South Korea pulls plug on child surveillance app after security concerns

Government officials pulled Smart Sheriff, an app that lets parents track how their children use social media, from the Google Play store over the weekend.

Ahn Young-joon/AP/File
Ryu Jong-myeong, chief executive of security firm SoTIS, watches a monitor during an interview at his office in Seoul, South Korea on Sept. 18. Over the weekend, the Korean government pulled a controversial child monitoring app called Smart Sheriff from the market after security researchers identified a number of issues with the app, saying it could put the personal information of children and parents who use it to monitor their childrens' social media use at risk.

A child monitoring app that has caused controversy in South Korea was quietly pulled from the market after security researchers raised a number of concerns about its safety, calling it “hopelessly vulnerable” to hacking.

The Korean Communications Commission told the Associated Press over the weekend that government officials had removed the Smart Sheriff app from the Google Play store, suggesting existing users find alternate software platforms.

In April, South Korean officials began requiring all smartphones sold within the country to people 18 or younger to come with child monitoring software, which allows parents to spy on how their children used social media.

Smart Sheriff, one of the most popular child-monitoring apps with about 380,000 users, was intended to keep children safe from bullying and other threats by allowing parents to receive alerts when their kids used words such as “bully” or “pregnancy” in text messages or social media posts.

But researchers from Citizens Lab, a research group based at the University of Toronto, and Cure53, a German software company, released two reports in September finding that Smart Sheriff had a variety of security issues that it made it vulnerable to hackers and put children and parents’ personal information at risk.

“There was literally no security at all,” Cure53 director Mario Heiderich told the AP when the reports were first released. “We've never seen anything that fundamentally broken.” The report focused on Smart Sheriff, not the other apps that satisfy the South Korean phone law.

The researchers’ findings sparked a back and forth with MOIBA, the mobile phone developers’ group that created the app. The developer said it had fixed the bugs identified by the researchers six weeks before their original reports were published.

But in an updated report last month, Cure53 and Citizens Lab said those fixes were mostly about the software's design, not its underlying security issues.

“This second audit raised several very concerning findings, which overall suggest that serious problems remain with the Smart Sheriff application and call into question MOIBA’s efforts to address the vulnerabilities,” Citizens Lab says on its website.

It was unclear exactly why the government decided to remove the app over the weekend, but the researchers praised the move. It was “long overdue,” independent researcher Collin Anderson, who worked with Citizens Lab over several months to sort through the app’s code, told the AP.

But Citizens Lab says that while Korean officials have removed the app, the underlying application components are still available, along with what may be another version that has the same vulnerabilities as Smart Sheriff.

MOIBA appears to have republished the app under another name which translates as “Cyber Safety Zone,” Citizen Lab says. Though there are some cosmetic changes, the new app appears to have the same security issues as the previous version, the researchers say.

As they applauded the Korean government’s decision to pull the plug on Smart Sheriff, the researchers noted that their goal was to draw attention to security risks in particular apps, not necessarily criticize the government's decision to require child surveillance software, which has generated a mixed response among parents in South Korea.

Smart Sheriff, for example, could put kids and parents further at risk by making information such as phone numbers and passwords available while allowing hackers to disable access to the app.

“If you are going to do it at all, you have to do it right," Mr. Heiderich of Cure53 told the AP.  “And this was not done right at all.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.