The study finds thousands of apps targeted to children were sending data to advertisers, some including Global Positioning System location.
"Each of the 5,855 apps under review was installed more than 750,000 times, on average, according to the study, which was called "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale.'" Some of the apps in question included Disney's "Where's My Water?", Gameloft's "Minion Rush" and Duolingo, a language learning app.
"One particularly egregious example is app developer TinyLab". Additionally, 1,100 apps shared persistent identifying info with third parties for restricted purposes, while 2,281 of them seemed to violate Google terms of service forbidding apps from sharing those identifiers to the same destination as the Android Advertising ID. Furthermore, the users are asked to enter the player's age, and the app does not collect any data if it is under 13. After testing 1.8 million apps, he found nearly 20,000 featured built-in passwords and keys, and even when a separate password store was used, user data was still open to attack from simple password crackers.
"Based on our automated analysis of 5,855 of the most popular free children's apps, we found that a majority are potentially in violation of COPPA, mainly due to their use of third-party SDKs (software development kits)", the study said. While the Android apps tracking kids' online activity are unethical in their own way, the bigger problem might be with COPPA, which is not stringent enough to check on these possible violations.
As ZDNet notes, the fact that these apps were downloadable from the Google Play store made them more credible than they should have been, which is why they were downloaded as many times as they were before detection. Some of the apps named in the report include KidzInMind, TabTale's "Pop Girls-High School Band", and Fun Kid Racing.
This will help ensure that your children aren't heading anywhere they shouldn't be.
We contacted Google for comment but the search giant has yet to respond. "We also observed that 73% of the tested applications transmitted sensitive data over the internet", the study found.
Thousands of child-directed Android apps and games are potentially violating U.S. law on the collection and sharing of data on those under 13, research has revealed. However, the paper's co-author, Serge Egelman denied his claims and stated, "Even if his claims are true, they are irrelevant as the study was performed using machine algorithm by randomly pressing buttons". The security measure is the "standard method for securely transmitting information", the researchers said.