Despite policy recognition of children’s online vulnerability, children’s apps (or parents’ apps that incorporate children’s data) can share user data with third parties, and that data can be used to create detailed long-term profiles of children, posing privacy risks.1,2 These risks have attracted policy attention from the Federal Trade Commission; Apple Inc. subsequently determined that apps developed for children should not send personally identifiable information or device information to third parties and should not contain third-party trackers or advertisements.
We conducted a cross-sectional study of mobile apps with the highest user ratings, labeled for children under 12, available from July 2022 on the Apple App Store in Australia, Canada, the UK and the US (https://kids-apps.healthprivacy.info). Our goals were to (1) characterize the apps' data sharing practices by analyzing their network traffic and (2) identify the third parties that received the information sent by these apps. Building on previously reported methods,3 we created a parent/child dummy profile and analyzed network traffic during simulated app usage to identify the transmission of 21 pre-specified user data types and their network destinations. For identified data recipients, we examined their websites to categorize their main activities.
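The traffic-analysis step described above can be sketched as follows. This is an added illustration, not the study's own tooling: the app name, hosts, dummy-profile values, captured requests and the set of encodings searched for are all constructed assumptions.

```python
import base64, hashlib
from urllib.parse import quote

# Constructed dummy profile: data type -> value planted during simulated use.
PROFILE = {
    "email": "kid.tester@example.org",
    "advertising_id": "6D92078A-8246-4BA4-AE5B-76104861E7DC",
    "child_name": "Robin Testchild",
}
# Constructed: domains owned by each app's developer (first party).
FIRST_PARTY = {"puzzle-app": ("puzzledev.example",)}
# Constructed capture: one record per decrypted outbound request.
REQUESTS = [
    {"app": "puzzle-app", "host": "api.puzzledev.example", "url": "/v1/signup",
     "body": '{"email":"kid.tester@example.org","name":"Robin Testchild"}'},
    {"app": "puzzle-app", "host": "collect.adnet.example",
     "url": "/e?idfa=6d92078a-8246-4ba4-ae5b-76104861e7dc", "body": ""},
    {"app": "puzzle-app", "host": "t.metrics.example", "url": "/batch",
     "body": "uid=" + hashlib.sha256(b"kid.tester@example.org").hexdigest()},
    {"app": "puzzle-app", "host": "cdn.assets.example", "url": "/img/logo.png", "body": ""},
]

def variants(value):
    """Forms in which a planted value may appear on the wire (assumed set)."""
    raw = value.encode()
    return {"plain": value,
            "urlencoded": quote(value, safe=""),
            "base64": base64.b64encode(raw).decode(),
            "sha256": hashlib.sha256(raw).hexdigest()}

def party(app, host):
    """Classify a destination host as first or third party for the given app."""
    owned = FIRST_PARTY.get(app, ())
    return "first" if any(host == d or host.endswith("." + d) for d in owned) else "third"

def find_transmissions(requests):
    """Return sorted (app, host, party, data_type, encoding) for each planted value seen."""
    hits = set()
    for req in requests:
        payload = (req["url"] + "\n" + req["body"]).lower()  # case-insensitive match
        for dtype, value in PROFILE.items():
            for enc, form in variants(value).items():
                if form.lower() in payload:
                    hits.add((req["app"], req["host"], party(req["app"], req["host"]), dtype, enc))
                    break  # record the first matching encoding only
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_transmissions(REQUESTS):
        print(hit)
```

Matching on transformed forms as well as plaintext matters because a hashed identifier still lets a recipient link records to the same user across requests.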
All sampled apps (100%, 25/25) shared user data of varying degrees of sensitivity outside the app (Table 1). Nearly half of the apps (44%, 11/25) sent third parties at least one data file that is considered personal information under the European Union’s General Data Protection Regulation.
The included apps forwarded user data to 165 unique hosts (median 10, IQR 5–17). Forty hosts (24%, 40/165) were associated with the app developer or parent company. One hundred and thirty-eight hosts (84%, 138/165) were third parties, including those that provided infrastructure-related services (19%, 31/165), such as cloud services, and analytics services (65%, 108/165), such as advertising or analytics for commercial purposes (Table 2). Amazon.com, Inc., Apple Inc. and Google LLC accounted for more than a third of the unique hosts (58/165, 35%) in our traffic analysis and received data from all apps in the study as either first party or third party (Table 2). Despite Apple Inc.’s guidelines, 18 apps (72%) sent data to analytics-related third parties not affiliated with Apple Inc.
Children’s data is often shared with third parties, suggesting that there are privacy risks associated with the use of children’s apps.4 Thus, an industry self-regulatory approach to addressing children’s privacy risks in apps may be limited. The implications of data sharing can manifest in all aspects of childhood, including those related to education, entertainment and health, and extend into adulthood. Privacy regulations should require transparency and accountability about the data sharing practices of developers and third parties and promote user control over data sharing.
The authors thank ip2location.com for assistance in providing an academic license for their geo-IP database.