Researchers using an automated testing process have discovered that 3,337 family- and child-oriented Android apps on Google Play were possibly collecting kids’ data in an improper manner, potentially putting them in violation of the U.S. Children’s Online Privacy Protection Act (COPPA), according to a recently published study.
This new study comes out just days after Android smartphone manufacturers were criticized by security researchers for misleading users into thinking their devices have the latest security patches.
COPPA regulates how mobile apps, games, and websites are allowed to collect and process personal information from children under the age of 13, in an effort to protect minors from giving away their personal data before they fully understand the implications of it. The study shows, however, that actually enforcing the law can be tricky.
“Based on our automated analysis of 5,855 of the most popular free children’s apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs (software development kits),” the study said. “While many of these SDKs offer configuration options to respect COPPA by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs.”
According to the published report, the researchers’ test framework could monitor when data is first accessed and where it is sent. To conduct the study, researchers modified Android’s permission system to enable the real-time monitoring of apps’ access to protected resources (like location data, address book contacts, etc.) and instrumented all the functions in the Android platform that access these sensitive resources. The framework also included a modified version of Lumen, a network monitoring tool that captures all network traffic generated by the app being tested.
Of the 5,855 apps included in the study, 281 collected contact or location data without asking for a parent’s permission. Additionally, 1,100 apps shared persistent identifying info with third parties for restricted purposes, while 2,281 seemed to violate Google’s terms of service forbidding apps from sharing those identifiers to the same destination as the Android Advertising ID. About 40 percent of apps transmitted info without using “reasonable security measures,” and 92 percent of the 1,280 apps with Facebook tie-ins weren’t properly using the social network’s code flags to limit under-13 use.
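The identifier check described above can be sketched as follows. This is an added example, not code from the study: it scans a constructed flow log for destinations that receive the Android Advertising ID together with a persistent identifier from the same app. The device values, package names, hostnames, and the choice to also match MD5 and SHA-1 hex forms are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed device identifiers for a test run (not values from the study).
DEVICE = {
    "aaid": "38400000-8cf0-11bd-b23e-10b96e40000d",  # resettable advertising ID
    "android_id": "9774d56d682e549c",                # persistent
    "imei": "356938035643809",                       # persistent
}
PERSISTENT = {"android_id", "imei"}

def encodings(value):
    """Plain, MD5 and SHA-1 hex forms of an identifier (assumed encodings)."""
    raw = value.encode()
    return {value.lower(), hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()}

NEEDLES = {name: encodings(value) for name, value in DEVICE.items()}

def identifiers_in(text):
    """Names of device identifiers found in a request, in any known encoding."""
    haystack = text.lower()
    return {name for name, forms in NEEDLES.items() if any(f in haystack for f in forms)}

def bridged_destinations(flows):
    """Return {(app, host): identifiers} for hosts that received the AAID and
    at least one persistent identifier from the same app."""
    seen = defaultdict(set)
    for app, url, body in flows:
        seen[(app, urlsplit(url).hostname)] |= identifiers_in(url + "\n" + body)
    return {k: ids for k, ids in seen.items() if "aaid" in ids and ids & PERSISTENT}

# Constructed flow log: (app package, request URL, request body).
HASHED_ANDROID_ID = hashlib.sha1(DEVICE["android_id"].encode()).hexdigest()
FLOWS = [
    ("com.example.kidsgame", "https://ads.sdk.example/init?ifa=" + DEVICE["aaid"], ""),
    ("com.example.kidsgame", "https://ads.sdk.example/event", '{"did":"%s"}' % HASHED_ANDROID_ID),
    ("com.example.puzzle", "https://track.net.example/c?adid=" + DEVICE["aaid"].upper(), ""),
    ("com.example.puzzle", "https://stats.other.example/p", "imei=" + DEVICE["imei"]),
]

if __name__ == "__main__":
    for (app, host), ids in sorted(bridged_destinations(FLOWS).items()):
        print(f"{app} -> {host}: {sorted(ids)}")
```

Only the first app is flagged: the second sends the advertising ID and the IMEI to different hosts, so neither destination can join the two from this traffic alone.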
These findings show how protecting children online isn’t as simple as doing an age check or asking for parents’ permission (both can be overridden by a resourceful child), and that Google, third-party apps, and officials have a long way to go in effectively enforcing COPPA.