Angel or Devil? A Privacy Study of Mobile Parental Control Apps

Abstract

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps use, Internet browsing, calls, and text messages). In order to offer this service, parental control apps require access to sensitive data and system resources which may significantly reduce the dangers associated with kids’ online activities, but it also raises important privacy concerns which are overlooked by European security centers providing recommendations to the public. We conduct the first in-depth study of the Android parental control applications ecosystem from a privacy and regulatory point of view. We exhaustively study 46 apps which have a combined 20M installs in the Google Play Store. Using a combination of static and dynamic analysis we find that, among others: these apps are on average more permission-hungry than the top 150 apps in the Google Play Store, and tend to request more dangerous permissions with new releases; 11% of the apps transmit personal data in the clear; 34% of the apps gather and send personal information without appropriate consent; and 72% of the apps share data with third parties (including online advertising and analytics services) without mentioning their presence in the apps’ privacy policies. In summary, parental control applications lack of transparency and lack of compliance with regulatory requirements can have severe implications for children’s privacy. Therefore, it is necessary to develop stricter auditing tools that incorporate transparency and privacy risk analysis before recommending their use to concerned parents.