Study Finds 'Serious Security Risks' In K-12 School Apps (therecord.media)
An anonymous reader quotes a report from The Record: Many apps used by schools contain features that can lead to the "unregulated and out of control" sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance. The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.
In the update, Me2B specifically looked at the use of a common feature called "WebView," which allows developers to integrate web pages into apps. Although the feature allows schools to include dynamic details -- like calendars and results of sporting events -- in apps without having to update the app itself, it can lead to the siphoning of student data and, in particularly bad cases, students and parents being targeted by scams. For example, on several occasions the researchers observed the hijacking of web pages linked to by school apps, leading users to malicious sites. An app used by Maryland's largest school district accidentally directed users to a compromised site that once was used for the district's sports teams. The Quinlan, Texas school district had a sports domain integrated into its app that was purchased by an unknown actor for $30 before anyone took action -- a security threat that's sometimes called a "dangling domain." Some of the recommendations to mitigate security risks include "training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a 'privacy bounty program' at the US Department of Education to audit school apps," reports The Record. "But perhaps the fastest way to reduce these risks is to alter the way the apps work."
"Apple and Google can change rules for in-app WebView links to ensure app developers can't overrule a local device browser preference," said Zach Edwards, who is in charge of data integrity testing for the Me2B Alliance.
Having used two versions of these nanny programs.. (Score:1)
Re: (Score:2)
and given that there are exploits for the kids
Yea, but those get patched pretty fast. I mean, reverse psychology hasn’t worked in years.
Working as intended (Score:2)
... is what I'd say.
Re: Working as intended (Score:3)
Re: (Score:2)
No lie. (Score:4, Informative)
Wait, so you're saying... (Score:2)
Re: (Score:2)
Not sure at the K-12 level but at the community/junior college level a LOT of software stuff is presented by the sales droid to the instructional faculty. They decide they want it, they get their boss involved, etc. and then only after the contract is signed does anyone having anything to do with IT get involved.
I'm going thru this now, our nursing department signed a contract for some software and so now that company wants what amounts to admin access for our entire online course delivery system even thou
Re: (Score:2)
Amusingly, I have a good friend who is one of those sales drones selling these bundles of software, services, and hardware to school districts that haven't the faintest clue what they're buying or why....they're just told "we have a state requirement to implement (technological buzzword) and if we don't use budget ($X) we will lose it and probably get fired for not fulfilling the mandated requirement"
He's...fairly ethical, as such people go. :) But he generally tells them when a given product in the bundle
Brought this up to our board and school (Score:5, Interesting)
I've shown this data to the school board, and the school, who assure me it's 100% safe, and the girl's data is NOT being taken, shared or collected. When you block third party cookies, or connect through a VPN, or just block the trackers with Possum / Badger, in all but 1 case, literally 1, the applications / websites stop working!
When I asked the school board / school why, they just fall back to assuring me the applications are safe and don't collect any information. Schools and school boards are willingly, and with full knowledge of their actions, selling the personal data of children. Schools / school boards should take action to stop this, and demand any application which can not run free of any trackers, should be banned.
They know the collection is happening, because you can show them it's happening, yet when the molestation is digital, no one cares. It's comical that we teach kids about consent in one area, but completely ignore it in others, and it's even worse that most kids aren't being taught to question and examine the applications for themselves.
A simple check any board / school can make is to force the use of a VPN, and force all browsers to have privacy focused extensions installed, if the application can't load, and if the source isn't made fully available for open audit, then it's banned.
Re: (Score:3)
Re: (Score:2)
cloud only software needs to go in schools adobe? (Score:2)
Cloud-only software needs to go in schools. Will Adobe and others make builds of their software for that?
Google Classroom (Score:2)
That being said, I have never read the license of GC but hope it was in the spirit of the "don't be evil" sid