Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps usage, web browsing, calling, and texting). In order to offer this service, parental control apps require privileged access to system resources and access to sensitive data. This may significantly reduce the dangers associated with kids’ online activities, but it raises important privacy concerns. These concerns have so far been overlooked by organizations providing recommendations regarding the use of parental control applications to the public.

We conduct the first in-depth study of the Android parental control app’s ecosystem from privacy and regulatory point of view. We exhaustively study 46 apps from 43 developers which have a combined 20M installs in the Google Play Store. Using a combination of static and dynamic analysis we find that: these apps are on average more permissions-hungry than the top 150 apps in the Google Play Store, and tend to request more dangerous permissions with new releases; 11% of the apps transmit personal data in the clear; 34% of the apps gather and send personal information without appropriate consent; and 72% of the apps share data with third parties (including online advertising and analytics services) without mentioning their presence in their privacy policies.

In summary, parental control applications lack transparency and lack compliance with regulatory requirements. This holds even for those applications recommended by European and other national security centers.

About Álvaro Feal

Álvaro Feal received his Bachelor’s in Computer Engineering from Universidade da Coruña and his Master’s in Software and Systems from Universidad Politécnica de Madrid. He is now a PhD student working at IMDEA Networks Institute under Prof. Narseo Vallina-Rodriguez’s advice. He works in analyzing privacy threats in the mobile and web ecosystem using static and dynamic analysis techniques as well as network measurements. He has published in different venues such as ConPro, CPDP, IMC, PETS, S&P, and USENIX Security, receiving a Distinguished Paper Award in the latter.

This event will be conducted in English