In April of this year, South Korea began mandating that government-approved monitoring software be installed on smartphones used by anyone 19 years of age or younger. Unfortunately, one of the most widely-used, government-approved versions of this "monitoring software" actually left children's data wide open to prying eyes.Earlier this year, I participated in the Citizen Lab Summer Institute - a series of research workshops hosted in Toronto by Citizen Lab - and had the chance to collaborate with several researchers on this project that took a closer look at parental monitoring software used in South Korea.
When the mandate was passed, the government approved a handful of applications for this purpose, but our research focused specifically on "Smart Sheriff", an Android application developed by a group of telecom companies known as the Korean Mobile Internet Business Association (MOIBA). We chose this particular application because it was one of the more heavily promoted monitoring solutions and we wanted to ensure that it was handling the sensitive data it captured in a secure manner. For our research, we were able to obtain the latest publically available version at the time (1.7.5) from the official listing on the Google Play Store.
Smart Sheriff offers multiple monitoring capabilities, including the ability to view the overall amount of time the device or individual applications have been used and, more concerningly, any URLs visited or web searches made from the device. Parents also have the option of blocking apps from running or only allowing their use during set times, as well as preventing access to specific websites based on the URL or the website's classification (e.g., blocking websites classified as 'adult content').
We installed the application, began monitoring network traffic, and started the the initial account setup process. Immediately we noticed that none of communications between the application and its back-end API were encrypted. All account setup information (including our chosen password), websites visited and search queries were being transmitted back to MOIBA's servers in plain-text, meaning this activity would be plainly viewable by any interested (and potentially malicious) parties that happen to be on the same network as a device running Smart Sheriff.
Unfortunately the problems were not limited to just data transmission, as we were able to uncover server-side flaws as well. A Smart Sheriff administrative console (accessed via a desktop web browser) that allowed parents to set application usage limits on a child's device required no authentication and was accessible simply by knowing (or guessing) the phone number of a device that had Smart Sheriff installed. With access to this portion of the console, an attacker could set arbitrarily restrictive usage limits on applications, which could render them unusable until the usage limits were reverted in the console.
Many of the flaws discovered should have been immediately apparent during a security audit prior to release. However, it’s clear that the Korean Communications Commission decided to forego even a cursory security evaluation before recommending the product for use. This is particularly troublesome, given a government recommendation carries a significant amount of weight, and may leave users with a false sense of security.
The researchers who evaluated the application followed responsible disclosure practices before discussing the flaws publicly, and MOIBA has stated that all of the reported issues have been fixed, though this has yet to be independently verified. For the full report, visit this link: https://citizenlab.org/2015/09/digital-risks-south-korea-smart-sheriff/