Researchers Find Korean Monitoring and Filtering Apps are putting Children at Risk
A new report released by the Citizen Lab at the Munk School of Global Affairs in collaboration with OpenNet Korea and Cure53 reveals that Korean child monitoring apps have serious privacy and security issues.
In April 2015, South Korea became the first country in the world to mandate that all phones registered to individuals under the age of 19 be equipped with monitoring and filtering apps that
block content deemed “harmful”. This legislation was created with the intent of protecting minors from harmful content, but security audits by researchers show these apps have serious vulnerabilities that actually put minors at risk.
The apps studied in this report were developed by the Korean Mobile Internet Business Association (MOIBA), an influential consortium of mobile telecommunications providers and phone manufacturers, and funded and promoted by South Korea’s telecommunications regulator, the Korean Communications Commission. In 2015, Citizen Lab and Cure53 conducted a security audit of Smart Sheriff, a child monitoring app produced by MOIBA, and found 26 security vulnerabilities that could be used to collect sensitive information from users, take control of user accounts, and disrupt service operations.
MOIBA eventually took Smart Sheriff off the market. However, MOIBA still provides child monitoring apps: Smart Dream and Cyber Security Zone. In this latest report, the researchers analyzed these apps and found concerning security flaws that show they were not developed with privacy or security in mind.
Cyber Security Zone allows parents to remotely block content and monitor and administer mobile applications used by their children. An analysis of Cyber Security Zone found that it is, in fact, a rebranded version of Smart Sheriff, using the same code, and including many of the security vulnerabilities revealed in the security audit published in 2015. The flaws in the apps open the door to possible breaches of sensitive information including passwords, phone numbers, and other user data.
“In all of our security audits, we reported the problems we found to MOIBA so they could fix the issues. Rebranding and releasing an app that is known to be insecure irresponsibly puts users at risk.” explains Masashi Crete-Nishihata, Citizen Lab Research Manager
Smart Dream allows parents to monitor their children’s messaging applications and online search history for indications of bullying and to understand their child’s concerns and worries. The researchers found significant security holes in Smart Dream that could permit unauthorized access to stored messages and search history. The researchers reported the vulnerabilities in Smart Dream to MOIBA, which released updates to the app that addressed the majority of issues identified.
Overall, the researchers are not confident that MOIBA has significantly changed their software development practices to emphasize security, which highlights issues with the mandatory use of child monitoring apps.
“Especially when an app is mandated by the government, it should be held to the highest security standards to keep the public safe,” explains Cure53 researcher Fabian Faessler who led analysis of the apps. “This, unfortunately, is not the case with these apps.”
The introduction of the mandate to install parental monitoring apps sparked debate between the government, who claimed the measure was to protect children from harmful content, and advocates, who saw the controls as an affront to privacy and personal freedoms. An online survey conducted by OpenNet Korea showed that a majority of parents thought the existing law should be abolished or significantly updated because the apps put children at risk.
The Korean government recently proposed a bill to the National Assembly that would allow parents to opt-out of installing a paternal monitoring device. OpenNet Korea sees this bill as a step in the right direction, as it gives parents the right to refuse to use child monitoring apps, but argue that more can be done.
Kelly Kim, General Counsel at OpenNet Korea explains, “The proposed bill gives parents the option to not use child monitoring apps which shows the government acknowledging its original position was wrong, but it’s not enough. The mandate is unconstitutional and should be abolished. Our institutions should be protecting children not putting them at greater risk.”