The hidden costs of parental control apps

Why parental control apps aren’t the answer to protecting your kids online

Fabian Densborn and Bernhard Gründling of the SEC Consult Vulnerability Lab recently discovered several security vulnerabilities in popular parental control apps for the Android platform. During their analysis, they found out that the parent web dashboards were susceptible to cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks.

These vulnerabilities allowed the attacker to bypass the restrictions set by the parents, or even attack the parents themselves. Additionally, the Android apps’ restrictions imposed by the parents could be easily bypassed by the children by removing the necessary permissions in the settings app or by using the safe mode feature of Android. Since many of these apps collect a lot of private data of children, and some may even store the data in the cloud beyond the reach of GDPR, the privacy of the surveilled children may be at risk.

The SEC Consult Vulnerability Lab is already in contact with some of the vendors mentioned below through our responsible disclosure process. The identified security vulnerabilities should be fixed in the near future, according to the vendors. We are going to release further technical details through security advisories after those patches are publicly available.

Introduction

Nowadays, children have access to smartphones or tablets at an early age or already possess their own devices. To block and control access to potentially harmful or non-child-friendly content or restrict usage times, parents often install parental control apps on the children's devices. The goal of this infosec research was to find out whether the apps' users are properly separated from each other in order to prevent unauthorized third parties accessing their data or devices. Moreover, we wanted to find out which and how much data is being collected and stored by these apps in general.

We examined the information stored on the device and at the app provider (e.g. cloud storage) and paid close attention to the features that enable parental management of the child device. We investigated if it was possible to circumvent authorization checks so that remote or local attackers could access features of the child devices or gain access to personal information of other users of those applications.

This blog post describes which apps were looked at, the methodology used to analyze the apps and the identified vulnerability classes. As mentioned above, we currently won’t provide detailed technical information, because some applications are still vulnerable to those attacks and some issues might not be easily resolved.

We wanted to perform this research to assess the security of those tools, because we are using some of them privately as well.
Johannes Greil, Head of SEC Consult Vulnerability Lab

Overview of analyzed apps

The following table lists the apps which have been briefly analyzed, based on the methodology mentioned below. The scope of this research is restricted to parental control apps for the Android mobile platform and no full security review has been performed for any of these apps. The download and version information from the table below has been taken from the Google Play store. The information regarding available privacy policy, imprint and the location of the vendors' headquarters have been found on their respective websites. 

App Package name Downloads Version Web dashboard available Privacy policy / imprint available Vendor HQ location
familytime.io Parent: io.familytime.dashboard
Kids: io.familytime.parentalcontrol
1M+  Parent: 3.2.1.367
Kids: 3.1.0.3279.ps
Yes Yes / Yes Japan
Boomerang  com.nationaledtech.Boomerang  100K+  13.53 & 13.61 
Yes Yes / Yes  Canada 
Quostodio  Parent: com.qustodio.family.parental.control.app.screentime 
Kids: com.qustodio.qustodioapp
1M+  Parent: 180.10.2 
Kids: 180.60.0.2 
Yes Yes / Yes  Spain 
Wondershare FamiSafe  com.wondershare.famisafe  1M+  5.7.4.209  Yes Yes / Yes 
Hongkong 
Find My Kids  Parent: org.findmykids.app 
Kids: org.findmykids.child 
10M+  02.04.85 Yes Yes / Yes  USA 
Parental Control Kroha  ua.com.tim_berners.parental_control  1M+  03.06.02 Yes / Yes 
Ukraine 
Kids Place Parental Controls  com.kiddoware.kidsplace 5M+  3.8.45 & 3.8.49  Yes Yes / Yes 
USA 
Parental Control App  Parent: kz.sirius.kidssecurity 
Child: kz.sirius.siriuschat
1M+  1282 Yes / Yes 
Kazahstan 

Methodology

This section covers the analysis of the Android apps and which tools we used for this purpose.

Static Analysis

We started our analysis with the MobSF framework to get an overview of the different apps in scope, the related permissions and potentially low-hanging fruits regarding security issues.

Some apps allow to be backed up using the Android Debug Bridge (ADB) as the corresponding flag to prevent this (android:allowBackup="false") was not set in the manifest by the developers. ADB is a command-line tool that allows developers to communicate with an Android device. Besides creating backups of Android apps, it can be used to issue a variety of commands to an Android device, such as installing and debugging apps, changing various device settings, and more. If attackers were to gain access to such a backup, they would be able to extract potentially sensitive configuration files or locally stored private data of the children.

We also noticed that many of these apps have a flag set for allowing plain text connections (android:usesCleartextTraffic="true"). This flag enables the application to use unencrypted communication, which an attacker on the same network can easily gain access to. For example, a simple man-in-the-middle attack could be used to sniff user credentials or other PII data. But since all of the tested apps have employed transport layer encryption (TLS), it is unclear why this flag was set, as this gives developers the option to send unencrypted requests.

Next, we checked if there are any hard-coded credentials to be found in the source code which might allow an attacker to perform further attacks. All identified API keys were checked against the possibility of misuse due to a lack of API key restrictions.

Dynamic Analysis

For the dynamic analysis, we installed the apps on physical, rooted test devices: Google Pixel 4a with Android 11

After registering and playing around with the respective apps, we manually checked the internal memory using ADB. After determining which data is stored on the device, we tried intercepting the traffic to see where data is being sent and which data is being collected in the first place.

Some of the analyzed apps had security measures like certificate pinning in place (a measure against man-in-the-middle sniffing attacks), but all of them could easily be circumvented by using the Universal SSL Pinning Bypass script for Frida. This enabled us to further analyze the API calls of the applications to their cloud servers using proxy tools such as Burp Suite and to check whether attackers could access data of other users/children (in this case our own test devices), e.g. through insecure direct object references.

Web Dashboard

Most apps even had a web dashboard for parents that could be used to place restrictions on the child's device or even perform actions on it. In most cases, the functionality of the web dashboard was the same as the parental app. But some apps offered additional functions in the web dashboard, such as geofencing features or even more available restrictions and notification settings.

Again, the network requests were intercepted and analyzed through proxy tools. We looked at which data is being stored and paid special attention to the functions that enable controlling the child's device. It was interesting to see whether it was possible to bypass authorizations, if devices could be controlled by other users or if children were able to attack their parents via those dashboards.

Vulnerability Classes Overview

During testing, we looked at many different test classes of the OWASP Mobile Application Security Testing Guide (MASTG) and Web Security Testing Guide (WSTG) frameworks although the focus of this research was particularly on authorization vulnerabilities. The aim was to check if users have access to other users' data and if they can control or read out other children's (or parents’) smartphones or tablets this way. None of the tested apps allowed to control other devices. 

However, in one of the tested apps, some data like a list of installed apps or other usage metadata (e.g. total SMS, app usage time, contacts count, etc.) could be read out from another device via the API.

Apps providing a web dashboard for the parents are often vulnerable to typical web-based attacks such as cross-site request forgery (CSRF), clickjacking and cross-site scripting (XSS).

Two of the tested apps allowed an attack against their own parent device using a cross-site scripting (XSS) JavaScript payload. If a parent used the web dashboard of the app, the children’s device could perform arbitrary actions on behalf of the parents and potentially bypass current restrictions or gain access to the parents' user credentials.

Another one of the tested parental control apps allowed the child's app to extend its own rights via the API due to a lack of proper session management. Possible actions on behalf of the parents included deactivation of all restrictions!

On all tested apps, the set restrictions could be bypassed by revoking the app's permissions via the Android settings. As a result, children were able to use their smartphone without any restrictions imposed.

All the tested applications rely on a few special Android permissions like „Device administration", „Usage access", „Accessibility" and "Draw over other apps" permissions. Due to the nature of the Android platform security model and its multi-party consent mechanism, the device owner will always have the option to remove permissions from an app.

Some reviewed applications try to prevent this by e.g. drawing overlays on top of system settings.

However, when booting into Android Safe Mode (long-press the "Power off" or "Reboot" button on the phone), all third-party applications are disabled and therefore the app can be uninstalled, or its permissions can be revoked. Hence it was possible to remove the mentioned permissions of the child app and bypass imposed restrictions. By disabling Internet access during this procedure (during safe mode), parents would also not get notified of these changes.

One effective way to prevent the bypass would be to provide a fully managed device controlled by a Device Policy Controller which acts as the device owner. None of the assessed apps make use of this special Android feature. It would take some extra steps to set up, requiring a computer and ADB access to the child's device, making this an unfeasible solution for most parents.

 

Vulnerability count

Boomerang Familytime Find my Kids Kidssecurity Parental Control Kids Place Parental Control Parental Control Kroha Qustodio Wondershare
4 2 1 2 5 2 1 1

The table above shows the amount of identified vulnerabilities for each app. As mentioned, we won't publish any further details as long as the vulnerabilities have not been fixed by the vendors. Please keep in mind, that the security checks were timely limited for each app and no detailed security review was performed. An app having only one (currently known) security issue does not render that app more secure than an app with two issues.

Samsung KNOX remarks

During our research, we briefly had the opportunity to check out a Samsung Galaxy S9 device of a child and a Samsung Galaxy S22 Ultra as the parent device. Thanks to Samsung KNOX, one of the tested parental control apps (Boomerang), that was installed on this device, allowed an even more fine-grained approach to set security restrictions. It could be verified that if Samsung KNOX is available on the phone, a parent could disable shutting down the phone or booting into safe mode. Further research was not performed regarding other available Samsung KNOX features, nor was Samsung KNOX in scope of this review but it could be verified that the “Safe mode” bypass mentioned above could not be exploited on this device.

Screenshot of the Web Dashboard of the Boomerang app: further Samsung KNOX restriction features available in web dashboard

Privacy Concerns

Parental control apps store and transmit a lot of private and highly sensitive information, including the list of installed apps, the usage behavior of children on their devices, stored contacts, photos, GPS location, phone call metadata, and incoming notifications or even full contents of text messages. This could also break the assumed confidentiality of messages sent via end-to-end encrypted messaging apps.

Here is a list of identified vendor website locations (used by the vendors for their online presence, documentation or download of the apps) which were verified based on the IP addresses and domains. Please keep in mind that this information might change in the future and could be dependent on your geolocation as well.

Vendor location information

App Website IP address Country Hosting provider
Familytime familytime.io 52.41.209.2 United States AWS
Boomerang useboomerang.com 52.6.209.77 United States MS
Qustodio qustodio.com 18.66.15.17 Austria Cloudfront
Wondershare famisafe.wondershare.com 104.83.4.209 Austria Akamai
Find my Kids findmykids.org 81.163.16.10 Russian Federation Selectel Network
Parental Control Kroha parental-control.net 116.203.4.110 Germany Hetzner
Kids Place Parental Control kiddoware.com 52.26.248.67 United States AWS
Kidssecurity Parental Control kidsecurity.org 185.98.5.225 Kazakhstan Hoster.KZ

When using parental control apps, parents should be aware that this information ends up on the servers of the app vendors and a lot of trust is put in the provider of the software. Unfortunately, all of the examined app servers have access to the stored data since it is not end-to-end encrypted before it leaves the child’s device (transmission over the network is secured via TLS though). In the event of a data leak, all that sensitive information would be accessible to attackers in plain text.

We also found several third-party servers which were contacted while using the respective applications. These are mainly used to track the user's usage behavior inside the application or web dashboard. Some of them perform very detailed tracking of mouse movement and clicks. For example, the web dashboard of Find My Kids sends varying amounts of data – depending on the mouse movement – to a Russian tracking domain (mc.yandex.ru). A compilation of such servers can be seen in the table further below.

Since you have to trust the software provider and have little control over the child's data, picking the right parental control app is not an easy task.

The following table lists all identified 3rd party domains or servers that are being contacted upon using the web dashboards or websites of the vendor. This list is not necessarily complete and also may change in the future. It is noticeable that nearly all use some sort of tracking services.

List of contacted hosts per app

App Hosts
Familytime dashboard.familytime.io, familytime.io, www.google-analytics.com, region1.google-analytics.com, widget-mediator.zopim.com, stats.g.doubleclick.net, googleads.g.doubleclick.net, familytime.zendesk.com, www.google.com, www.facebook.com
   
Boomerang app.useboomerang.com, netdna.bootstrapcdn.com, maps.googleapis.com, ajax.googleapis.com, google-anlytics.com, static.zdassets.com, ekr.zdassets.com, khms1.googleapis.com, boomerangsupport.zendesk.com, widget-mediator.zopim.com
   
Qustodio *.rollout.io, api.hermes.qustodio.com, *.qustodio.com, bam.nr-data.net, browser.sentry-cdn.com, cdn.segment,com, cookiebot.com, d.impactradius-event.com, doubleclick.net, js-agent.newrelic.com, maps.googleapis.com, qustodio.sjv.io, google-analytics.com, braze.eu, static.hotjar.com, googletagmanager.com, gstatic.com
   
Wondershare Famisafe famisafe.wondershare.com, analytics.300624.com, app-api-pro.famisafe.com, www.facebook.com, region1.analytics.google.com
   
Find my Kids my.findmykids.org, api.findmykids.org, mc.yandex.ru, fonts.gstatic.com, www.googletagmanager.com, c.tile.openstreetmap.org, region1.analytics.google.com
   
Parental Control Kroha api.parentalcontrolkroha.net
   
Kidsplace onesignal.com, facebook.net, stripe.com, kiddoware.com, doubleclick.net, weareoutman.github.io, google-analytics.com googletagmanager.com
   
Kidssecurity Parental Control report.appmetrica.yandex.net, geocode-maps.yandex.ru, svc.kidsecurity.tech, *.googleapis.com

Tips for parents on how to choose parental control apps

Parental control applications all seem to have various flaws, so it sadly comes down to your own risk assessment. When choosing third-party apps, we recommend reviewing the vendors' reputation carefully. This includes online reviews, imprint, terms and conditions and privacy policy information of the vendor.

Here are a few more questions to get you started:

  •     Are you willing to trust the provider?
  •     Are you aware of and okay with where they are storing the PII data?
  •     Is the vendor support communicative and do they provide relevant information to end users?
  •     Can this information be verified? 
  •     Is the vendor located in a country which adheres to GDPR data protection governance?

For example, a recently published blog post by the SEC Consult Vulnerability Lab showed that eufyCam / Anker was marketing “local storage only” as a feature for their surveillance cameras, but transmitted sensitive data to the cloud nevertheless.

The following servers are being used by the vendors for the backend communication (API). All of the kids' usage data is being stored unencrypted there, as mentioned in the "privacy concers" chapter above.

Where does your kids' data go

API servers of tested parental control apps
App Domain IP Address Country Hosting provider
Familytime mesh2.familytime.io 54.214.103.107 United States AWS
Boomerang app.useboomerang.com 23.96.102.165 United States MS
Quostodio api.qustodio.com 34.193.42.147 US AWS
Wondershare us-west-data-api.famisafe.com 47.88.22.34 US Alicloud
Find my Kids api.findmykids.org 159.69.174.250 Germany Hetzner
Parental Control Kroha api.parentalcontrolkroha.net 116.203.4.110 Germany Hetzner
Kids Place Parental Control kidsplace.kiddoware.com 54.148.41.244 United States AWS
Kidssecurity Parental Control api.kidsecurity.tech 167.99.251.182 Germany DigitalOcean

Also try to verify how the vendor reacts upon security vulnerabilities. In our case, some of the vendors started working on a fix as soon as they were contacted by us, some did not even answer properly until today. We always add information about the communication in the timeline of our security advisories. This might help you to determine if they seem to have mature vulnerability handling processes (such as described in ISO/IEC 30111:2019) or (ideally) an information security management system (ISMS) in place.

We also recommend looking at parental control features native to the operating system (OS), like Google's Family Link for Android or Apple's Family Sharing for iOS. These are tightly integrated into the operating system and do not allow simple bypasses via safe mode like described above. From our short look at Google's Family link, it seems that a lot of thorough thought went into designing these features, especially regarding children's consent and the right to privacy.

However, we did not perform a detailed analysis of these native OS features during this research, but it is on our to-do list for the future. 

Most importantly, parents should always inform their children about the use of any software on their devices and explain why those tools are implemented and which surveillance features are being used by the parents.

Conclusion

Child safety apps may not be that safe after all. Children may consent to their parents having a look at their activities on their smartphones, but their privacy remains at risk as long as it is uncertain how software vendors store the data or who else might gain access at a later date. Security vulnerabilities raise even more privacy concerns. Eventually, creative children might even be able to bypass the restrictions and escape the surveillance nanny by themselves.

It's crucial not only for parents to feel safe about their children's smartphone usage, but also for children to feel comfortable with their parents' safety measures.
Bernhard Gründling, researcher

Christmas is right around the corner and many children are likely to receive mobile phones or tablets as a gift. Therefore, it is important for parents to carefully consider their choice of the parental control app from a security, privacy or legal point of view and have a conversation with their child about its use.

Timeline

This research project has been conducted by Fabian Densborn and Bernhard Gründling from August to November 2022. The vendors of certain apps have been contacted through our responsible disclosure process and informed about the identified vulnerabilities. Some have already started to work on a patch. After the responsible disclosure phase is completed and the vulnerabilities have been fixed, SEC Consult will publish the respective security advisories with more technical details.

 

This research has been conducted by Fabian Densborn and Bernhard Gründling and published on behalf of the SEC Consult Vulnerability Lab.
SEC Consult is always searching for talented security professionals to work in our team. More information can be found at: https://www.sec-consult.com/career