The study, which comes from researchers at the International Computer Science Institute in Berkeley, CA, analyzed 5,855 of the most popular free Android apps targeted at kids and families. The team obtained its results with an automated test that detects how data is handled in Android apps.
Shockingly, a total of 57 percent of the apps studied appeared to be in potential violation of the Children’s Online Privacy Protection Act (COPPA), a 1998 law that looks to safeguard the privacy of users under the age of 13.
Among the potential violations, 92 percent of the 1,280 apps that plug into Facebook’s API may be using it for activities prohibited by COPPA.
Further, 19 percent of children’s apps collect some kind of identifier “or other personally identifiable information” using software development kits (SDKs) whose terms of service say these programs shouldn’t be used in children’s apps.
And when it comes to collecting and sending user data, the study found that 2,344 of the 5,855 apps — that’s 40 percent of them — did not use Transport Layer Security (TLS) for every transmission containing “identifiers or other sensitive information.” Further, the amount of at-risk data is likely higher, as the study notes that it checked only whether TLS was present, not whether it was used correctly.
The study also discovered that 1,100 of these apps (that’s 18.8 percent) send data using a software development kit that is not meant to be used with kids’ apps, and whose terms of service forbid it. Popular examples include the language learning app Duolingo, the infinite running game Minion Rush and the Disney puzzle game Where’s My Water?.