Khaleej Times

No child’s play: Over 3,300 Android apps violating kids’ privacy

- TOMÁŠ FOLTÝN, EXPERT VIEW. The author is a security writer at ESET. Views expressed are his own and do not reflect the newspaper’s policy.

More than 3,300 children-oriented Android apps on Google Play are possibly gathering kids’ data in an improper manner, which could put the apps in violation of US child privacy legislation, a recent paper has found.

The study, called “Won’t Somebody Think of the Children?” Examining Coppa Compliance at Scale, examined 5,855 of the most popular children-focused Android apps. It found that “roughly 57 per cent” of the apps, which works out to 3,337, are potentially violating the US’ Children’s Online Privacy Protection Act (Coppa).

The Coppa protects children under 13 from invasive collection of personally identifiable information. The law regulates how apps, games or websites are allowed to gather and process sensitive data from children. In so doing, it prohibits some data collection practices outright while requiring a parent’s consent for others.

The 5,855 apps tested were made by 1,889 developers and have racked up 4.5 billion installs between them. They are listed in 63 different Google Play categories, obviously most of them in various ‘games’ categories. So what exactly are the apps up to? The team of 7 researchers, hailing mainly from US and Canadian universities, used an automated testing process to detect how the apps handled data.

They found that the potential violations came in several forms. For example, 28 per cent of the apps accessed sensitive data protected by Android permissions. Perhaps most worryingly, nearly 5 per cent of all apps collected children’s geolocation or contact information, notably the device owner’s email address or phone number, without the permission of a parent.

Nearly three-fourths (73 per cent) transmitted sensitive data over the internet, but 40 per cent of them did not apply reasonable security measures, failing to use Transport Layer Security (TLS), the standard for securing data in transit.

The study also identified potential non-compliance in almost 19 per cent of the apps that collected so-called persistent identifiers (such as the device’s unique IMEI number or WiFi MAC address) with third parties for prohibited purposes, notably user profiling and ad targeting. According to the Coppa, these identifiers are considered personal information if they can be used to recognise a user over time and across different websites or online services.

In addition, 39 per cent of the apps transmitted Google’s advertising identifier, known as AAID, together with another (and immutable) identifier to the same destination, thus apparently acting in breach of the terms of service of Google Play’s Designed for Families programme.

The researchers pinned the bulk of the blame for the data slurping on the apps’ inclusion and use of third-party software development kits (SDKs). “While many of these SDKs offer configuration options to respect the Coppa by disabling tracking and behavioral advertising, our data suggest that a majority of apps either do not make use of these options or incorrectly propagate them across mediation SDKs,” reads the paper.

Bearing this in mind, the researchers surmise that “many privacy violations are unintentional and caused by misunderstandings of third-party SDKs.”

Over to Google

The researchers acknowledged Google’s steps to ensure compliance with the Coppa, but added that “there appears to not be any (or only limited) enforcement”. As a result, they urged the company to be more active in its vetting process.

Meanwhile, Tom’s Guide quoted a Google spokesperson as saying in response to the findings: “We’re taking the researchers’ report very seriously and looking into their findings. Protecting kids and families is a top priority, and our Designed for Families program requires developers to abide by specific requirements above and beyond our standard Google Play policies. If we determine that an app violates our policies, we will take action.”


Photo caption (AFP): Are you sure your kids are safe while they’re online?
