We tested apps for children. Half failed to protect their data.

Coverage Type: 

[Commentary] More than 50 percent of Google Play apps targeted at children under 13—we examined more than 5,000 of the most popular (many of which have been downloaded millions of times)—appear to be failing to protect data. In fact, the apps we examined appear to regularly send potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third-party advertisers. Over 90 percent of these cases involve apps transmitting identifiers that cannot be changed or deleted, like hardware serial numbers—thereby enabling long-term tracking.

We suspect that most of the developers whose apps fail to protect data do not have nefarious intent, but rather fail to configure their software properly or neglect to scrutinize practices of the third-party advertisers they rely upon to generate revenue. When building an app, developers import ready-to-use code from many different third-parties, including advertising companies. While this code “reuse” results in time savings and fewer errors, app developers likely do not realize that they are liable for all code included in their apps, regardless of whether or not they were the ones who wrote it.

[Serge Egelman is research director of the Usable Security & Privacy group at the International Computer Science Institute and an affiliated researcher at the University of California, Berkeley Center for Long-Term Cybersecurity]


We tested apps for children. Half failed to protect their data.