Did you just get your child a new tablet over the recent shopping season? Perhaps a not-so-expensive Android one, specifically marketed at children? Of course you did because the little one was so adamant on getting a digital play-toy like her other friends and you couldn’t say no to her cute requests…
Well, you may have done your child a huge disfavour if a new report from Bluebox Laboratories is to be taken seriously. For, the firm, which is in the business of securing mobile data, maintains that the nine most popular children’s Android tablets that it evaluated were low on trust – and high on vulnerabilities.
Bluebox Labs says it analysed the children’s tablet market to identify which tablets were the safest and which to avoid. It then selected the top nine (read: most popular) tablets for kids and examined how ‘secure’ they were based on three primary criteria: Trust Score from Bluebox; device and software security configurations; and analysis of network traffic and privacy violations.
The findings: you won’t like what they found in the backend of your child’s tablet. Lurking in there are malicious codes, Trojans, unencrypted data transfers, enabled USB debugging, riskware and even adult apps like dating applications, making your child’s tablets an open invitation for cyber criminals and child abusers.
“Overall, the Trust Scores for children’s Android tablets were quite low. Trust Scores range from 0 to 10, [with] 0 equalling no trust (more risk) and 10 equalling Trustable (zero or very few security risks),” the Bluebox report states.
“Only one tablet managed to break above a 5, while the average came in just below a 4 and the lowest was a 2.7,” the security firm maintains.
But why just Android tablets specifically marketed as kids’ tablets, we asked. What about iPads and other Android tablets that aren’t specifically marketed as children’s tablets? After all, we often see children using the same device as their patents. How safe is that and what advice would Bluebox give to such parents?
“iPads and Android tablets not strictly marketed towards children lack the safeguards meant specifically for kids, such as creating a separate ‘workspace’ for children and limiting access things like the app stores,” Andrew Blaich, lead security analyst at Bluebox Security, told Emirates 24|7.
“However, both the iPad and other Android tablets (4.3 and up) do have some of these capabilities. For the Apple iPads, there is a special restrictions mode in the system settings that allow a parent to block in-app purchases and even ‘locking’ the tablet from using specific applications, such as email,” he tells us.
“For non-children’s marketed Android tablets, the newer Android versions have an option to create another user account and give it restricted access, which is ideal for parent’s sharing their tablets,” he suggests.
“Some manufacturers like Samsung include a ‘kid’s mode’ in their software that can help limit access to what a kid can do.
The recent version of Android, lollipop 5.0.X, allows users to ‘pin’ or lock a device to use a single app, similar to Apple’s restriction on iPads. It is a good feature to have if you're sharing a device with a child,” Blaich notes.
There are two key players in the tablet world, Apple and Android, the report explains. While there is only one Apple tablet, the ubiquitous iPad, dozens of manufacturers have created hundreds of Android tablets, many of which cater specifically to children, it notes.
Children’s tablets have several features that distinguish them from the average tablet. They typically have a coloured, rubberised case to protect against damage, special management software to separate accounts for children and guardians, and kid-focused media, including apps and games, Bluebox maintains.
Additionally, information stored on children’s tablets is subject to privacy laws like the Children’s Online Privacy Protection Act (COPPA), designed to stop the collection and tracking of children’s data. “It would appear that these tablets are not only physically protected from their young owners, but also fortified to protect against cyber hackers,” the report states.
“However, our research found that this is not always the case.”
The nine popular Android tablets marketed at children that the firm evaluated are: Nabi 2, iDeaPLAY, Kurio 7s, Smartab 7”, ProntoTec 7” WiMo, Contixo Kids 7”, iRulu Kid Pad 7”, Orbo Jr, and Sprout Channel Cubby.
Are these tablets available in the UAE, we asked. “We purchased all of our tablets via online retailers such as Amazon. If those retailers are able to ship to the UAE/Middle East then you should be able to buy them,” Blaich told Emirates 24|7.
In any case, as parents, we should perhaps be aware of what kind of malicious codes and riskware cohabitates with the legitimate stuff – and what should we do to root them out.
“The best way parents can protect their children when using these types of devices is to follow a few best practices,” Blaich says when asked how parents can protect their children from the vulnerabilities nestled in tablets specifically marketed to kids.
“Limit internet access on the device by using the parental controls. We recommend either turning off Wi-Fi completely or only allowing it to connect to known trusted networks, just make sure these networks are password protected to avoid spoofing attacks when traveling,” he lists as the first best practice.
“Disable or limit access to the available app stores on the device,” he notes as the second practice to be followed. “These devices ship with a set of apps that have typically been reviewed, but apps downloaded from the third party stores have not necessarily been reviewed, so you're not sure what you may get,” he explains.
Thirdly, he says, “buy a device [only] from a trusted supplier. While this won’t always protect you, it will maximise your chances of getting software updates to patch known vulnerabilities (as was the case with the Nabi brand of tablets),” he maintains.
At number four, he lists ensuring that the feature that allows apps to be installed from unknown sources is turned off, as well as disabling developer mode.
Finally, says Blaich, “check for recent software updates on the device (sometimes these devices don’t ship with the latest software available and there is an update waiting when the device is connected to the Internet).”
So, the firm evaluated each device using the Trustable by Bluebox app, as well as a combination of three malware scanners to determine the most accurate security of each tablet. “Trustable by Bluebox produces an overall Trust Score, which indicates how trustable each device is compared to other available Android devices, while the other scanners flag riskware, adware and malware,” it notes.
Here are the key findings from Bluebox research, enough to send a shiver down any parent’s spine:
• Almost all of the tablets Bluebox examined shipped with third-party software management solutions to separate the children and parent/guardian (administrator) workspaces. This allows a tablet to be setup and used by a child, but managed by an adult.
• All devices were susceptible to at least three vulnerabilities (Futex, ObjectInputStream and BroadAnywhere) reported by Trustable.
• More than half of the tablets shipped with a security backdoor (access to a program that bypasses security mechanisms), allowing root access to the device. Root access gives privileged control to the Android device's sub-system.
• All but one device came with the Google Play store pre-installed.
• All but two devices had third-party app stores pre-installed. A child-focused third-party app store could be beneficial as it specialises in children’s apps, meaning the apps could potentially be safer.
However, not all third-party app stores are created equal and the apps made available on some of the stores could be at risk for stealing you or your child's information.
• All devices shipped with preloaded media content including apps, books and videos for children.
When evaluating the software on the tablets, Bluebox discovered that for the most part, applications were adhering to COPPA laws.
Most applications were using developer analytics libraries such as Flurry, Google Analytics and Crittercism, which collect device information, but do not reveal personal information about the tablet users.
So far, so good. However, two of the management software vendors, Zoodles and Nabi, were sending personal information and pictures (which were provided when creating user profiles) to the backend.
This information (including photos) was easily accessible and unencrypted without authentication from their cloud storage provider.
Zoodles Account Creation (information is stored and retrieved from the cloud)
Individual Tablet Results
Nabi brands itself as ‘KidSafe’ and COPPA compliant. Out of the box, the Nabi 2 had a very low Trust Score. However, once Bluebox analysts downloaded two major updates from Nabi and Google Play and patched some know vulnerabilities that were scanned by Trustable, they arrived at a Trust Score of 5.3 (out of a possible 10), which was the best score among the 9 tablets tested for the report.
But despite that analysts found issues with the data the tablet sends to its backend and how that data is stored and retrieved. While the Nabi received the highest Trust Score in this study, it still has a low Trust Score in general, the researchers highlight.
The Kurio 7s shipped without Google Play, yet Google Play was made available after a firmware update. Based on Bluebox research, the Kurio was tied for the second highest Trust Score of 4.5.
Sprout Channel Cubby
The Sprout Cubby shipped with a Trust Score of 4.5, tying with Kurio and Smartab.
The iDeaPLAY tablet was the worst in class on Trust Score, managing just 2.7. It shipped with a security backdoor and USB debugging enabled, say Bluebox researchers. “The iDeaPLAY is a good example of what we typically find with cheaper tablets [costs under $50] that ship with test builds of the Android operating system that include the Android Open Source Project (AOSP) signing key,” the report notes. “Despite being on Android 4.2.2, the iDeaPLAY had more vulnerabilities than the Nabi on Android 4.1.1,” it states, adding that “the overall security of the device is questionable”.
Smartab uses Android parental control (restricted profiles) software built into the operating system to create different profiles for user management. Smartab, Sprout Channel Cubby and Kurio all scored a 4.5 Trust Score.
ProntoTec runs management software called Zoodles that looks like it’s still in an engineering test phase, says Bluebox analysts. It came rooted, with USB debugging enabled and with Google Play pre-installed. Zoodles sends the profile name, birthdate and picture to their backend and the data is unencrypted, making it susceptible to man in the middle attacks. The ProntoTec scored a Trust Score of 3.9.
The Contixo runs the same management software as the Prontotec tablet, Zoodles. It came pre-rooted and signed with the AOSP test key. Contixo has a low Trust Score of 4.0.
iRulu came rooted and the iRuluStore was flagged as riskware, meaning the program is legitimate, but has the potential for misuse by cyber criminals. The iRulu received a low Trust Score of 3.9.
The Orbo Jr. scored a 2.9 Trust Score for a number of reasons. The tablet came rooted and with USB debugging enabled. It also came with its own third-party store, the MoboMarket, as well as Google Play.
MoboMarket offers to configure SuperSU (an app that lets other apps request root permissions on a rooted device), enabling the user to easily install apps from their market.
One questionable app that was pushed to the device via a store update was OkCupid, an online dating application.
When Bluebox analysts installed an app from Google Play, the MoboMarket alerted them to an update in the MoboMarket store.
A few malware scanners found issues with some of these apps, flagging them as riskware, adware and malware.
Finally, the device came loaded with an open wireless access network most likely from the factory or environment where the device was tested.
Is your child’s tablet safe here in the UAE?
In the UAE (and other countries in the region), telecom providers and authorities filter out certain content and so some malicious websites may be already blocked. So, how relevant is this ranking in such an environment, we asked. Does it still hold good and do the vulnerabilities remain the same?
“The Internet moves at such a fast pace that there are always new threats (or old threats re-packaged) that can get past filtering, because filtering can only stop what it’s aware of,” Blaich explained to us.
“Filtering will work well as a first line of defence against the known bad, but the unknown bad is always harder to protect against,” he says.
“The vulnerabilities we reported on remain relevant anywhere you are as there are multiple avenues in which a device can be exploited. Whether the user downloads an app from a store included on the device or a website, the device is vulnerable unless it has been patched in its software,” he elaborated.
“If an app gets on the device that attempts to exploit a known vulnerability, it will most likely succeed. Google Play occasionally lets malware and apps that exploit vulnerabilities or steal information in its marketplace. The Trust Score is relevant no matter your location,” he concludes.