As parents all over the world review back-to-school safety tips with their kids, researchers have revealed serious security vulnerabilities in South Korean child filtering apps that may leave some parents asking: are our kids safer without them?

Researchers from Citizen Lab, Cure53, and OpenNet Korea conducted a series of security audits on Cyber Security Zone and Smart Dream, two parental monitoring apps for mobile devices. Their findings show that the children who use them are at risk of having their messages intercepted, personal data compromised, and even communication records falsified.

In April 2015, South Korea became the first country in the world to mandate that all phones registered to individuals under the age of 19 be equipped with monitoring and filtering apps that block content deemed “harmful”. This legislation was created with the intent of protecting minors from bullying and harassment, but security audits by researchers show these apps possess serious vulnerabilities that actually put minors at risk.

“Especially when an app is mandated by the government, it should be held to the highest security standards to keep the public safe,” explains Cure53 researcher Fabian Faessler. “This, unfortunately, is not the case with these apps.”

New app, same flaws

The apps studied were developed by the Korean Mobile Internet Business Association (MOIBA), an influential consortium of mobile telecommunications providers and phone manufacturers which is funded and promoted by South Korea’s telecommunications regulator, the Korean Communications Commission. In 2015, Citizen Lab and Cure53 conducted a security audit of Smart Sheriff, a child monitoring app produced by MOIBA, and found 26 security vulnerabilities. MOIBA eventually took Smart Sheriff off the market. However, MOIBA still provides child monitoring apps: Cyber Security Zone and Smart Dream, the apps audited in this study.

In fact, Cyber Security Zone appears to simply be a rebranding of Smart Sheriff, replete with many of the same security issues, including possible breaches of sensitive information such as passwords, phone numbers, and other user data. The flaws also allow fake content to be inserted to the app’s servers that could show the child visiting web pages and installing applications that they did not actually visit or install.

Credit: Jason Li

“In all of our security audits, we reported the problems we found to MOIBA so they could fix the issues. Rebranding and releasing an app that is known to be insecure irresponsibly puts users at risk,” explains Masashi Crete-Nishihata, Citizen Lab Research Manager

The security holes in Smart Dream could allow unauthorized access to stored messages and search history. The researchers notified MOIBA of the problems in Smart Dream and updates were made to address them, but due to the track record of MOIBA, the researchers are not confident that they have changed their software development practices to emphasize security.

“There are best practices on how to develop secure software but we understand that no software is completely secure. That’s why secure development is an ongoing investment: developers accept that security issues will appear but they also have processes in place to address and fix these quickly and properly,” says Faessler. “The vendors of these apps seemed to have no experience in this regard.”

Protective or paternalistic?

The introduction of the mandate to install parental monitoring apps sparked debate between the government, who claimed the measure was to protect children from harmful content, and privacy advocates, who saw the controls as an affront to privacy and personal freedoms. An online survey conducted by OpenNet Korea showed that a majority of parents thought the existing law should be abolished or significantly updated because the apps put children at risk.

The Korean government recently proposed a bill to the National Assembly that would allow parents to opt-out of installing a paternal monitoring device. OpenNet Korea sees this bill as a step in the right direction, as it gives parents the right to refuse to use child monitoring apps, but argues that more can be done.

Credit: Jason Li

Kelly Kim, General Counsel at OpenNet Korea explains, “The proposed bill gives parents the option to not use child monitoring apps which shows the government acknowledging its original position was wrong, but it’s not enough. The mandate is unconstitutional and should be abolished. Our institutions should be protecting children, not putting them at greater risk.”

For those who monitor information controls in the region, government interference of this magnitude may not be surprising. As Kim highlights, South Korea exhibits a” highly paternalistic” attitude towards digital protection, including a law that prohibits minors from playing online video games between 12:00 am to 6:00 am.  

Kim believes that parents should be allowed to make their own decisions as to how to protect their children from the perceived dangers of leading digital lives. And to that end, she doesn’t mince words when it comes to advising parents how to avoid the security pitfalls in parental monitoring apps:

“Talk to your children. Say no to insecure apps. Choose sensibly.”