibility Children
Children
80%
80%
App usage statistics
Setup VPN connection
apps
Percentageofofapps

Install custom browser 60%

60%
Run MDM Agent
Percentage

Read history bookmarks

40%
40%
Komodia SDK
Make/manage phone calls
SMS permission 20%
20%
Notification access
Access fine location
0%
0%
Custom SMS app
doubleclick.net
google-analytics.com

googleadservices.com

google-analytics.com
doubleclick.net

googleadservices.com
facebook.com
facebook.net
googletagmanager.com
crashlytics.com
google.com

google.ca
gstatic.com
crashlytics.com
facebook.com

google.com
adjust.com

newrelic.com
google.ca

nr-data.net
doubleclick.net
google-analytics.com

googleadservices.com

google-analytics.com
doubleclick.net

googleadservices.com
facebook.com
facebook.net
googletagmanager.com
crashlytics.com
google.com

google.ca
gstatic.com
crashlytics.com
facebook.com

google.com
adjust.com

newrelic.com
google.ca

nr-data.net
Facebook Login
YouTube OAuth
Custom video player
Take screenshot

8.4 Third-Parties
Third-PartiesAnalysis
AnalysisResults
Results Figure4:4:Tracking
Figure TrackingSDKs
SDKspresent
presentininAndroid
Androidsolutions
solutionsfound
found
8.4 through dynamic analysis, see Sec.
through dynamic analysis, see Sec. 5.7.5.7.
Table77shows
Table showsthe theuse
useofofthird-party
third-partytracking
trackingSDKs
SDKsininthe
theana-
ana-
lyzed 153 Android apps. We used MOBSF [49] to extract the list ofof
lyzed 153 Android apps. We used MOBSF [49] to extract the list
third-partytracking
third-party trackingSDKs
SDKsfrom
fromallallapps
appsbased
basedon
onExodus-Privacy’s
Exodus-Privacy’s
tracker list. On average, we found 4.5 SDKs per
tracker list. On average, we found 4.5 SDKs per app (max app (max1010SDKs)
SDKs) Table7:7:Use
Table Useof
oftracking
trackingSDKs
SDKsin inchildren
childrenapps,
apps,shared
sharedapps
apps
in children apps. The average number of SDKs increases
in children apps. The average number of SDKs increases to about to about (i.e., the same is used by both parents and children), and
(i.e., the same is used by both parents and children), and par-par-
5.3 SDKs per app in shared apps and parent apps.
5.3 SDKs per app in shared apps and parent apps. We also foundWe also found entapps
ent appsfound
foundthrough
throughstatic
staticanalysis.
analysis.
GoogleFirebase
Google FirebaseAnalytics,
Analytics,Google
GoogleCrashLytics
CrashLyticsarearepresent
presentininover
over
50% of all types of apps; see Fig. 3. We also identified tracking
50% of all types of apps; see Fig. 3. We also identified tracking third- third- Children Shared
Shared Parent
partySDKs
SDKsfrom fromnetwork
networktraffic
trafficgenerated
generatedduring
duringourourdynamic
dynamic Children Parent
party apps
apps apps
apps apps
apps
analysis; see Fig.
analysis; see Fig. 4. 4.
## Android
Android apps
apps 51
51 78
78 24
24
1616FamiSafe
FamiSafeAndroid
Androidapp
appgets
getsfull
fullaccess
accesstotothe
thechild’s
child’sYouTube
YouTubeaccount
accountincluding
including ## Unique
Unique tracking
tracking SDKs
SDKs 35
35 41
41 31
31
rightstotoview,
rights view,edit,
edit,delete
deletethe
thechild’s
child’sYouTube
YouTubevideos
videosandandplaylists,
playlists,and
andrate
ratevideos,
videos, ## apps
apps with
with tracking
tracking SDKs
SDKs 44
44 73
73 22
22
post,edit/delete
post, edit/deletecomments
commentsand andcaptions.
captions.
1717MobileFence
MobileFenceinitially
initiallysetup
setupbybydefault
defaulttotomonitor
monitorboth
boththe
thechild
childand
andparent
parentdevices.
devices. Average ## SDKs
Average SDKs perper app
app 4.5
4.5 5.3
5.3 5.4
5.4
1818SecureTeen
SecureTeenAndroid
Androidappappuses
usesaakeylogger
keyloggertotorecord
recordall
allsocial
socialmedia
mediaactivities
activitieson
onthe
the Max ## SDKs
Max SDKs perper app
app 10
10 22
22 12
12
childdevice.
child device.
Betrayed by the Guardian ACSAC 2020, December 7–11, 2020, Austin, USA

8.5 Data Sharing and Privacy Leaks Table 10: Sharing PII with third-parties.
Table 8 lists the personal information used to detect PII data in
network traffic. Tables 9 and 10 show the PII transmitted by Android Solution Shared PII 3rd-parties (number, domains [max. 2]) *

solutions in plaintext through HTTP, and PII shared with third- Circle Child Android ID 1 (kochava.com)
Circle Parent Android ID 2 (kochava.com, mixpanel.com)
parties, respectively. Circle Child/parent AAID 1 (kochava.com)
Circle Child/parent AP BSSID 1 (kochava.com)
Table 8: The list of personal information used to detect PII Circle Child/parent AP SSID 1 (kochava.com)
Circle Child name 1 (intercom.com)
data in network traffic. Circle Parent email 5 (intercom.com, apptentive.com)
Circle Parent name 3 (facebook.com, mixpanel.com)
Circle Child mobile carrier 1 (kochava.com)
PII Description Circle Parent mobile carrier 2 (kochava.com, apptentive.com)
AAID Android Advertising ID FamilyTime Child name 1 (facebook.com)
Android ID Android ID generated on device setup FamilyTime Child email 1 (facebook.com)
GSF ID Google Services Framework ID FamilyTime Child phone # 1 (facebook.com)
Phone Serial Mobile serial number FamilyTime Parent email 11 (doubleclick.net, facebook.com)
IMEI Phone equipment ID FamilyTime Parent name 11 (fastspring.com, google-analytics.com)
SIM ID SIM card ID FamilyTime Parent address 1 (fastspring.com)
AP BSSID MAC addresses of used hotspots FamilyTime Parent AAID 1 (facebook.com)
AP SSID SSIDs of used hotspots FamilyTime Parent mobile carrier 1 (facebook.com)
Nearby AP BSSID MAC addresses of surrounding hotspots FamilyTime Parent phone # 1 (fastspring.com)
Nearby AP SSID SSIDs of surrounding hotspots FamiSafe Child AAID 1 (graph.facebook.com)
MAC Address MAC address of the WiFi interface FamiSafe Child name 1 (facebook.com)
IP address IP address of the WiFi interface FamiSafe Child Geolocation 1 (maps.googleapis.com)
BD ADDR MAC address of the Bluetooth interface FamiSafe Child browsing history 2 (facebook.com, google-analytics.com)
Google Email Google play account email address FamiSafe Child device carrier 1 (graph.facebook.com)
User credentials Account ID and password Kidoz Child AAID 1 (googleapis.com)
Name User’s first and last names FindMyKids Child/parent AAID 3 (yandex.net, facebook.com)
Email User’s email address FindMyKids Child/parent Android ID 1 (yandex.net)
Phone # User’s phone number FindMyKids Child Geolocation 2 (openstreetmap.org, yandex.net)
Geolocation Latitude & Longitude FindMyKids Child Nearby AP BSSID 1 (yandex.net)
Contacts Contact list entries FindMyKids Child Nearby AP SSID 1 (yandex.net)
Browsing history Visited URLs in browser FindMyKids Child/parent mobile carrier 1 (facebook.com)
Used App Apps used on the device KidControl Child Geolocation 1 (openstreetmap.org)
Installed Apps Apps installed on the device KidControl Parent email 1 (firestore.googleapis.com)
Social messages SMS/social media messages KidsPlace Child AAID 2 (google-analytics.com, onesignal.com)
Search history Search strings used on Google or Youtube KidsPlace Child mobile carrier 1 (onesignal.com)
Mobile carrier User’s mobile carrier KidsPlace Child Geolocation 1 (maps.googleapis.com)
Address User’s address (street name, city, country, and postal code) KidsPlace Parent email 1 (sendgrid.com)
Life360 Child Android ID 1 (branch.io)
Life360 Parent Android ID 2 (branch.io, amazonaws.com)
Life360 Child AAID 3 (appsflyer.com, branch.io)
Life360 Parent AAID 4 (appsflyer.com, facebook.com)
Table 9: Android solutions sending sensitive data in plain- Life360 Child/parent name 2 (braze.com, pubnub.com)
text. Life360 Child email 2 (helpshift.com, braze.com)
Life360 Parent email 3 (helpshift.com, braze.com)
Life360 Child/parent local IP 1 (branch.io)
Solution Data Destination Life360 Child/parent Geolocation 3 (locationiq.com, braze.com)
Life360 Parent phone # 1 (amazonaws.com)
Kidoz Account username/password kidoz.net Life360 Parent AP BSSID 1 (amazonaws.com)
Kidoz Child name kidoz.net Life360 Parent AP SSID 1 (amazonaws.com)
KidsPlace Child Android ID kiddoware.com Life360 Child/parent mobile carrier 3 (appsflyer.com, braze.com)
KidsPlace Child phone serial kiddoware.com MMGuardian Child/parent AAID 2 (facebook.com, googleadservices.com)
KidsPlace Parent email kiddoware.com MMGuardian Child browsing history 1 (komodia.com)
MMGuardian Child/parent mobile carrier 1 (facebook.com)
KidControl Child Geolocation kid-control.com
MobileFence Parent email & name 1 (livechatinc.com)
KidControl Parent email kid-control.com MobileFence Parent AAID 1 (googleadservices.com)
KidControl Parent name kid-control.com MobileFence Child Geolocation 2 (googleapis.com, amazonaws.com)
Life360 Child name pubnub.com MobileFence Child browsing history 1 (google.com)
Life360 Parent name pubnub.com Qustodio Child/parent Android ID 2 (amazonaws.com, rollout.io)
Qustodio Child/parent AAID 1 (adjust.com)
MMGuardian Account username/password * mmguardian.com
Qustodio Parent email 3 (adroll.com, braze.eu)
MMGuardian Parent email mmguardian.com Qustodio Parent name 1 (referralcandy.com)
MMGuardian Parent IMEI mmguardian.com Qustodio Child used app 1 (google-analytics.com)
MMGuardian Parent/child phone # mmguardian.com Qustodio Child/parent mobile carrier 1 (braze.eu)
MMGuardian Parent phone serial mmguardian.com ScreenTime Child/parent AAID 1 (graph.facebook.com)
MMGuardian Browsing history komodia.com ScreenTime Child Android ID 4 (facebook.com, googleapis.com)
ScreenTime Parent Android ID 1 (appspot.com)
MMGuardian Parent AAID mmguardian.com ScreenTime Child name 3 (appspot.com, facebook.com)
MMGuardian Child Geolocation mmguardian.com ScreenTime Parent email & name 2 (appspot.com, facebook.com)
MMGuardian Child installed apps mmguardian.com ScreenTime Child Geolocation 4 (google.com, googleapis.com)
SecureTeen Parent email secureteen.com ScreenTime Child installed apps 1 (appspot.com)
SecureTeen Parent name secureteen.com ScreenTime Parent Mobile carrier 1 (facebook.com)
ScreenTime Child/parent mobile carrier 1 (graph.facebook.com)
*: The parent’s password is hashed using SHA1 without salting. SecureTeen Parent email 27 (adroll.com, ads.yahoo.com)
SecureTeen Child browsing history 1 (komodia.com)
SecureTeen Child Geolocation 1 (google.com)
*: Number of domains limited to 2 to fit display; AAID refers to Android Advertising ID;
We use the word “domain” to refer to second-level domains.