Study Finds ‘Serious Security Risks’ In K-12 School Apps

An anonymous reader quotes a report from The Record: Many apps used by schools contain features that can lead to the “unregulated and out of control” sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance. The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.

In the update, Me2B specifically looked at the use of a common feature called “WebView,” which allows developers to integrate web pages into apps. Although the feature allows schools to include dynamic details — like calendars and results of sporting events — in apps without having to update the app itself, it can lead to the siphoning of student data and, in particularly bad cases, students and parents being targeted by scams. For example, on several occasions the researchers observed the hijacking of web pages linked to by school apps, leading users to malicious sites. An app used by Maryland’s largest school district accidentally directed users to a compromised site that once was used for the district’s sports teams. The Quinlan, Texas school district had a sports domain integrated into its app that was purchased by an unknown actor for $30 before anyone took action — a security threat that’s sometimes called a “dangling domain.”

Some of the recommendations to mitigate security risks include “training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a ‘privacy bounty program’ at the US Department of Education to audit school apps,” reports The Record. “But perhaps the fastest way to reduce these risks is to alter the way the apps work.”

“Apple and Google can change rules for in-app WebView links to ensure app developers can’t overrule a local device browser preference,” said Zach Edwards, who is in charge of data integrity testing for the Me2B Alliance.