A mom discovered, after using them, that popular daycare and childcare communication apps are "dangerously insecure," exposing children and parents to the risk of data breaches through lax security settings and permissive or outright misleading privacy policies.
Her findings are now part of research published by the Electronic Frontier Foundation (EFF). According to Alexis Hancock, EFF's director of engineering, popular apps like Brightwheel, HiMama, and Tadpoles lack two-factor authentication (2FA); she warned that if a malicious actor gets hold of a user's password, they could easily log in remotely. She added that the apps had privacy-compromising features such as data sharing with Facebook and other third parties, which the apps did not disclose in their privacy policies.
Some easy-to-fix vulnerabilities
Hancock said she studied the privacy and security settings of various daycare apps after enrolling her two-year-old daughter in daycare for the first time.
As reported by The Verge, she initially enjoyed using the app, as she regularly received updates on how her daughter was doing during the day. Eventually, however, she realized that the app lacked security controls that are common in most app services. The lack of security is concerning given the potentially sensitive nature of the information the app stores.
Hancock used tools like Apktool and mitmproxy to analyze the application code and inspect the network calls made by the childcare apps. To her surprise, she found that some of the errors were "easily fixable."
She noted trackers in a few apps, weak security policies, and weak password policies. Going through the applications, she found some "really just low hanging fruit" vulnerabilities that were easy to fix.
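The network-traffic side of that review, as an added illustration that is not part of the EFF research or of any vendor's code: given requests captured with a proxy such as mitmproxy, list every third-party host the app talks to and which sensitive fields each one received, so the result can be checked against what the privacy policy discloses. The first-party domain, the sensitive field names and the sample flows are constructed assumptions, and the records are reduced to plain (url, body) pairs so the script runs offline.

```python
"""Triage captured app traffic for undisclosed third-party data flows."""
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Field names a privacy review treats as sensitive once they leave the vendor.
SENSITIVE_KEYS = {"child_name", "dob", "email", "advertiser_id", "device_id", "lat", "lon"}

# Assumed first-party domains of the app under review (placeholder).
FIRST_PARTY = ["daycare-app.example"]

# Constructed sample flows: (request URL, request body or "").
SAMPLE_FLOWS = [
    ("https://api.daycare-app.example/v1/updates?child_id=42", ""),
    ("https://cdn.daycare-app.example/photos/1.jpg", ""),
    ("https://graph.facebook.com/v12.0/123/activities",
     json.dumps({"event": "app_launch", "advertiser_id": "0000-AAAA"})),
    ("https://analytics.tracker.example/collect?device_id=abc&child_name=Ada", ""),
]

def is_first_party(host, first_party_domains):
    """True if host is one of the vendor's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in first_party_domains)

def body_keys(body):
    """Top-level field names of a JSON or form-encoded request body."""
    if not body:
        return set()
    try:
        data = json.loads(body)
        return {str(k).lower() for k in data} if isinstance(data, dict) else set()
    except ValueError:
        return {k.lower() for k, _ in parse_qsl(body)}

def audit(flows, first_party_domains):
    """Map each third-party host contacted to the sorted sensitive fields it
    received. A host that got no sensitive field still appears (empty list):
    the contact itself is what a privacy policy has to disclose."""
    findings = defaultdict(set)
    for url, body in flows:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_first_party(host, first_party_domains):
            continue
        keys = {k.lower() for k, _ in parse_qsl(parts.query)} | body_keys(body)
        findings[host] |= keys & SENSITIVE_KEYS
    return {h: sorted(k) for h, k in findings.items()}

if __name__ == "__main__":
    for host, fields in audit(SAMPLE_FLOWS, FIRST_PARTY).items():
        print(f"{host}: {', '.join(fields) or 'no sensitive fields'}")
```

Comparing the resulting host list with the app's stated data-sharing partners is the check that surfaced the undisclosed Facebook sharing described above.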
Security concerns over baby monitor apps
It is not the first time concerns have been raised over serious flaws in applications supposedly meant to keep children safe. Researchers have raised concerns about security weaknesses in monitoring apps associated with baby monitor hardware. Hackers often exploit these weaknesses to send messages to children. A survey of 1,000 apps used by children found that more than two-thirds were sending personal information to the advertising industry.
Hancock hopes that reporting the privacy and security lapses could lead to better regulation of child-focused apps.
The findings made the mom more worried about her child's safety. She does not want her daughter to suffer a data breach before age five, so she is doing her best to prevent it.
Little steps forward
The report prompted the EFF to contact Brightwheel to address the issues. Brightwheel said it has already implemented 2FA, claiming to be "the first in the early education industry to add this extra layer of security."
Another daycare app, HiMama, reportedly said it had referred the feature request to its design team, but no additional security feature has been implemented since. Tadpoles has not commented on whether it intends to implement 2FA.