Google Play is full of Android apps that track kids’ online activity, thus violating the U.S. privacy laws such as COPPA, claims a survey from a team of university researchers and computer scientists, according to Gizmodo. The latest finding could be another big revelation related to user privacy following Facebook’s Cambridge Analytica scandal.
The team, in its research paper, concluded that out of the 5,855 apps in the Play Store which claim to be designed for families, 28% “accessed sensitive data protected by Android permissions” and 73% of the Android apps “transmitted sensitive data over the internet.”
Although the survey noted that merely collecting the data does not amount to breaking any law under COPPA (Children’s Online Privacy Protection Act), federal law requires developers to limit tracking of the online activity of kids under the age of 13. Also, none of these Android apps obtained verifiable parental consent as required under the law, since the researchers’ automated tool was enough to activate them.
Further, the survey revealed that approximately 256 apps collected sensitive geolocation data, 107 shared the device owner’s email address and 10 shared phone numbers. About 1,100 apps shared persistent identifiers that could be used for behavioral advertising, something COPPA bars for kids. Then, there were 2,281 apps transmitting Android Advertising IDs, which Google directs developers and SDKs to use as the sole persistent method of ad tracking. So some apps were even in violation of Google’s privacy policy.
Though the study reveals an upsetting situation in the app market, unfortunately, no legal action can be initiated under the current terms of COPPA. While Android apps tracking kids’ online activity are unethical in their own way, the bigger problem might be with COPPA, which is not stringent enough to check these possible violations. Apps are taking advantage of the ambiguities in the law.
For instance, language app Duolingo, which is also in the list of violators, notes that since it is marketed at the general audience, it thus does not fall under COPPA. Duolingo sends information to third parties, but claims that those parties are merely using it for bug fixing and app crashes, notes SlashGear.
The reputation of Android apps has always been questioned when it comes to security. A recent analysis of free Android apps revealed that developers are leaving keys embedded in applications, in some cases because software development kits install them by default. Will Dormann, software vulnerability analyst at the CERT Coordination Center, told the BSides conference in San Francisco that he tested around 1.8 million Android apps, only to discover gaffes in operational security such as PGP keys, VPN codes and hardcoded admin passwords, which were readily available.
Suggesting that he only scanned free apps, Dormann said, “Paid apps have similar issues I’m sure but the problem is I’ve downloaded 1.8 million apps and even if they are only 99 cents apiece I’m not paying that much.”
Overall, Dormann found some 20,000 apps with built-in insecure keys, including popular software such as Samsung’s smart home app. The researcher suggested that leaving passwords in apps is lax behavior on the part of the developer, but some are better than others at muddying the practice.
App permissions have not been such a hot topic of discussion until now. After the Facebook fiasco, people have become cagey about apps that want them to reveal a little too much about themselves. During Mark Zuckerberg’s Congressional testimony last week, two representatives asked if Facebook might be using the microphones in smartphones to listen to conversations and use that information to target users with specific ads.
To this Zuckerberg replied that his company does not access the audio. However, he quickly said that they have access to the audio when people record video on their phone for Facebook. “I think that is pretty clear. But I just wanted to make sure I was exhaustive there,” Zuckerberg added.
It is obvious that mobile apps, irrespective of the platform, hog a substantial amount of data with every interaction by accessing the microphone, cameras, camera roll, location services, contacts, calendars, motion sensors, social media accounts and speech recognition. While some apps need certain information to provide their service (ride-hailing apps, for example, cannot work without location information), many apps just track data for the sake of doing so.
Ish Shabazz, an independent iOS developer, says that while there are legitimate and non-invasive ways to collect and use data, one who is nefarious could use the info in a lot of non-helpful ways, according to Wired.