Cyber Crime and Privacy Risks in Free Mobile Apps for Kids
A TRUE CYBERSECURITY™ REPORT (Q1-2019)
INTRODUCTION
Why Kids are at Risk on Our Phones and Tablets
Traditionally, the cybersecurity industry has not taken into account kids’ usage of Internet-connected
devices in the design of cybersecurity products. Products like identity theft protection and antivirus
software do not address the unique vulnerabilities associated with kids’ increasing online presence.
Kids’ naivete and susceptibility to influence make them a weak link for their families and a prime target
for cybercriminals. When kids are downloading and playing games on their parent’s phone or tablet,
this opens up another layer of risk for cyber threats.
Kids offer an enticing 2-in-1 target for cybercriminals
Cybercriminals are interested in the behavioral patterns and the browsing data of children themselves
for the same reasons advertisers are (but for more corrupt uses). Furthermore, cybercriminals target
children as an entry point into their parents’ data, devices, and accounts by infecting devices shared
between family members.
On average, children are 10 years or older when they receive their first mobile device, but for the
majority of them this is not the first device they’ve used.[1] In households with children, 70 percent
of children under 12 years old have shared a tablet device with another family member.[2] Although
more than 50 percent of parents use some sort of parental controls for their kid’s online activity, 77
percent of children in households with tablets have downloaded games to play.[3][4] These games can be
an entry point for cybercriminals to access the data and devices of both children and their parents,
and that is exactly what our study focused on. This white paper outlines our opinion of the safety of
these popular kids apps based on our analysis of the prompts, permissions, and behavior within them.
This White Paper:
Ranks the 20 most popular free kids’ apps from “unsafe” to “safe”
Exposes distinctive cybersecurity and privacy threats associated with some of the most popular free mobile apps for kids
Provides easy-to-understand guidelines that parents, guardians, and educators can use when screening mobile apps for suitability
Recommends a personal cybersecurity solution to safeguard kids’ and adults’ privacy
Why Free Apps for Kids are a Cyber Crime Risk
Free apps almost always contain advertisements and in-app purchase or upgrade options. An adult
consumer expects to be advertised to when using an otherwise free service. Using advertising or in-app
purchasing as a revenue method is a socially accepted practice.
The problem with free apps targeting children is that studies have proven that children are often unaware
that what they are watching or interacting with is an advertisement.[5] Additionally, app stores do not
contain safety ratings that factor in advertising practices or guidelines for parents, guardians or educators.
More concerning in a game or app made for young children is the prevalence of deceptive and
inappropriate tactics. It is not uncommon for kids’ apps to contain aggressive prompts to download other
apps that may be age inappropriate or unlock gates for cybercriminals to access everything from emails
to banking apps. Free apps will use deceptive tactics such as offering a “prize” or enticement like “click
here for a free life” to prompt the child to click and unknowingly allow the app to take an action. Often
this action gives the app additional permissions on the device, or authorizes the download of another
program, which can secretly gain access to information on the device and the child’s or parent’s sensitive
information.
In Rubica’s study of the 20 most popular free kids’ apps on the iTunes and Google Play Store, we observed
many of these deceptive practices. We also saw evidence of privacy invasion, and even indicators of
potential malware (software that cybercriminals use to access your device or steal your information).
“There’s a whole world out there that parents need to be aware of.” — CEO AND CO-FOUNDER OF RUBICA™, FRANCES DEWING
The majority of free games have ads. Many free
mobile apps require the child to watch ads in order
to continue playing, access certain content or to
gain other incentives (free life, special power, extra
coins, etc.).
Advertising ranges from ad “banners” along the
top or bottom of the screen to center-of-the-
screen pop-ups. Some use enticements like “Get a
free life!” “Double your coins!” or “Collect your free
prize!” and images or buttons that move or flash to
attract attention.
Keep in mind that these dangers typically aren’t in the
original app you download for your child (the iTunes
and Google Play Stores screen for that). They turn up
in secondary apps advertised by the first app.
Common App Characteristics that Signal Privacy Risks in Free Mobile Apps for Kids:
Ability to download secondary apps and files without notifying you
Ability to retrieve a list of all the apps on your device and position prompts over the top of them
Access to contacts, phone calls, or email
Access to sensitive device logs, browsing and app history
Access to precise GPS location, microphone or camera, where these permissions served no legitimate function for the game
Rubica’s Approach to Assessing Apps for Kids
As part of Rubica’s ongoing mission to detect, protect,
and inform all people, we focused this major study
on free mobile apps that expose kids and adults to
permission, privacy, and security vulnerabilities. Rubica
created a dedicated kids privacy team to review the
most popular free kids’ games in the iTunes and Google
Play Stores.
Rubica protects individuals and families using the first enterprise tools and government-grade
intelligence methods translated into a mainstream cybersecurity platform that finds threats
before they affect you. Through Rubica’s proprietary next-generation algorithms, human
intelligence, and 24/7 monitoring, we protect individuals and families anywhere they use their
Internet-connected devices.
The Rubica team specifically examined games listed
as appropriate for all ages (not games for teens). The
Rubica team members played each game multiple times,
on both Android and iOS devices, with parental controls
on, and with them off. In addition to recording behavior
by the app and ads during gameplay, the Rubica team
also tracked the background details of the app (whether
it was active when not in play, what permissions and
data it had access to) and monitored for security threat
indicators during the entire period of gameplay.
“Hackers look for the weakest, or most vulnerable link, which in this case are kids.” — CEO AND CO-FOUNDER OF RUBICA, FRANCES DEWING
The Most Unsafe and Least Recommended Kids’ Apps
Unsafe apps contain excessive ads, aggressive prompts to download other apps or games, and
invasive permissions in the secondary apps that gain access to contacts, camera, microphones,
sensitive device logs, browsing history, and location. Avoid these apps and the secondary apps
they insistently encourage your kids to download.
[Chart columns: GAME, DANGER RATING, PRIVACY + ADVERTISING SAFETY RISKS. Game names and risk icons are not recoverable. Ratings shown: 130 UNSAFE, 95 UNSAFE, 75 UNSAFE, 62 UNSAFE, 45 NOT RECOMMENDED. Scale label: DANGEROUS.]
PRIVACY: Privacy concerns from invasive permissions in either the primary or secondary app
ADVERTISEMENTS: Excessive, deceptive or inappropriate advertising within the primary game
To find out more detail about why each app received its score, visit the Appendix.
Apps That Require Parental Supervision
This designation is due to the apps (or the secondary apps they prompt you to download)
having the ability to view contacts, get access to the camera or microphone, display age
inappropriate ads and send email on your behalf. If your goal is to enable kids to play apps
alone, these are not recommended.
[Chart columns: GAME, DANGER RATING, PRIVACY + ADVERTISING SAFETY RISKS. Game names and risk icons are not recoverable. Ratings shown: 43 NOT RECOMMENDED, 43 NOT RECOMMENDED, 27 PARENT SUPERVISION, 16 PARENT SUPERVISION, 15 PARENT SUPERVISION, 15 PARENT SUPERVISION, 15 PARENT SUPERVISION.]
The Safest Kids’ Apps
The safest apps for kids all have one thing in common: no privacy concerns. Most do not ask for
permissions beyond what the app needs to function, and in-app purchases are clear to the user. None
have advertising. These are the apps we recommend, and these are the apps we let our kids play.
[Chart columns: GAME, DANGER RATING, PRIVACY + ADVERTISING SAFETY RISKS. Game names and risk icons are not recoverable. Ratings shown: 10 SAFE, 5 SAFE, and 0 SAFE for the remaining apps. Scale label: SAFE.]
“Cybercrime is a huge business and it’s easy. Sadly, children represent the next digital weak-link attackers are only too happy to exploit. The kids’ free app safety index can help parents make good decisions about which apps are safe for their kids to play.”
— FORMER SCOTLAND YARD DETECTIVE, PRESIDENT AND CO-FOUNDER OF RUBICA, RODERICK JONES
How to Keep Children Safe While Playing Free Apps
These are the top 2 things you can do to keep your kids safe on free apps (and your data safe too):
Use parental controls
Although parental controls don’t block everything inappropriate, they do block some
things. More importantly, by requiring a parent’s password, parental controls prevent kids
from downloading any other apps without your knowledge during gameplay. However, to
make this control effective, it’s important that you use a password that your child doesn’t
know (i.e. not the same one as you use to unlock the device, or for your home Wi-Fi). Also
make sure you are actually reviewing the app permissions prior to allowing the download.
Check app permissions
Before downloading an app, check the “developer notes” or “permissions” listed
for that app in the Google Play Store. For iOS users, Apple requires developers to
prompt for specific access and permission during the installation process (via pop-up
prompts). Don’t hand the device back to your child until you install the app and open
it to review all the permission prompts first. If the app prompts for a permission you
are not comfortable granting, click “don’t allow” and check the device settings to make
sure the app doesn’t have any inappropriate permissions.
Although there are harmless uses for permission requests (and some can help apps
function in an optimal manner), liberal permissions can also be used to surreptitiously
download malware. Use judgment and be cautious when allowing apps permission to
your digital life, as well as your child’s digital life.
Ask yourself if it makes sense for the app to request this information in order to properly be played.
If it doesn’t make sense, move on to a safer app on our list.
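One way to apply the permission check above to an Android app, as an added example that is not part of Rubica's report or tooling: it reads the permissions declared in a decoded AndroidManifest.xml and groups them under the risk characteristics this paper lists. The manifest is constructed sample data, and the permission-to-category mapping and the `justified` argument are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the report) of Android permission names onto the
# risk characteristics listed in the paper.
RISK_CATEGORIES = {
    "downloads secondary apps or files": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
    },
    "lists installed apps or draws over them": {
        "android.permission.QUERY_ALL_PACKAGES",
        "android.permission.GET_TASKS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
    "contacts, phone calls, or email": {
        "android.permission.READ_CONTACTS",
        "android.permission.GET_ACCOUNTS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_PHONE_STATE",
        "android.permission.CALL_PHONE",
    },
    "device logs, browsing and app history": {
        "android.permission.READ_LOGS",
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    },
    "precise location, microphone or camera": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
    },
}

# Constructed sample manifest for a hypothetical game (not a real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kidsgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Sample Kids Game"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names


def audit_manifest(manifest_xml, justified=frozenset()):
    """Group risky permissions by category, skipping ones the reviewer
    has decided serve a legitimate function in the game."""
    requested = requested_permissions(manifest_xml)
    findings = {}
    for category, permissions in RISK_CATEGORIES.items():
        hits = sorted((requested & permissions) - set(justified))
        if hits:
            findings[category] = hits
    return findings


if __name__ == "__main__":
    # The reviewer accepts camera access (for example, an in-game photo feature).
    report = audit_manifest(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    for category, hits in report.items():
        print(f"{category}: {', '.join(hits)}")
```

An empty result means none of the mapped permissions were requested; it says nothing about secondary apps the game may later advertise, which need the same review.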
About Rubica: Next-Generation Personal Cybersecurity Built Specifically to Protect Families
By adding Rubica True CyberSecurity protection on all devices, families can protect their devices,
network, accounts, and most importantly their online identities. Rubica provides the first and only
time that enterprise tools and government-grade intelligence methods have been translated into
a mainstream proactive tool that finds threats way before they affect you.
Rubica’s mission is to democratize cybersecurity and make available the enterprise tools and
government-grade intelligence methods it uses to protect heads of state, billionaires, and celebrities
across the globe. Now everyone can be protected and control their digital lives.
Rubica’s three-pronged platform proactively detects and stops threats by using advanced technology,
algorithms, and senior cybersecurity experts to analyze big data patterns round the clock and stop
digital anomalies and exploits before they occur.
Now Rubica is:
Available in an easy-to-use, proactive cybersecurity platform compatible with iOS, Mac, Windows, and Android
Downloadable to any laptop, computer, tablet, or device
Supported by U.S.-based customer service and cybersecurity experts
This means people may now be protected from sophisticated threats like:
Malicious pop-ups and downloads
Malware and device infection
Privacy threats
Phishing
Identity theft
And more
For more information on Rubica True CyberSecurity, visit www.rubica.com to
learn more about our cutting-edge cybersecurity system that makes tomorrow’s
digital protection tools available today.
Rubica finds threats before they affect you.
In our modern digital world, cyber “street smarts”
are a must-have for families. As more children use
more Internet-connected devices, we must train
them about the associated permissions, privacy, and
dangers that lurk as they engage online.
Today, there are no standards in place that tell us
if a site we visit or a free app we download is safe.
Parents need a comprehensive and convenient
solution to enable them to select safe apps and
proactively monitor the cybersecurity of their own
and children’s Internet-connected devices. That’s
the genesis behind this paper and Rubica’s business.
Rubica Believes There’s a Better Way
As the popularity of free apps changes over time, Rubica has committed to analyzing free apps and publishing this report on a quarterly basis.
Visit www.rubica.com/cyber-safety-for-kids to learn
more about protecting your family online and sign
up for our family cybersecurity newsletter. You’ll
be the first to know when we publish our follow-on
white paper about the indicators of malware and
cybercrime activity within certain apps.
APPENDIX
Rubica Ranked the Top 20 Most Popular Kids’ Mobile Free Apps
The top 20 apps are ranked from unsafe to safest for kids
A score of 46 or above is considered unsafe
A score of 30-45 is not recommended for kids
A score of 15-29 is only recommended for kids with parent supervision
Scores 14 and under are deemed safe
GAME + DANGER RATING + SCORE, followed by WHY (game names are not recoverable; scale label: DANGEROUS)
130 UNSAFE: Downloading the app gives it the ability to download other files without notifying you, retrieve a list of all the apps on your device, and position prompts over the top of your other apps. Excessive ads (every 1-2 minutes) aggressively prompt downloads of other games. These secondary games have invasive permissions like access to your contacts, sensitive device logs, browsing and app history, and capture precise GPS location.
95 UNSAFE: Excessive advertising for other apps. The secondary apps have invasive permissions like the ability to read sensitive device data, browsing history, data about the other apps on your device, precise GPS location, and gain access to your camera and microphone. Several sketchy secondary apps prompted from this game are under investigation.
75 UNSAFE: The app has access to your microphone (always on), phone ID and call information. Aggressive advertising, deceptive prompts, and enticements to download other apps which have additional invasive permissions.
62 UNSAFE: Aggressive advertising and prompts to download other games with equal or more invasive permissions. Access to sensitive device history, programs, and data on Android. iOS mitigates some of the privacy issues.
45 NOT RECOMMENDED: Access to GPS location (without justified purpose). Results in testing varied from almost no ads or concerning behavior to flash ads (appearing automatically) advertising teen and adult content games (ex: semi-sexual avatar role playing games, with access to make phone calls).
43 NOT RECOMMENDED: Has access to device ID and call information. Frequent advertising/prompts to download other programs. Some privacy concerns only apply to Android, not iOS, but both experience excessive prompts and redirects.
43 NOT RECOMMENDED: Although made by the same developer, Frisbee Forever2 has less invasive permissions than Subway Surfers. Fewer ads, though the amount and content of ads varied. One test session resulted in prompts for other games which gain access to “send email without owner’s knowledge,” create and edit “calendar events plus confidential information,” read home screen settings and access sensitive log data. Other testing showed no concerns, but given the egregiousness of one test session we cannot in good faith recommend this app.
27 PARENT SUPERVISION: Ability for in-app purchase and pay-for-upgrades, but no pop-up ads. Permission to record audio and see your contacts (there is an in-app chat feature), so parent supervision is recommended.
16 PARENT SUPERVISION: Can access the list of all apps, device history and app history (which may include browsing history). No aggressive pop-up ads or prompts, only a more passive option in the toolbar to watch ads for free upgrades.
16 PARENT SUPERVISION: Ability for in-app purchase and pay-for-upgrades, but no pop-up ads. Has access to camera, microphone, recording, as well as potentially sensitive device and app history.
15 PARENT SUPERVISION: No excessive permissions. Use of parental controls successfully blocked inappropriate content in this game. Without parental controls, advertising could contain adult content, like ads for gambling apps.
15 PARENT SUPERVISION: Frequent ads and download prompts, some deceptive and hard to exit. Access to read and modify files and storage on the device, but no excessive permissions. [...] content, like ads for gambling apps.
10 SAFE: Ability to buy capabilities and in-app purchases, but no ads. Access to device ID and call information was the only reason for ranking this above 0.
0 SAFE: Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.
0 SAFE: Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.
0 SAFE: Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.
5 SAFE: No ads or prompts. Camera access was the only reason for this ranking (legit purpose/need for this within game, and clear request for permission).
0 SAFE: Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.
0 SAFE: Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.
0 SAFE: Ability to buy capabilities and in-app purchases, but no ads. No privacy concerns.
Scoring Protocol and Methodology
Rubica’s team ranked each app based on the following observed characteristics:
FREQUENCY AND AGGRESSIVENESS OF ADS: Ads appearing occasionally vs. every few minutes, or every time the player dies or completes a level
SECURITY CONCERNS: App installs unknown or suspicious programs without your knowledge; evidence of malware or data exfiltration; access to highly sensitive device controls or information and evidence of potential misuse of this access; other indicators of security compromise
SECONDARY APP CONCERNS: Advertised apps (prompted for download while playing the primary games) may have contained inappropriate content, privacy violations, or security concerns
POTENTIAL SECURITY THREATS: DEVICE TRAFFIC ANALYTICS: Rubica logged more than 5,000 potential indicators of compromise (cybersecurity threat indicators) in the device traffic and app behavior during the study
AGE INAPPROPRIATE CONTENT IN THE ADS: Gambling, sexual, dating, excessive violence
PRIVACY CONCERNS: App has permission to device settings and information that is excessive, intrusive, or age inappropriate for a kid’s game
DECEPTIVE TACTICS IN ADS/PROMPTS: Offers rewards or enticements, difficult to exit from the ad, ads pop-up unexpectedly when about to click something else, hard to close, unexpected ad when doing something the app asks for, seems to be part of the game, etc.
Methodology Used
First, Rubica wiped all devices to factory settings to ensure they were clean. Second, Rubica
created distinct profiles for each device and player and played the game as that profile. The
profiles consisted of a mix of boys and girls (ages 9-12), iOS and Android devices, and devices
with and without parental controls.
Then, Rubica downloaded our protection software and enabled it on devices while in-use,
specifically to collect network traffic event logs and threat indicators related to device activity
during the study period.
The test members played each game for 15-20
minutes on each device/profile.
The members were instructed to click on
everything, follow all prompts, allow all requests/
prompts, provide any information requested by the
app or download other apps if prompted.
After playing a game, the members were told to not
uninstall any apps or programs before playing the
secondary game downloaded (run dirty)
The team supervisor recorded detailed notes of the
team’s observations, prompts, behavior, requests,
timestamps, developer name and notes (if provided
on app store), permission details (if provided in app
store) and resulting app permissions on devices
after game installation.
Finally, a score was assigned to each app, deeming
it safe, unsafe, not recommended or only with
supervision.
For devices with parental controls enabled,
a password is required to download apps, but the
team assumed the child has memorized the parent’s
password or that parents often give permission to
download apps without fully reviewing the app first.
The assumption is that parental controls may help
control or block inappropriate ad content, but the
child is still able to download secondary apps as
prompted.
Caveats Other Findings
Ads and upselling are expected with any free app, but some
of these apps go beyond what’s reasonable or appropriate
given that these apps are listed as for kids as young as 4-10
years old, or for “everyone” (any age).
Because apps use third-party ad-content providers, and
we aren’t privy to their algorithms, each time a child plays
the frequency, content, and nature of the ads could be
different. There’s no guarantee that they will be prompted
with the ads and apps that we were, and even in our testing
there were some broad ranges in observation in a few of the
apps. Our weighted scoring system takes this variance into
account.
The biggest factor is the device type: iOS devices received
fewer ads on average than Android devices and were safer
from a privacy and app permissions standpoint. However, we
observed very concerning behavior and indicators of privacy
and security compromise on both iOS and Android.
Through the course of testing, we were prompted to (and did) download 61 other applications:
1. 100! Puzzle
2. Acorns
3. Badland Brawl
4. Billiard City (Mountain Game)
5. Booster Raiders (Halfbrick Studios)
6. BounceBang
7. BowMasters
8. Bricks and Balls (Cheetah Games)
9. Bubble Island 2 (Wooga)
10. Bunny Blast-Puzzle Game
11. Color Pump 3D
12. CSR Racing 2
13. Dancing Line
14. Era of Celestials (GTarcade)
15. Fair
16. Fastlane: Road Revenge (SpaceApe)
17. Final Fantasy XV
18. GardenScapes (Playrix Games)
19. Guns of Glory
20. Gymnastic Superstar
21. Happy Color
22. Happy Glass (Lion Studios)
23. Helix Jump
24. Huuge Casino - Slot Machines & Free Vegas Games
25. Idle Heros (DHGAMES)
26. JetPack Joyride (Halfbrick Studios)
27. Jetpack vs Colors (Crazy Labs)
28. Kick the Buddy
29. LEGO Life: safe social media for Kids
30. Love Balls (Lion Studios)
31. Magic Tiles 3
32. Merge Dragons! (Gram Games)
33. Merge Farm! (Gram Games)
34. Merge Plane-Click & Idle Tycoon
35. Monster Legends
36. Motocraft
37. My Café
38. Paper.io
39. Peel Remote
40. Piano Tiles 2 (Cheetah Games)
41. Popular Wars (Lion Studios)
42. Puzzle Game
43. Relaxing Bounce
44. Rise Up
45. Robinhood
46. Run Sausage Run (Crazy Labs by TabTale)
47. School of Dragons
48. Snake vs Colors (Crazy Labs)
49. Sudoku
50. Sweet Candy Story
51. Swing Star (Good job Games)
52. TikTok
53. Tile Hops
54. Township
55. US Army Shooter
56. Wish
57. Woody Puzzle
58. Word Cookies (BitMango)
59. WordScapes (PeopleFun Inc.)
60. WordStacks
61. World War Rising
[1] Influence Central. (2016). Kids & Tech: The Evolution of Today’s Digital Natives (Digital Report)
[2] Roger Fidler. (2015). RJI Mobile Media Research Project (RJI Reynolds Journalism Institute, University of Missouri)
[3] Asurion. (2018). Most Parents Use Technology to Help Keep an Eye on Their Children (Digital Report)
[4] Nielsen. (2012). American Families See Tablets as Playmate, Teacher, and Babysitter (Digital Report)
[5] Dr. Jenny Radesky. (2019). Advertising in Young Children’s Apps (Journal of Developmental & Behavioral Pediatrics: January 2019 - Volume 40 - Issue 1 - p 32–39).