“Is Our Children’s Apps Learning?” Automatically Detecting COPPA Violations

In recent years, a market of games and learning apps for children has flourished in the mobile world. Many of these often “free” mobile apps have access to a variety of sensitive personal information about the user, which app developers can monetize via advertising or other means. In the United States, the Children’s Online Privacy Protection Act (COPPA) protects children’s privacy, requiring parental consent to the use of personal information and prohibiting behavioral advertising and online tracking. In this work, we present our ongoing effort to develop a method to automatically evaluate mobile apps’ COPPA compliance. Our method combines dynamic execution analysis (to track sensitive resource access at runtime) with traffic monitoring (to reveal private information leaving the device and recording with whom it gets shared, even if encrypted). We complement empirical technical observations with legal analysis of the apps’ corresponding privacy policies. As a proof of concept, we scraped the Google Play store for apps distributed in categories specifically targeting users under than 13 years of age, which subjects these products to COPPA’s regulations. We automated app execution on an instrumented version of the Android OS, recording the apps’ access to and transmission of sensitive information. To contextualize third parties (e.g., advertising networks) with whom the apps share information, we leveraged a crowdsourced dataset collected by the Lumen Privacy Tool (formerly Haystack) [27], an Androidbased device-local traffic inspection platform. Our effort seeks to illuminate apps’ compliance with COPPA and catalog the organizations that collect sensitive user information. In our preliminary results, we find several likely COPPA violations, including omission of prior consent and active sharing of persistent identifiers with third-party services for tracking and profiling of children. These results demonstrate our testbed’s capability to detect different types of possible violations in the market for children’s apps.