Education Security

Study Finds 'Serious Security Risks' In K-12 School Apps (therecord.media) 16

An anonymous reader quotes a report from The Record: Many apps used by schools contain features that can lead to the "unregulated and out of control" sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance. The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.

In the update, Me2B specifically looked at the use of a common feature called "WebView," which allows developers to integrate web pages into apps. Although the feature allows schools to include dynamic details -- like calendars and results of sporting events -- in apps without having to update the app itself, it can lead to the siphoning of student data and, in particularly bad cases, students and parents being targeted by scams. For example, on several occasions the researchers observed the hijacking of web pages linked to by school apps, leading users to malicious sites. An app used by Maryland's largest school district accidentally directed users to a compromised site that once was used for the district's sports teams. The Quinlan, Texas school district had a sports domain integrated into its app that was purchased by an unknown actor for $30 before anyone took action -- a security threat that's sometimes called a "dangling domain."
Some of the recommendations to mitigate security risks include "training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a 'privacy bounty program' at the US Department of Education to audit school apps," reports The Record. "But perhaps the fastest way to reduce these risks is to alter the way the apps work."

"Apple and Google can change rules for in-app WebView links to ensure app developers can't overrule a local device browser preference," said Zach Edwards, who is in charge of data integrity testing for the Me2B Alliance.
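The "keeping track of expiring URLs" recommendation above can be sketched as a small audit. This is an added example, not code from the Me2B report or The Record. The domain names, expiry dates, link list, 60-day warning window and finding labels are all constructed assumptions.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample data: domains the district has registered, with expiry dates.
REGISTERED = {
    "district.example": date(2026, 8, 1),
    "district-athletics.example": date(2022, 1, 10),
    "oldboosters.example": date(2021, 11, 30),
}

# Constructed sample data: links configured in the school app's WebView tabs.
APP_LINKS = [
    "https://www.district.example/calendar",
    "http://scores.district-athletics.example/results",
    "https://oldboosters.example/tickets",
    "https://notdistrict.example/menu",
]


def owning_domain(host, registered):
    """Return the longest registered domain that is the host or a parent of it."""
    host = host.lower().rstrip(".")
    # Match only on a label boundary, so notdistrict.example != district.example.
    matches = [d for d in registered if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None


def audit_link(url, registered, today, warn_days=60):
    """Return the list of findings for one link (empty list means no finding)."""
    parts = urlsplit(url)
    if not parts.hostname:
        return ["no-host"]
    findings = [] if parts.scheme == "https" else ["not-https"]
    domain = owning_domain(parts.hostname, registered)
    if domain is None:
        return findings + ["untracked-domain"]  # nobody is watching its renewal
    expiry = registered[domain]
    if expiry < today:
        findings.append("expired")  # lapsed registration: candidate dangling domain
    elif expiry - today <= timedelta(days=warn_days):
        findings.append("expiring-soon")
    return findings


def audit(links, registered, today, warn_days=60):
    """Map each link that has at least one finding to its findings."""
    results = {url: audit_link(url, registered, today, warn_days) for url in links}
    return {url: f for url, f in results.items() if f}
```

Links flagged `expired` or `untracked-domain` are the ones to pull from the app until ownership of the domain is confirmed.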

  • Teachers often do not know how to use them to focus students on the scholastic task at hand (then why install them?), and administrators are clueless as to how the back-end of the programs function. There are workarounds for the kids that are constantly popping up, and given that there are exploits for the kids, there are certainly exploits for the companies that have sold the packages. Buyer beware.
    • and given that there are exploits for the kids

      Yea, but those get patched pretty fast. I mean, reverse psychology hasn’t worked in years.

  • ... is what I'd say.

    • Yep. Using SDKs made for & by surveillance companies & the distraction & advertising industry to develop apps for compulsory use, kids & parents can't realistically opt out in many cases, in educational contexts where the objectives are thinking hard & learning stuff. What could go wrong?
    • Yes, this is the entire business model of companies like Naviance. College apps pass through Naviance to CommonApp to all the colleges, and the only reason not to just use CommonApp directly is the extra surveillance suite that Naviance provides for admins. They freely admit that their business model is selling student information, and while this information is legally protected as private, at many schools students must 'willingly' give up this privacy if they desire the assistance of school officials with
  • No lie. (Score:4, Informative)

    by Revek ( 133289 ) on Tuesday December 21, 2021 @10:49AM (#62102545)
    My kids' school has one and they insisted that I use it for something. I asked them who made it and why does it need access to everything and they of course said they didn't know what I was talking about. I refused and told them as soon as they could provide any real reason why it needed access to my microphone and camera I would consider it. The app didn't have any features that used either.
  • ...that software that was: ... hastily rolled out, ...on generally inadequate or inappropriate hardware, ....was selected by 'lowest bidder' process, ....by a school board/administration that is largely technologically illiterate, ...and/or often corrupt (to varying degrees), ....by massive "educational software systems" bundlers/resellers, ...in a field dominated by only a few competitors that often collude, ...and which has been historically perfectly comfortable with things like $300 textbooks "revised"
    • Not sure at the K-12 level but at the community/junior college level a LOT of software stuff is presented by the sales droid to the instructional faculty. They decide they want it, they get their boss involved, etc. and then only after the contract is signed does anyone having anything to do with IT get involved.

      I'm going thru this now, our nursing department signed a contract for some software and so now that company wants what amounts to admin access for our entire online course delivery system even thou

      • Amusingly, I have a good friend who is one of those sales drones selling these bundles of software, services, and hardware to school districts that haven't the faintest clue what they're buying or why....they're just told "we have a state requirement to implement (technological buzzword) and if we don't use budget ($X) we will lose it and probably get fired for not fulfilling the mandated requirement"

        He's...fairly ethical, as such people go. :) But he generally tells them when a given product in the bundle

  • by Murdoch5 ( 1563847 ) on Tuesday December 21, 2021 @11:12AM (#62102635) Homepage
    My daughters both use a number of different computer apps / programs to manage everything from learning Math, through to "checking out" books from the "Library" (which is just a glorified eBook register). Every year I get the list of applications, I load them up in Firefox with Privacy Badger, and Privacy Possum Active, and see where the data is going. Without a single exception you always see: Google, Facebook, Twitter, and Stripe (the payment processor).

    I've shown this data to the school board, and the school, who assure me it's 100% safe, and the girls' data is NOT being taken, shared or collected. When you block third party cookies, or connect through a VPN, or just block the trackers with Possum / Badger, in all but 1 case, literally 1, the applications / websites stop working!

    When I asked the school board / school why, they just fall back to assuring me the applications are safe and don't collect any information. Schools and school boards are willingly, and with full knowledge of their actions, selling the personal data of children. Schools / school boards should take action to stop this, and demand any application which can not run free of any trackers, should be banned.

    They know the collection is happening, because you can show them it's happening, yet when the molestation is digital, no one cares. It's comical that we teach kids about consent in one area, but completely ignore it in others, and it's even worse that most kids aren't being taught to question and examine the applications for themselves.

    A simple check any board / school can make is to force the use of a VPN, and force all browsers to have privacy focused extensions installed, if the application can't load, and if the source isn't made fully available for open audit, then it's banned.
    • by sinij ( 911942 )
      What you describe is why engineers have a code of ethics and you can actually lose your licensing if you don't attempt to follow it. It is time for software development to be treated in a similar way - if you are caught implementing evil shit knowingly you are forced to career-change into custodial services or transportation sectors.
  • Cloud-only software needs to go in schools. Will Adobe and others make builds of their software for that?

  • While I am strongly opposed to any computer-based tool used by schools sending data about kids to the "big data companies" (if you want to call them that), I will point out that many school districts are using Google Classroom [wikipedia.org] as a platform. So hopefully the study did account for "legit" data sent to Google in this regard versus just raising hell that a Google IP address was a target at some point.

    That being said, I have never read the license of GC but hope it was in the spirit of the "don't be evil" sid
