In South Korea, a child-monitoring app is raising security concerns. Why?

A government-backed app called Smart Sheriff, which is now required on all smartphones sold to minors, is highly vulnerable to hacking, two new reports say.

|
Ahn Young-joon/AP
Lee Kyung-hwa, a mother of two who is head of Cyber Parents Union On Net, a South Korean activist group which supports the use of government-backed child-monitoring apps such as Smart Sheriff, is interviewed in her office on Friday. Ms. Lee says the app, which outside researchers say is highly vulnerable to hacking, only needs an upgrade.

In many countries, apps that let parents track how their children use smartphones are regarded as a parenting tool that can prevent bullying or a method of tracking what kids do online.

But in South Korea, a leading platform endorsed by the government called Smart Sheriff has critical security weaknesses, leaving personal information about parents and children vulnerable to hacking, researchers said in two reports released on Sunday. 

Child-monitoring apps let parents watch over their children’s shoulders online, blocking websites they don’t want their children to see and even receiving automatic alerts when messages sent from phones with the software installed contain words like “bully” or “pregnancy.”

Korean parents and children have little choice about whether to use such software. In April, the government began requiring all smartphones sold to people 18 and under to include child-monitoring apps, as well as aggressively promoting Smart Sheriff in collaboration with local schools, the Associated Press reports.

The mandate, required by the Korean Communications Corporation and backed by a large group of mobile phone operators, who developed Smart Sheriff, can be avoided by continuing to use an older phone. 

But the app’s security flaws, first identified by researchers at the University of Toronto’s Citizen Lab and German software auditing company Cure53 this summer, have raised concerns for families about  how their information may be used.

Phone numbers, emails, children’s birthdates, and their web browsing history were not properly encrypted, the researchers found, meaning they could be used by a third party. Other vulnerabilities could allow an malicious actor to inject their own code into the app, the researchers noted.

There were also several design problems, which permitted children to easily bypass limits their parents had set on particular websites and transmitted improperly secured web browsing histories – which could be used a third party – to MOIBA, the phone operators’ group which developed the app.

“Smart Sheriff is the kind of babysitter that leaves the doors unlocked and throws a party where everyone is invited," Collin Anderson, an independent researcher who collaborated with Citizen Lab on its report, told The Associated Press (AP).

MOIBA told the wire service they have responded to several of the bugs identified by researchers at Citizens Lab and Cure 53. But, the researchers say, few of the issues raised by the report have actually been remedied, noting that one of the developers’ fixes may have actually created a new issue with the Smart Sheriff software.

One parent who began using the app became increasingly concerned after it repeatedly sent her misleading alerts saying her sons were being bullied. After she began questioning them about each chat and text message they sent, they became angry and mistrustful, the parent, Yoon Jiwoon, told the AP.

"It's just not right for a mom to snoop on everything,” Ms. Yoon said, adding that after learning about the security concerns around the app, she plans to uninstall it.

But others say they feel the app's benefits for parents are most important. Lee Kyung-hwa, a mother of two whose Cyber Parents Union On Net endorses child surveillance, told the AP. Smart Sheriff is simply in need of an upgrade.

"If mothers feel happy thanks to the app, it is still helpful," she says.

The government’s mandate that all new smartphones carry the software has also drawn concern from watchdog groups in South Korea.

“The Decree is unconstitutional as it infringes on children’s privacy and parental rights, increases the risk of data breach, and overburdens both the business and the parents,” Open Net Korea, an activist group focused on Internet policy said in a statement in April. 

Because apps like Smart Sheriff repeatedly pass information from a minor’s phone to the app developer and then to a mobile phone company before reaching the parent, there are several points where that data can be stolen, the group says.

Beyond Korea’s child monitoring mandate, smartphone monitoring apps required by employers and used by suspicious spouses to catch their significant others cheating have also drawn concerns internationally, with some skeptics calling them “stalker apps,”  the BBC reports.

In the US, the FBI has successfully prosecuted one man, fining him $500,000 for selling an app called StealthGenie which could intercept emails and texts and record phone calls, the broadcaster notes. In court, prosecutors noted that it had been marked as “undetectable” and could be used by “stalkers and domestic abusers.”

Phone-monitoring apps have also been used in more unusual ways in South Korea, such as tracking illness, reports NPR.

This summer, the government quarantined 105 people in Jangduk village in the country's south after a woman in the village was diagnosed with the MERS virus, using smartphones to track the movements of the village's residents.

The government’s health ministry told NPR it obtained the villagers consent before beginning to track their movements to ensure they didn’t leave the village. But under South Korean law, the government can obtain the data directly from telecommunications companies without a person’s consent in an emergency situation such as a large scale health risk, the station reports.

Besides more Orwellian concerns about how information collecting by monitoring apps can be used, the researchers argued that security failures in a government-mandated program that focused on observing children were particularly alarming.

“This is not just a fitness tracker," Ronald Deibert, Citizen Lab’s director, told the AP. "It's an application meant to satiate parents' concerns about their children's use of mobile or social media, which is in fact putting them at more risk.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to In South Korea, a child-monitoring app is raising security concerns. Why?
Read this article in
https://www.csmonitor.com/Technology/2015/0921/In-South-Korea-a-child-monitoring-app-is-raising-security-concerns.-Why
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe