Cyber Crime and Privacy Risks in Free Mobile Apps for Kids - A TRUE CYBERSECURITY REPORT (Q1-2019) - Rubica
A TRUE CYBERSECURITY™ REPORT (Q1-2019)
Cyber Crime and Privacy Risks in Free Mobile Apps for Kids
INTRODUCTION

Why Kids are at Risk on Our Phones and Tablets

Traditionally, the cybersecurity industry has not taken into account kids’ usage of Internet-connected devices in the design of cybersecurity products. Products like identity theft protection and antivirus software do not address the unique vulnerabilities associated with kids’ increasing online presence. Kids’ naivete and susceptibility to influence make them a weak link for their families and a prime target for cybercriminals. When kids are downloading and playing games on their parent’s phone or tablet, this opens up another layer of risk for cyber threats.

Kids offer an enticing 2-in-1 target for cybercriminals

Cybercriminals are interested in the behavioral patterns and the browsing data of children themselves for the same reasons advertisers are (but for more corrupt uses). Furthermore, cybercriminals target children as an entry point into their parents’ data, devices, and accounts by infecting devices shared between family members.

On average, children are 10 years or older when they receive their first mobile device, but for the majority of them this is not the first device they’ve used. [1] In households with children, 70 percent of children under 12 years old have shared a tablet device with another family member. [2] Although more than 50 percent of parents use some sort of parental controls for their kid’s online activity, 77 percent of children in households with tablets have downloaded games to play. [3] [4] These games can be an entry point for cybercriminals to access the data and devices of both children and their parents, and that is exactly what our study focused on.

This white paper outlines our opinion of the safety of these popular kids apps based on our analysis of the prompts, permissions, and behavior within them.
This White Paper:

- Ranks the 20 most popular free kids’ apps from “unsafe” to “safe”
- Exposes distinctive cybersecurity and privacy threats associated with some of the most popular free mobile apps for kids
- Provides easy-to-understand guidelines that parents, guardians, and educators can use when screening mobile apps for suitability
- Recommends a personal cybersecurity solution to safeguard kids’ and adults’ privacy
Why Free Apps for Kids are a Cyber Crime Risk

Free apps almost always contain advertisements and in-app purchase or upgrade options. An adult consumer expects to be advertised to when using an otherwise free service. Using advertising or in-app purchasing as a revenue method is a socially accepted practice.

The problem with free apps targeting children is that studies have proven that children are often unaware that what they are watching or interacting with is an advertisement. [5] Additionally, app stores do not contain safety ratings that factor in advertising practices or guidelines for parents, guardians or educators.

More concerning in a game or app made for young children is the prevalence of deceptive and inappropriate tactics. It is not uncommon for kids’ apps to contain aggressive prompts to download other apps that may be age inappropriate or unlock gates for cybercriminals to access everything from emails to banking apps. Free apps will use deceptive tactics such as offering a “prize” or enticement like “click here for a free life” to prompt the child to click and unknowingly allow the app to take an action. Often this action gives the app additional permissions on the device, or authorizes the download of another program, which can secretly gain access to information on the device and the child’s or parent’s sensitive information.

“There’s a whole world out there that parents need to be aware of.”
— CEO AND CO-FOUNDER OF RUBICA™, FRANCES DEWING

In Rubica’s study of the 20 most popular free kids’ apps on the iTunes and Google Play Store, we observed many of these deceptive practices. We also saw evidence of privacy invasion, and even indicators of potential malware (software that cybercriminals use to access your device or steal your information).
App Characteristics that Signal Privacy Risks in Free Mobile Apps for Kids

The majority of free games have ads. Many free mobile apps require the child to watch ads in order to continue playing, access certain content or to gain other incentives (free life, special power, extra coins, etc.). Advertising ranges from ad “banners” along the top or bottom of the screen to center-of-the-screen pop-ups. Some use enticements like “Get a free life!” “Double your coins!” or “Collect your free prize!” and images or buttons that move or flash to attract attention.

Common App Characteristics that Signal Privacy Risks in Free Mobile Apps for Kids:

- Ability to download secondary apps and files without notifying you
- Ability to retrieve a list of all the apps on your device and position prompts over the top of them
- Access to contacts, phone calls, or email
- Access to sensitive device logs, browsing and app history
- Access to precise GPS location, microphone or camera, where these permissions served no legitimate function for the game

Keep in mind that these dangers typically aren’t in the original app you download for your child (the iTunes and Google Play Stores screen for that). They turn up in secondary apps advertised by the first app.
Rubica’s Approach to Assessing Apps for Kids

Rubica protects individuals and families using the first enterprise tools and government-grade intelligence methods translated into a mainstream cybersecurity platform that finds threats before they affect you. Through Rubica’s proprietary next-generation algorithms, human intelligence, and 24/7 monitoring, we protect individuals and families anywhere they use their Internet-connected devices.

As part of Rubica’s ongoing mission to detect, protect, and inform all people, we focused this major study on free mobile apps that expose kids and adults to permission, privacy, and security vulnerabilities. Rubica created a dedicated kids privacy team to review the most popular free kids’ games in the iTunes and Google Play Stores.

“Hackers look for the weakest, or most vulnerable link, which in this case are kids.”
— CEO AND CO-FOUNDER OF RUBICA, FRANCES DEWING

The Rubica team specifically examined games listed as appropriate for all ages (not games for teens). The Rubica team members played each game multiple times, on both Android and iOS devices, with parental controls on, and with them off. In addition to recording behavior by the app and ads during gameplay, the Rubica team also tracked the background details of the app (whether it was active when not in play, what permissions and data it had access to) and monitored for security threat indicators during the entire period of gameplay.
The Most Unsafe and Least Recommended Kids’ Apps

Unsafe apps contain excessive ads, aggressive prompts to download other apps or games, and invasive permissions in the secondary apps that gain access to contacts, camera, microphones, sensitive device logs, browsing history, and location. Avoid these apps and the secondary apps they insistently encourage your kids to download.

GAME / DANGER RATING / PRIVACY + ADVERTISING SAFETY RISKS

DANGEROUS UNSAFE (130)
UNSAFE (95)
UNSAFE (75)
UNSAFE (62)
NOT RECOMMENDED (45)

PRIVACY: Privacy concerns from invasive permissions in either the primary or secondary app
ADVERTISEMENTS: Excessive, deceptive or inappropriate advertising within the primary game

To find out more detail about why each app received its score, visit the Appendix.
Apps That Require Parental Supervision

This designation is due to the apps (or the secondary apps they prompt you to download) having the ability to view contacts, get access to the camera or microphone, display age inappropriate ads and send email on your behalf. If your goal is to enable kids to play apps alone, these are not recommended.

GAME / DANGER RATING / PRIVACY + ADVERTISING SAFETY RISKS

NOT RECOMMENDED (43)
NOT RECOMMENDED (43)
PARENT SUPERVISION (27)
PARENT SUPERVISION (16)
PARENT SUPERVISION (15)
PARENT SUPERVISION (15)
PARENT SUPERVISION (15)

PRIVACY: Privacy concerns from invasive permissions in either the primary or secondary app
ADVERTISEMENTS: Excessive, deceptive or inappropriate advertising within the primary game

To find out more detail about why each app received its score, visit the Appendix.
The Safest Kids’ Apps

The safest apps for kids all have one thing in common: no privacy concerns. Most do not ask for permissions beyond what the app needs to function, and in-app purchases are clear to the user. None have advertising. These are the apps we recommend, and these are the apps we let our kids play.

GAME / DANGER RATING / PRIVACY + ADVERTISING SAFETY RISKS

SAFE (10)
SAFE (5)
SAFE (0)
SAFE (0)
SAFE (0)
SAFE (0)
SAFE (0)
SAFE (0)

PRIVACY: Privacy concerns from invasive permissions in either the primary or secondary app
ADVERTISEMENTS: Excessive, deceptive or inappropriate advertising within the primary game

To find out more detail about why each app received its score, visit the Appendix.
“Cybercrime is a huge business and it’s easy. Sadly, children represent the next digital weak-link attackers are only too happy to exploit. The kids’ free app safety index can help parents make good decisions about which apps are safe for their kids to play.”
— FORMER SCOTLAND YARD DETECTIVE, PRESIDENT AND CO-FOUNDER OF RUBICA, RODERICK JONES
How to Keep Children Safe While Playing Free Apps

These are the top 2 things you can do to keep your kids safe on free apps (and your data safe too):

01 Use parental controls

Although parental controls don’t block everything inappropriate, they do block some things. More importantly, by requiring a parent’s password, parental controls prevent kids from downloading any other apps without your knowledge during gameplay. However, to make this control effective, it’s important that you use a password that your child doesn’t know (i.e. not the same one as you use to unlock the device, or for your home Wi-Fi). Also make sure you are actually reviewing the app permissions prior to allowing the download.
02 Check app permissions

Before downloading an app, check the “developer notes” or “permissions” listed for that app in the Google Play Store. For iOS users, Apple requires developers to prompt for specific access and permission during the installation process (via pop-up prompts). Don’t hand the device back to your child until you install the app and open it to review all the permission prompts first. If the app prompts for a permission you are not comfortable granting, click “don’t allow” and check the device settings to make sure the app doesn’t have any inappropriate permissions.

Although there are harmless uses for permission requests (and some can help apps function in an optimal manner), liberal permissions can also be used to surreptitiously download malware. Use judgment and be cautious when allowing apps permission to your digital life, as well as your child’s digital life.

Ask yourself if it makes sense for the app to request this information in order to properly be played. If it doesn’t make sense, move on to a safer app on our list.
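The permission check described above, and the risk characteristics the report lists earlier, can be applied mechanically to an Android app's declared permissions. The following Python script is an added example, not part of Rubica's report or tooling; the mapping from the report's wording to Android permission names is an assumption, and it expects a manifest already decoded to text XML (the sample manifest is constructed).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping (not from the report): each risk characteristic the report
# lists, paired with Android permissions that grant that capability.
RISK_MAP = {
    "installs other apps": {P + "REQUEST_INSTALL_PACKAGES"},
    "lists the apps on the device": {
        P + "QUERY_ALL_PACKAGES", P + "GET_TASKS", P + "PACKAGE_USAGE_STATS"},
    "draws prompts over other apps": {P + "SYSTEM_ALERT_WINDOW"},
    "contacts, phone calls or email": {
        P + "READ_CONTACTS", P + "GET_ACCOUNTS", P + "READ_CALL_LOG",
        P + "CALL_PHONE", P + "READ_PHONE_STATE"},
    "device logs, browsing and app history": {
        P + "READ_LOGS",
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "precise GPS location": {P + "ACCESS_FINE_LOCATION"},
    "microphone or camera": {P + "RECORD_AUDIO", P + "CAMERA"},
}

# Constructed sample manifest (decoded text XML, not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructedgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <application android:label="Constructed Game"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    # A manifest from an unknown app is untrusted input; the stdlib parser
    # does not fetch external entities.
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        # Both element types request permissions from the user or system.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def audit(manifest_xml, justified=frozenset()):
    """Map each risk characteristic to the requested permissions matching it.

    `justified` holds permissions the reviewer accepts because the game has a
    visible feature that needs them (for example, camera for a photo feature).
    """
    requested = declared_permissions(manifest_xml) - set(justified)
    findings = {}
    for risk, perms in RISK_MAP.items():
        hits = sorted(requested & perms)
        if hits:
            findings[risk] = hits
    return findings


if __name__ == "__main__":
    for risk, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{risk}: {', '.join(perms)}")
```

An empty result means only that none of the mapped permissions is declared; it says nothing about the secondary apps the game advertises, which the report identifies as where these permissions usually turn up.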
About Rubica: Next-Generation Personal Cybersecurity Built Specifically to Protect Families

By adding Rubica True CyberSecurity protection on all devices, families can protect their devices, network, accounts, and most importantly their online identities. For the first and only time, enterprise tools and government-grade intelligence methods have been translated into a mainstream proactive tool that finds threats well before they affect you.

Rubica’s mission is to democratize cybersecurity and make available the enterprise tools and government-grade intelligence methods it uses to protect heads of state, billionaires, and celebrities across the globe. Now everyone can be protected and control their digital lives.

Now Rubica is:

- Available in an easy-to-use, proactive cybersecurity platform compatible with iOS, Mac, Windows, and Android
- Downloadable to any laptop, computer, tablet, or device
- Supported by U.S.-based customer service and cybersecurity experts

Rubica’s three-pronged platform proactively detects and stops threats by using advanced technology, algorithms, and senior cybersecurity experts to analyze big data patterns round the clock and stop digital anomalies and exploits before they occur.

This means people may now be protected from sophisticated threats like:

- Malicious pop-ups and downloads
- Malware and device infection
- Privacy threats
- Phishing
- Identity theft
- And more

Rubica finds threats before they affect you. For more information on Rubica True CyberSecurity, visit www.rubica.com to learn more about our cutting-edge cybersecurity system that makes tomorrow’s digital protection tools available today.
Rubica Believes There’s a Better Way

In our modern digital world, cyber “street smarts” are a must-have for families. As more children use more Internet-connected devices, we must train them about the associated permissions, privacy, and dangers that lurk as they engage online.

Today, there are no standards in place that tell us if a site we visit or a free app we download is safe. Parents need a comprehensive and convenient solution to enable them to select safe apps and proactively monitor the cybersecurity of their own and children’s Internet-connected devices. That’s the genesis behind this paper and Rubica’s business.

As the popularity of free apps changes over time, Rubica has committed to analyzing free apps and publishing this report on a quarterly basis. Visit www.rubica.com/cyber-safety-for-kids to learn more about protecting your family online and sign up for our family cybersecurity newsletter. You’ll be the first to know when we publish our follow-on white paper about the indicators of malware and cybercrime activity within certain apps.
APPENDIX

Rubica Ranked the Top 20 Most Popular Kids’ Mobile Free Apps

- The top 20 apps are ranked from unsafe to safest for kids
- A score of 46 or above is considered unsafe
- A score of 30-45 is not recommended for kids
- A score of 15-29 is only recommended for kids with parent supervision
- Scores 14 and under are deemed safe

GAME + DANGER RATING + SCORE / WHY

DANGEROUS UNSAFE (130)
Downloading the app gives it the ability to download other files without notifying you, retrieve a list of all the apps on your device, and position prompts over the top of your other apps.
Excessive ads (every 1-2 minutes) aggressively prompt downloads of other games. These secondary games have invasive permissions like access to your contacts, sensitive device logs, browsing and app history, and capture precise GPS location.

UNSAFE (95)
Excessive advertising for other apps. The secondary apps have invasive permissions like the ability to read sensitive device data, browsing history, data about the other apps on your device, precise GPS location, and gain access to your camera and microphone.
Several sketchy secondary apps prompted from this game are under investigation.

UNSAFE (75)
The app has access to your microphone (always on), phone ID and call information.
Aggressive advertising, deceptive prompts, and enticements to download other apps which have additional invasive permissions.

UNSAFE (62)
Aggressive advertising and prompts to download other games with equal or more invasive permissions.
Access to sensitive device history, programs, and data on Android. iOS mitigates some of the privacy issues.

NOT RECOMMENDED (45)
Access to GPS location (without justified purpose).
Results in testing varied from almost no ads or concerning behavior to flash ads (appearing automatically) advertising teen and adult content games (ex: semi-sexual avatar role playing games, with access to make phone calls).

NOT RECOMMENDED (43)
Has access to device ID and call information.
Frequent advertising/prompts to download other programs. Some privacy concerns only apply to Android, not iOS, but both experience excessive prompts and redirects.

NOT RECOMMENDED (43)
Although made by the same developer, Frisbee Forever2 has less invasive permissions than Subway Surfers.
Fewer ads, though the amount and content of ads varied. One test session resulted in prompts for other games which gain access to “send email without owner’s knowledge,” create and edit “calendar events plus confidential information,” read home screen settings and access sensitive log data. Other testing showed no concerns, but given the egregiousness of one test session we cannot in good faith recommend this app.

PARENT SUPERVISION (27)
Ability for in-app purchase and pay-for-upgrades, but no pop-up ads.
Permission to record audio and see your contacts (there is an in-app chat feature), so parent supervision is recommended.

PARENT SUPERVISION (16)
Can access the list of all apps, device history and app history (which may include browsing history).
No aggressive pop-up ads or prompts, only a more passive option in the toolbar to watch ads for free upgrades.

PARENT SUPERVISION (16)
Ability for in-app purchase and pay-for-upgrades, but no pop-up ads.
Has access to camera, microphone, recording, as well as potentially sensitive device and app history.

PARENT SUPERVISION (15)
No excessive permissions.
Use of parental controls successfully blocked inappropriate content in this game. Without parental controls, advertising could contain adult content, like ads for gambling apps.

PARENT SUPERVISION (15)
Frequent ads and download prompts, some deceptive and hard to exit.
Access to read and modify files and storage on the device, but no excessive permissions.

SAFE (10)
Ability to buy capabilities and in-app purchases, but no ads.
Access to device ID and call information was the only reason for ranking this above 0.

SAFE (5)
No ads or prompts.
Camera access was the only reason for this ranking (legit purpose/need for this within game, and clear request for permission).

SAFE (0)
Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.

SAFE (0)
Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.

SAFE (0)
Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.

SAFE (0)
Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.

SAFE (0)
Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.

SAFE (0)
Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.

Scoring Protocol and Methodology

Rubica’s team ranked each app based on the following observed characteristics:

FREQUENCY AND AGGRESSIVENESS OF ADS
Ads appearing occasionally vs. every few minutes, or every time the player dies or completes a level

AGE INAPPROPRIATE CONTENT IN THE ADS
Gambling, sexual, dating, excessive violence

DECEPTIVE TACTICS IN ADS/PROMPTS
Offers rewards or enticements, difficult to exit from the ad, ads pop-up unexpectedly when about to click something else, hard to close, unexpected ad when doing something the app asks for, seems to be part of the game, etc.

PRIVACY CONCERNS
App has permission to device settings and information that is excessive, intrusive, or age inappropriate for a kid’s game

SECURITY CONCERNS
App installs unknown or suspicious programs without your knowledge; evidence of malware or data exfiltration; access to highly sensitive device controls or information and evidence of potential misuse of this access; other indicators of security compromise

SECONDARY APP CONCERNS
Advertised apps (prompted for download while playing the primary games) may have contained inappropriate content, privacy violations, or security concerns

POTENTIAL SECURITY THREATS: DEVICE TRAFFIC ANALYTICS
Rubica logged more than 5,000 potential indicators of compromise (cybersecurity threat indicators) in the device traffic and app behavior during the study
Methodology Used

First, Rubica wiped all devices to factory settings to ensure they were clean.

Second, Rubica created distinct profiles for each device and player and played the game as that profile. The profiles consisted of a mix of boys and girls (ages 9-12), iOS and Android devices, and devices with and without parental controls.

The assumption is that parental controls may help control or block inappropriate ad content, but the child is still able to download secondary apps as prompted. For devices with parental controls enabled, a password is required to download apps, but the team assumed the child has memorized the parent’s password or that parents often give permission to download apps without fully reviewing the app first.

Then, Rubica downloaded our protection software and enabled it on devices while in-use, specifically to collect network traffic event logs and threat indicators related to device activity during the study period.

- The test members played each game for 15-20 minutes on each device/profile.
- The members were instructed to click on everything, follow all prompts, allow all requests/prompts, provide any information requested by the app or download other apps if prompted.
- After playing a game, the members were told to not uninstall any apps or programs before playing the secondary game downloaded (run dirty).
- The team supervisor recorded detailed notes of the team’s observations, prompts, behavior, requests, timestamps, developer name and notes (if provided on app store), permission details (if provided in app store) and resulting app permissions on devices after game installation.

Finally, a score was assigned to each app, deeming it safe, unsafe, not recommended or only with supervision.
Caveats

Ads and upselling are expected with any free app, but some of these apps go beyond what’s reasonable or appropriate given that these apps are listed as for kids as young as 4-10 years old, or for “everyone” (any age).

Because apps use third-party ad-content providers, and we aren’t privy to their algorithms, each time a child plays the frequency, content, and nature of the ads could be different. There’s no guarantee that they will be prompted with the ads and apps that we were, and even in our testing there were some broad ranges in observation in a few of the apps. Our weighted scoring system takes this variance into account.

The biggest factor is the device type: iOS devices received fewer ads on average than Android devices and were safer from a privacy and app permissions standpoint. However, we observed very concerning behavior and indicators of privacy and security compromise on both iOS and Android.

Other Findings

Through the course of testing, we were prompted to (and did) download 61 other applications:

1. 100! Puzzle
2. Acorns
3. Badland Brawl
4. Billiard City (Mountain Game)
5. Booster Raiders (Halfbrick Studios)
6. BounceBang
7. BowMasters
8. Bricks and Balls (Cheetah Games)
9. Bubble Island 2 (Wooga)
10. Bunny Blast-Puzzle Game
11. Color Pump 3D
12. CSR Racing 2
13. Dancing Line
14. Era of Celestials (GTarcade)
15. Fair
16. Fastlane: Road Revenge (SpaceApe)
17. Final Fantasy XV
18. GardenScapes (Playrix Games)
19. Guns of Glory
20. Gymnastic Superstar
21. Happy Color
22. Happy Glass (Lion Studios)
23. Helix Jump
24. Huuge Casino - Slot Machines & Free Vegas Games
25. Idle Heros (DHGAMES)
26. JetPack Joyride (Halfbrick Studios)
27. Jetpack vs Colors (Crazy Labs)
28. Kick the Buddy
29. LEGO Life: safe social media for Kids
30. Love Balls (Lion Studios)
31. Magic Tiles 3
32. Merge Dragons! (Gram Games)
33. Merge Farm! (Gram Games)
34. Merge Plane-Click & Idle Tycoon
35. Monster Legends
36. Motocraft
37. My Café
38. Paper.io
39. Peel Remote
40. Piano Tiles 2 (Cheetah Games)
41. Popular Wars (Lion Studios)
42. Puzzle Game
43. Relaxing Bounce
44. Rise Up
45. Robinhood
46. Run Sausage Run (Crazy Labs by TabTale)
47. School of Dragons
48. Snake vs Colors (Crazy Labs)
49. Sudoku
50. Sweet Candy Story
51. Swing Star (Good job Games)
52. TikTok
53. Tile Hops
54. Township
55. US Army Shooter
56. Wish
57. Woody Puzzle
58. Word Cookies (BitMango)
59. WordScapes (PeopleFun Inc.)
60. WordStacks
61. World War Rising

References

[1] Influence Central. (2016). Kids & Tech: The Evolution of Today’s Digital Natives (Digital Report)
[2] Roger Fidler. (2015). RJI Mobile Media Research Project (RJI Reynolds Journalism Institute, University of Missouri)
[3] Asurion. (2018). Most Parents Use Technology to Help Keep an Eye on Their Children (Digital Report)
[4] Nielsen. (2012). American Families See Tablets as Playmate, Teacher, and Babysitter (Digital Report)
[5] Dr. Jenny Radesky. (2019). Advertising in Young Children’s Apps (Journal of Developmental & Behavioral Pediatrics: January 2019 - Volume 40 - Issue 1 - p 32–39).