Unofficial parental control apps can threaten the safety of children
Many parents use apps to protect the safety and privacy of their children. However, accessing cheap and quick offers could have the opposite effect: some so-called ‘sideloaded’ or unofficial apps tend to have excessive access to personal data and hide their presence. This raises concerns about their potential for unethical surveillance and domestic violence, according to a study by University College London (UCL) and the St. Pölten University of Applied Sciences.
Up to 80 per cent of parents use apps to protect their children’s safety and privacy. The apps offer various functions, from limiting the time children spend online and the content they can view, to monitoring their activity and tracking their location.
A study has now compared ‘official’ parental control apps available from the Google Play store with ‘sideloaded’ or ‘unofficial’ parental control apps available from other sources.
The study compared 20 sideloaded parental control apps with 20 from the Google Play store, examining privacy policies, Android Package Kit files (used to distribute and install Android apps), application behaviour, network traffic and features.
Secret spying
The team found that sideloaded apps were more likely to hide their presence from phone users – a practice prohibited by official store apps. They also required excessive permissions – rules that determine what apps can access on the phone, including ‘dangerous’ permissions such as access to personal data, such as exact location, at any time.
In addition, three sideloaded apps transmitted sensitive data unencrypted, half had no privacy policy, and eight out of 20 apps were identified as potential stalkerware.
A fine line between protection and surveillance
Leonie Tanczer, lead author of the study from UCL: ‘Parental control apps are a popular way to keep children safe online and in person, and can be useful tools for parents to help navigate the dangers children face in today’s world. But the results of our study show that many sideloaded apps have serious privacy, consent, and even security issues. For example, if an app tries to hide its presence on the device, that’s nothing more than stalkerware. Once you start removing the safeguards that official store apps are required to have, it’s a fine line between legitimate use and unethical surveillance or, in extreme cases, domestic violence.’
Secret screenshots and call tapping
The researchers observed several concerning behaviours of sideloaded parental control apps that they believe are inappropriate for apps marketed as parental control tools. For example, the apps included features to intercept messages from dating apps like Tinder.
Many sideloaded apps also included the ability to take screenshots remotely, view call logs, read messages, and even listen in on calls.
The researchers found that due to a backlash against apps marketed to catch unfaithful spouses, for example, developers have instead started marketing apps as parental control tools.
Lack of consent from children
Eva-Maria Maier, first author of the study, who wrote the paper as part of her thesis in the IT Security programme at the St. Pölten University of Applied Sciences, says: ‘The main problem with the extensive functionality of these unofficial apps is consent. If parents have an open, transparent relationship with their child, they shouldn’t need to hide these apps on their child’s phone or access so much private information. This raises serious questions about whether children know how they are being tracked and how this affects their privacy and rights. Even if parents believe that they have the best interests of their child at heart, collecting so much personal information carries risks because of the prevalence of mass data leaks.’
Data leak from monitoring app
In 2015, the developer of the mSpy app was hacked and tens of thousands of customer records were leaked online, including the personal data of children. In 2024, mSpy customer service documents were leaked online, revealing how customers used the apps, including spying on partners suspected of cheating. mSpy is a sideloaded app and is currently marketed as parental monitoring software.
Lukas Daniel Klausner, researcher at the Institute for IT Security Research at the St. Pölten University of Applied Sciences: ‘Children’s rights differ from country to country, but in the European Union, children under the age of 16 do not need to give their consent if a parent installs a parental control app on their device. Although children over the age of 16 must give their consent, in reality it is often the parents who buy and set up devices and apps. So I suspect consent is not always given. This situation also means that children often have no access to or autonomy over their data collected by surveillance apps. These apps and many aspects of online culture are relatively new – they are not issues that parents had to deal with a generation ago. I think there is an urgent need for public discussion about the availability of these apps, how they are used and how they should be used from an ethical point of view.’
Related research:
Eva-Maria Maier et al. ‘Surveillance Disguised as Protection: A Comparative Analysis of Sideloaded and In-Store Parental Control Apps’, Proceedings on Privacy Enhancing Technologies.