Families are increasingly using Family Locator (FL) apps for convenience and safety purposes. Such FL apps often collect a lot of sensitive information, such as user location and contacts, to improve their usability and functionality. However, it is not clear whether they provide strong protection for the collected sensitive information. This paper presents the findings of the first security and privacy analysis of FL apps. We select 41 FL apps from the Google Play store. We first analyze the permissions requested by the FL apps to understand the types of sensitive information they would collect. Then, we analyze the network traffic and local storage of these apps to identify potentially sensitive information leakage. Our analysis demonstrates that significant security and privacy vulnerabilities exist among FL apps. Specifically, 80.4% of the 41 FL apps leak sensitive information or join codes in plaintext. A join code would allow an attacker to join a family's group to perform a wide range of malicious activities. Meanwhile, we found that 15.1% of the 33 apps leak sensitive information from their back-end servers due to authentication and authorization vulnerabilities. We provide suggestions to users and developers of FL apps to improve security and privacy. We responsibly disclosed our findings to the developers of the 33 vulnerable apps. Nine of the developers confirmed our findings and showed interest in addressing them in their next updates. The feedback from our responsible disclosures shows that our analysis makes an impact on the security and privacy of FL apps.
CITATION STYLE
Alkhattabi, K., Alshehri, A., & Yue, C. (2020). Security and privacy analysis of android family locator apps. In Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT (pp. 47–58). Association for Computing Machinery. https://doi.org/10.1145/3381991.3395612