Child Protection Apps Infringe on Privacy

Many parents use apps in order to protect the safety and privacy of their children. If they rely on cheap and fast options, however, these may have the opposite effect: Many so-called “sideloaded” or unofficial apps have disproportionate access to personal data but conceal their own presence. This raises concerns regarding their potential for unethical surveillance and domestic violence, a study by the University College London (UCL) and the St. Pölten UAS has shown.

Frequently used apps

Up to 80 percent of parents use apps in order to protect the safety and privacy of their children. These apps offer diverse functions: from the limitation of children’s screentime and the content that they can view to activity monitoring and location tracking.

A study has now compared “official” child protection apps available in the Google Play Store to “sideloaded” or “unofficial” apps of this kind that are available from other sources.

The study compared 20 sideloaded apps for child protection to 20 apps from the Google Play Store and examined them in terms of the following factors: compliance with data privacy guidelines, Android package kit files (which are used for disseminating and installing Android apps), behaviour, network traffic, and functions.

Concealed Spyware

The team found out that sideloaded apps tend to conceal their presence from phone users – a course of action that is forbidden for official store-bought apps. Moreover, the apps turned out to require an excessive number of authorisations – rules that determine what the app can access on the phone, including “risky” authorisations such as access to personal data including the person’s exact location at all times.

In addition, three sideloaded apps transmitted confidential data in unencoded form, half of the apps had no data privacy policy, and eight out of 20 apps were identified as potential stalkerware.

The Fine Line between Protection and Surveillance

Leonie Tanczer, lead author of the study from the UCL: “Child protection apps are a popular means of ensuring children’s safety both online and personally. As such, they can be useful tools for parents to manage the dangers that children are exposed to today. The results of our study, however, show that many sideloaded apps pose serious risks in terms of data protection, authorisation, and even safety. For example, if an app attempts to conceal its presence on the device, this is nothing other than stalkerware. And once you start removing security precautions that official app stores are required to have, you walk a fine line between legitimate use and unethical surveillance or, in extreme cases, domestic violence.”

Covert Screenshots and Interception of Calls

The researchers observed several alarming behaviours of sideloaded child protection apps that they believe are inappropriate for apps marketed as enhancing child safety. For instance, the apps entailed functions for intercepting messages from dating apps such as Tinder.

Many sideloaded apps also contained the possibility to make screenshots remotely, show call protocols, read messages, or even eavesdrop on telephone calls.

The researchers found that developers – due to a counter-reaction against apps marketed, for example, as allowing to expose unfaithful spouses – have now opted to market these apps as child protection tools instead.

Lack of Children’s Consent

Eva-Maria Maier, lead author of the study, who wrote the paper within the framework of her final thesis in the St. Pölten UAS’ study programme IT Security, says: “The main problem in connection with the many functions of these unofficial apps is consent. When parents have an open, transparent relationship with their child, they should not have to hide these apps on their child’s phone, or even access such a large amount of private information. This raises serious questions as to whether the children know how they are being monitored, and what consequences this has for their privacy and rights. Even if parents believe that they have their children’s best interest at heart, collecting so much private information harbours risks because mass data leaks do occur quite frequently.”

Data Leak of Surveillance App

Back in 2015, the developer of the app mSpy was hacked, and tens of thousands of customer datasets were leaked online, among them the personal data of children. In 2024, customer service documents of mSpy were leaked online again, revealing how customers were using the app, for example to spy on partners suspected of being unfaithful. mSpy is a sideloaded app and is currently being marketed as a surveillance software for parents.

Lukas Daniel Klausner, a researcher at the St. Pölten UAS’ Institute of IT Security Research, explains: “Children’s rights differ from country to country but in the European Union at least, children under 16 are not required to give their consent when a parent installs a child protection app on their device. And although adolescents above 16 would theoretically have to consent, it is often the parents who purchase and set up the devices. So, I assume that the adolescents’ consent is not always obtained. This situation also means that children frequently have no access to or autonomy concerning the data collected by the surveillance apps. These apps and many aspects of the online culture are relatively new – these are problems that parents did not struggle with a generation ago. I believe that there is an urgent need for public discussion regarding the availability of these apps and how they are used, and what an ethical approach could look like.”

Study on the topic

Eva-Maria Maier et al. “Surveillance Disguised as Protection: A Comparative Analysis of Sideloaded and In-Store Parental Control Apps”, Proceedings on Privacy-Enhancing Technologies.

• Link to the study