Some 'unofficial' parental control apps have excessive access to personal data and hide their presence, raising concerns about their potential for unethical surveillance as well as domestic abuse, according to new research from UCL and St. Pölten UAS, Austria.
According to some sources, up to 80% of parents use apps to protect their children's safety, security and privacy. Once installed on a smartphone, they can offer various functions from restricting how long users can spend online and what content they can see, as well as activity monitoring and location tracking.
The study, published in the Proceedings on Privacy Enhancing Technologies, is the first to compare 'official' parental control apps available in the Google Play Store and 'sideloaded' or 'unofficial' parental control apps available from other sources1.
It compared 20 sideloaded parental control apps to 20 apps available on the Google Play Store, looking at privacy policies, Android package kit files (used to distribute and install Android apps), application behaviour, network traffic and application functionalities.
The team found that sideloaded apps were more likely to hide their presence from the phone user, a practice that is prohibited on official store apps. They also required excessive permissions (rules governing what apps can and cannot access on the phone), including 'dangerous' permissions such as being able to access personal data, like precise user location, at all times2.
Additionally, three sideloaded apps transmitted sensitive data unencrypted, half lacked a privacy policy and eight out of 20 were flagged for potential stalkerware indicators of compromise3.
Dr Leonie Tanczer, senior author of the study from UCL Computer Science, said: "Parental control apps are a popular way of helping to keep children safe online and in person, and can be useful tools for parents to help navigate the dangers that children are exposed to in today's world.
"But the results of our study highlight that many sideloaded apps have serious issues around privacy, consent and even safety. For example, if an app tries to hide its presence on a user's device, it is no different from stalkerware.
"Once you start removing the safeguards that official store apps are required to have, it is a slippery slope from legitimate use to unethical surveillance or, in extreme cases, domestic abuse."
The researchers observed multiple concerning behaviours of sideloaded parental control apps that they say are inappropriate for apps being marketed as child safety tools. For example, the apps included functionality to intercept messages from dating apps, such as Tinder.
The ability to take screenshots remotely, see call logs, read messages and even to listen in to live calls was also included in many sideloaded apps.
The researchers noted that a backlash against apps being marketed to catch cheating spouses, for example, has seen developers switch to marketing apps as parental control tools instead.
Ms Eva-Maria Maier, first author of the study from St. Pölten UAS, said: "The key issue with the extensive functionality of these unofficial apps is consent. If a parent has an open, transparent relationship with their child, they shouldn't need to hide them on their child's phone or have access to so much private information.
"This raises serious questions about whether children are aware how they're being tracked, and how this impacts their privacy and rights.
"Even if parents think that they have their child's best interests at heart, there are risks to gathering so much personal information when mass data breaches occur so frequently."
In 2015, the developer of the mSpy app was hacked and had tens of thousands of customer records leaked online, which included the personal data of children. In 2024, customer service records from mSpy were also leaked online, shedding light on how customers were using the apps, which included spying on partners suspected of cheating. mSpy is a sideloaded app and is currently marketed as parental tracking software.
Dr Lukas Daniel Klausner, an author of the study from St. Pölten UAS, said: "Children's rights vary from country to country, but in the European Union children under 16 don't have to give their consent for a parent to install a parental control app on their device. Even though children over 16 do have to give consent, in reality the parents are often the ones purchasing and setting up devices and apps, so I suspect consent is not always being given. This situation also implies that children frequently lack access to and autonomy over their data collected by monitoring apps, as they are not the owners of the device or account.
"These apps and many aspects of online culture are relatively new, they're not problems that parents had to navigate a generation ago. I think there's an urgent need for public discussion about the availability of these apps, how they are being used and how they should be used from an ethical perspective."
In the UK, children can give consent for their personal data to be processed at age 13 under GDPR rules.
1 Official stores, such as Google Play and Apple's App Store, have certain security and privacy requirements for software available through them, whereas other sources often have fewer restrictions. Apps available from these other sources are described as 'sideloaded'.
2 Google classifies permissions as 'dangerous' when they grant an app access to personal user data or control over a user's device. While these permissions can only be granted after explicit consent from the user, in the case of parental control apps the person providing consent is often not the user e.g. a parent.
3 Stalkerware refers to software that can be used to spy on or monitor someone without their knowledge or permission. Indicators of compromise refer to functions that would allow someone to use the apps in this manner.
