Popular daycare and childcare communication applications are “dangerously insecure”, according to a recent analysis, and may put kids and parents at risk for data breaches.
According to a report by the non-profit Electronic Frontier Foundation (EFF), popular apps including Brightwheel and HiMama lacked two-factor authentication (2FA), making it possible for any malicious actor with access to a user’s password to log in remotely.
Meanwhile, in a reply to the organisation, Brightwheel said that it was rolling out 2FA for all admins and parents and claimed to be the “1st partner to offer this level of security” in the industry.
“Looking at a number of popular daycare and early education apps, we quickly found more issues than just the lack of 2FA,” the organisation said in a report.
“Through static and dynamic analysis of several apps, we uncovered not just security issues but privacy-compromising features as well. Issues like weak password policies, Facebook tracking, cleartext traffic enabled, and vectors for malicious apps to view sensitive data,” it added.
As per the organisation, another common trend in many daycare apps is relying on cloud services to convey their security posture. These apps often state they use “the cloud” to provide top-of-the-line security.
“It is crucial that the companies that create these applications do not ignore common and easily-fixed security vulnerabilities,” the organisation said.
“Giving parents and schools proper security controls and hardening application infrastructure should be the top priority for a set of apps handling children’s data, especially the very young children served by the daycare industry,” it added.
The organisation said it calls on all of these services to prioritise basic protections and guidelines, including making 2FA available for all admins and staff and addressing known security vulnerabilities in mobile applications, among others.
“Those fixes would create a significantly safer and more private environment for data on children too young to speak for themselves. But there is always more that can be done to create apps that create industry benchmarks for child privacy,” the organisation said.