Last year, several parents at EFF enrolled kids into daycare and were instantly told to download an application for managing their children’s care. Daycare and preschool applications frequently include notifications of feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child—potentially useful features for overcoming separation anxiety of newly enrolled children and their anxious parents. Working at a privacy-oriented organization as we do, we asked questions: Do we have to use these? Are they secure? The answer to the former, unfortunately, was “yes,” partly so that the schools could abide by health guidelines to avoid unnecessary in-person contact. But troublingly, the answer to the second was a resounding “no.”
As is the case with so many of these services, there are a few apps that are more popular than others. While we started with the one we were being asked to use, this prompted us to look closer at the entire industry.
"The (Mostly) Cold Shoulder"
These days, offering two-factor authentication (2FA), where two different methods are used to verify a user’s login, is fairly standard. EFF has frequently asserted that it is one of the easiest ways to increase your security. Therefore, it seemed like a basic first step for daycare apps.
In October 2021, we tried to reach out to one of the most popular daycare services, Brightwheel, about the lack of two-factor authentication on their mobile app. We searched around on the site for an email to report security concerns and issues, but we could not find one.
A few cold emails and a little networking later, we got a meeting. The conversation was productive and we were glad to hear that Brightwheel was rolling out 2FA for all admins and parents. In fact, the company’s announcement claimed they were the “1st partner to offer this level of security” in the industry—an interesting but also potentially worrisome claim.
Was it true? Apparently so. This prompted us to do more outreach to other popular daycare apps. In April 2022, we reached out to the VP of Engineering at another popular app, HiMama (no response). Next we emailed HiMama’s support email about 2FA, and received a prompt but unpromising response that our feature request would be sent to the product team for support. So we dug in further.
Digging Further—And a History of Cold Shoulders
Looking at a number of popular daycare and early education apps, we quickly found more issues than just the lack of 2FA. Through static and dynamic analysis of several apps, we uncovered not just security issues but privacy-compromising features as well. Issues like weak password policies, Facebook tracking, cleartext traffic enabled, and vectors for malicious apps to view sensitive data.
As a note on investigative tools and methodology: we used MobSF and apktool for static analysis of application code and mitmproxy, Frida, and adb (Android Debug Bridge) for dynamic analysis to capture network traffic and app behavior.
Initially, we had inferred that many of these services would be unaware of their issues, and we planned to disclose any vulnerabilities to each company. However, we discovered that not only were we not alone in wondering about the security of these apps, but that we weren’t alone in receiving little to no response from the companies.
In March 2022, a group of academic & security researchers from the AWARE7 agency, Institute for Internet Security, Max Planck Institute for Security and Privacy, and Ruhr University Bochum presented a paper to the PET (Privacy Enhancing Technologies) Symposium in Sydney, Australia. They described the lack of response their own disclosures met:
“Precisely because children's data is at stake and the response in the disclosure process was little (6 out of 42 vendors (±14%) responded to our disclosure), we hope our work will draw attention to this sensitive issue. Daycare center managers, daycare providers, and parents cannot analyze such apps themselves, but they have to help decide which app to introduce."
In fact, the researchers made vulnerability disclosures to many of the same applications we were researching in November 2021. Despite the knowledge that children’s data was at stake, security controls still hadn’t been pushed to the top of the agenda in this industry. Privacy issues remained as well. For example, The Tadpoles Android app (v12.1.5) sends event-based app activity to Facebook's Graph API. As well as very extensive device information to Branch.io.
[Related: How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now]
A Note on Cloud Security
Another common trend in many daycare apps: relying on cloud services to convey their security posture. These apps often state they use “the cloud” to provide top-of-the-line security. HiMama, for example, writes in their Internet Safety statement that Amazon’s AWS “is suited to run sensitive government applications and is used by over 300 U.S. government agencies, as well as the Navy, Treasury and NASA.” This is technically true, but AWS has a particular offering (AWS GovCloud) that is isolated and configured to meet federal standards required for government servers and applications on those servers. In any case, regardless of whether an app uses standard or government level cloud offerings, a significant amount of configuration and application security is left up to the developers and the company. We wish HiMama and other similar apps would just highlight the specific security configurations they use on the cloud services they utilize.
Childcare Needs Conflict with Informed Choice
When a parent has an immediate need for childcare and a daycare near home or work opens up with one spot, they are less inclined to pick a fight over the applications the center chooses. And preschools and daycares aren’t forced to use a specific application. But they are effectively trusting a third party to act ethically and securely with a school’s worth of children’s data. Regulations like COPPA (Children’s Online Privacy Protection Act) likely don’t apply to these applications. Some service providers appear to reference COPPA indirectly with legal language that they do not collect data directly from children under 13 and we found a statement on one app committing to COPPA compliance.
Between vague language that could misguide parents about the reality of data security, fewer options for daycares (especially the first two years of the pandemic), leaky and insecure applications, and lack of account security control options, parents can’t possibly make a fully informed or sound privacy decision.
Call to Action for Daycare and Early Education Apps
It’s crucial that the companies that create these applications do not ignore common and easily-fixed security vulnerabilities. Giving parents and schools proper security controls and hardening application infrastructure should be the top priority for a set of apps handling children’s data, especially the very young children served by the daycare industry. We call on all of these services to prioritize the following basic protections and guidelines:
- 2FA available for all Admins and Staff.
- Address known security vulnerabilities in mobile applications.
- Disclose and list any trackers and analytics and how they are used.
- Use hardened cloud server images. Additionally, a process in place to continuously update out-of-date technology on those servers.
- Lock down any public cloud buckets hosting children’s videos and photos. These should not be publicly available and a child’s daycare and parents/guardians should be the only ones able to access and see such sensitive data.
Those fixes would create a significantly safer and more private environment for data on children too young to speak for themselves. But there is always more that can be done to create apps that create industry benchmarks for child privacy.
Strongly Encouraged Tasks:
E2EE (end-to-end encrypted) Messaging between School and Parents
Consider communication between schools and parents highly sensitive. There’s no need for the service itself to view communication being passed between schools and parents.
Create Security Channels for Reporting Vulnerabilities
Both EFF and the AWARE7 (et al.) researchers had issues finding proper channels when we uncovered problems with different applications. It would be great if they put up a simple security.txt file on their website for researchers to get in touch with the proper people, instead of hoping to get a response from company support emails.
At EFF, we are parents too. And the current landscape isn’t fair to parents. If we want a better digital future, it starts with being better stewards today and not enabling a precedent of data breaches that could lead to extensive profiling—or worse—of kids who have yet to take their first steps.