South Korea pulls plug on child surveillance app after security concerns

Government officials pulled Smart Sheriff, an app that lets parents track how their children use social media, from the Google Play store over the weekend.

Ahn Young-joon/AP/File
Ryu Jong-myeong, chief executive of security firm SoTIS, watches a monitor during an interview at his office in Seoul, South Korea on Sept. 18. Over the weekend, the Korean government pulled a controversial child monitoring app called Smart Sheriff from the market after security researchers identified a number of issues with the app, saying it could put the personal information of children and parents who use it to monitor their childrens' social media use at risk.

A child monitoring app that has caused controversy in South Korea was quietly pulled from the market after security researchers raised a number of concerns about its safety, calling it “hopelessly vulnerable” to hacking.

The Korean Communications Commission told the Associated Press over the weekend that government officials had removed the Smart Sheriff app from the Google Play store, suggesting existing users find alternate software platforms.

In April, South Korean officials began requiring all smartphones sold within the country to people 18 or younger to come with child monitoring software, which allows parents to spy on how their children used social media.

Smart Sheriff, one of the most popular child-monitoring apps with about 380,000 users, was intended to keep children safe from bullying and other threats by allowing parents to receive alerts when their kids used words such as “bully” or “pregnancy” in text messages or social media posts.

But researchers from Citizens Lab, a research group based at the University of Toronto, and Cure53, a German software company, released two reports in September finding that Smart Sheriff had a variety of security issues that it made it vulnerable to hackers and put children and parents’ personal information at risk.

“There was literally no security at all,” Cure53 director Mario Heiderich told the AP when the reports were first released. “We've never seen anything that fundamentally broken.” The report focused on Smart Sheriff, not the other apps that satisfy the South Korean phone law.

The researchers’ findings sparked a back and forth with MOIBA, the mobile phone developers’ group that created the app. The developer said it had fixed the bugs identified by the researchers six weeks before their original reports were published.

But in an updated report last month, Cure53 and Citizens Lab said those fixes were mostly about the software's design, not its underlying security issues.

“This second audit raised several very concerning findings, which overall suggest that serious problems remain with the Smart Sheriff application and call into question MOIBA’s efforts to address the vulnerabilities,” Citizens Lab says on its website.

It was unclear exactly why the government decided to remove the app over the weekend, but the researchers praised the move. It was “long overdue,” independent researcher Collin Anderson, who worked with Citizens Lab over several months to sort through the app’s code, told the AP.

But Citizens Lab says that while Korean officials have removed the app, the underlying application components are still available, along with what may be another version that has the same vulnerabilities as Smart Sheriff.

MOIBA appears to have republished the app under another name which translates as “Cyber Safety Zone,” Citizen Lab says. Though there are some cosmetic changes, the new app appears to have the same security issues as the previous version, the researchers say.

As they applauded the Korean government’s decision to pull the plug on Smart Sheriff, the researchers noted that their goal was to draw attention to security risks in particular apps, not necessarily criticize the government's decision to require child surveillance software, which has generated a mixed response among parents in South Korea.

Smart Sheriff, for example, could put kids and parents further at risk by making information such as phone numbers and passwords available while allowing hackers to disable access to the app.

“If you are going to do it at all, you have to do it right," Mr. Heiderich of Cure53 told the AP.  “And this was not done right at all.”

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.