Parental control apps: Smart kids could attack parents

Parental control apps are designed to protect children from Internet content that is not age-appropriate. But smart kids could easily bypass the restrictions completely or even attack their parents’ devices.

According to a blog post, security researchers from SEC Consult found several vulnerabilities in eight Android apps from Google's Play Store. These include Find My Kids (10 million installs) and Kids Place Parental Controls (5 million installs). Since the providers have not yet fixed all the vulnerabilities, the researchers are not yet publishing any further details on possible attacks.

To track down security problems, the researchers ran the MobSF pentesting framework against the apps, among other things. They also examined the devices via the Android Debug Bridge (ADB). By their own account, they installed the apps on a rooted Pixel 4a running Android 11 for the on-device analysis.

In their investigations, they encountered security issues on several fronts. For example, attackers could access unsecured backups via ADB and use them to read children’s personal data. Using a universal SSL pinning bypass script, the researchers were able to bypass the SSL pinning protection mechanism and hook into connections as a man-in-the-middle.
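A defender-side check for the backup finding above, as an added example that is not from SEC Consult or the original article: it audits a decoded AndroidManifest.xml for settings that leave app data reachable over ADB or permit cleartext traffic. The article does not name the root cause, so the link to `android:allowBackup` is an assumption, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifests (decoded XML, as apktool emits); not from any real app.
WEAK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parentalcontrol">
  <application android:label="Example" android:usesCleartextTraffic="true"/>
</manifest>"""

HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parentalcontrol">
  <application android:label="Example" android:allowBackup="false"
      android:debuggable="false" android:usesCleartextTraffic="false"/>
</manifest>"""


def flag(app, name, default):
    """Read a boolean android: attribute, applying the given default if absent."""
    return app.get(A + name, default).strip().lower() == "true"


def audit_manifest(xml_text):
    """Return a list of (finding_id, advice) tuples for one decoded manifest."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return [("no-application", "manifest has no <application> element")]
    findings = []
    # allowBackup defaults to true, so a missing attribute still permits backups.
    if flag(app, "allowBackup", "true"):
        if app.get(A + "fullBackupContent") is None:
            findings.append(("backup-unscoped", "set android:allowBackup=\"false\" "
                             "or exclude sensitive files via fullBackupContent"))
        else:
            findings.append(("backup-scoped", "review the fullBackupContent rules"))
    # A debuggable release build lets anyone with ADB access run as the app.
    if flag(app, "debuggable", "false"):
        findings.append(("debuggable", "ship release builds without debuggable"))
    # Only an explicit opt-in is flagged; the default depends on targetSdkVersion.
    if flag(app, "usesCleartextTraffic", "false"):
        findings.append(("cleartext-traffic", "disable cleartext HTTP"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_manifest(manifest))
```

The weak sample is flagged for backups even though it never mentions `allowBackup`, which is the case that is easiest to miss in review.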

Kids don’t have to be hackers to bypass browsing restrictions. The security researchers state that revoking the apps’ permissions causes the restrictions to fall away. Alternatively, children could boot their device in Safe Mode for unrestricted surfing.

With some apps, parents can configure settings via a web interface. Due to CSRF and XSS vulnerabilities, young people with some scripting experience could attack parents’ devices, for example to obtain the login data of the legal guardians.

The researchers state that they informed the developers about the vulnerabilities. Security patches are to follow at an unspecified time.

An analysis of the data transmission has shown that, in contrast to the network, the transmission to the app providers’ servers is unencrypted, the researchers explain. This means that the providers could read the personal data in plain text.

