Abstract
TLDR: Common technical frameworks and app templates used by hundreds of organizations, when combined with technical weaknesses built into devices and operating systems from Google and Apple, are leading to unregulated and out-of-control student and parent data sharing to unexpected online advertising companies.
In our Spotlight Report #1 from May 2021, the Me2B Alliance Product Testing team audited and analyzed a random sample of 73 mobile applications on Android and iOS used by 38 schools in 14 states across the U.S. — apps used by at least half a million people (students, their families, educators, etc.).
The audit methodology in Spotlight Report #1 primarily consisted of evaluating the third-party code packages (also known as software development kits, or “SDKs”) included in each app, using an external database with historical data on SDKs in apps, combined with a Me2BA risk scoring process.
After publishing Spotlight Report #1, we were contacted by the Student Data Privacy Project to examine apps used by 18 schools/districts for their FERPA Complaint with the Department of Education. Our data supply testers noticed significant network traffic, well beyond the SDK channels, as well as certain legacy development tactics that relied upon in-app browsers opening websites within the apps. The hypothesis was that many of the school utility apps were using in-app WebView methods to display content, and this was, indeed, the culprit. The WebView development technique allows external websites to open within an app, without launching a separate browser (see Appendix A for an example and guidance on how to spot this technique). This process results in all of the vendors integrated into a website receiving user data in the context of the app that opened that webpage within their in-app browser. For school utility apps, this so-called “context” typically includes the name of their school, or school district. We took a closer look at the network traffic to confirm the assumption and to determine the scope and scale of this data sharing.
Within the domains in the sample, we noticed significant amounts of network traffic associated with school sports pages and discovered a vendor providing sports scores for K-12 schools across the U.S. and monetizing its “free service” with extremely aggressive advertising monetization schemes, baked right into these taxpayer-funded school utility apps.
The company providing this “free service for sports coaches” monetized with online advertising is MaxPreps.com, a subsidiary of CBS/Viacom, which is also the owner of the popular kids’ television channel, Nickelodeon.
We did not expect that our deep dive into WebView in-app browsers within K-12 school utility apps would end up requiring us to spend significant time researching a data supply chain owned by one of the largest media companies in the U.S., but we followed the data pipelines and the facts. As noted in Spotlight Report #1, in April 2021, Disney, CBS/Viacom, and about a dozen other companies were parties to the largest settlement against brokers of kids’ data in U.S. history. CBS and other parties were required to make changes to some of their products and delete certain data. Yet MaxPreps seems never to have come up in that lawsuit, it has never come up in any significant public reporting or research, and any changes to other CBS products as a result of the settlement do not appear to have made their way to MaxPreps products. While MaxPreps was never mentioned in the California settlement and the details seemingly would not have required CBS/Viacom to make changes to their subsidiary MaxPreps, it is clear that the behavior that the settlement pointed out, which CBS/Viacom agreed to stop, is similar if not worse within this subsidiary that offers free products for schools.
Our research took another unexpected turn in the course of the deep dive into MaxPreps when we came across a handful of “dangling domains.” We wrote about one such dangling domain in particular that Apple quietly purchased for $3,695 in late September 2021. The domain for sale was previously owned by a company that went bankrupt and the domain was integrated into a legacy SDK product across 159 mobile apps, with 155 of them being on Apple’s iOS marketplace, with a potential install base of tens of millions of devices.
In addition to the dangling domains, we also observed several hijacked domains leading to malicious sites. In at least one instance, we watched in dismay as a dangling domain was purchased by an unknown actor over the course of a few days. The following apps/domains fell prey to hijackers before we could intervene:
- The Santa Monica-Malibu USD Android App from Blackboard Inc. had a dangling domain of “Malibuhigh.org” – this domain still to this day hosts a fake legal website, and there could still be risks from Business Email Compromise schemes or other ways to abuse the fact that this was a real domain used by a school district in one of the wealthiest counties in the United States. Here is a Google search result showing files where this legacy domain was referenced as being valid – other government agencies communicated with this domain at different points in the past.
- Maryland’s largest school district’s Android App, also from Blackboard Inc., already lost their sports domain by the time we figured it out, with Magruderathletics (WARNING).org being compromised and still hosting malicious redirects to this very day. After the Me2B Alliance alerted Blackboard Inc., they were able to quickly remove this domain from their active mobile app, reducing some of the risks. This is also an active domain, and Business Email Compromise risks for emails that originate from this domain (i.e. “@Magxxxxathletics.org”) remain a real threat.
- The Quinlan, Texas School District had a domain that went up for sale for $30 that was integrated into their Android app, which was purchased before anyone could take action. After the Me2B Alliance alerted Blackboard Inc., the dangling domain link was removed from the app, and subsequently the Android app was pulled down from the Google Play Store.
The research we are releasing today focuses on an intensive evaluation of 11 school utility apps (from an original pool of 18 apps) made by companies that support thousands of other schools with similar app frameworks.
In short, the use of WebView in school utility apps, and the operational challenges to maintain them, create a significant channel for data sharing and also introduce serious security risks. If people using these mobile apps “can’t choose their own browser” they can’t make informed choices that empower them to block and stop some of these data transfers, which can be downright dangerous when an app for kids integrates dangling domains into WebView interfaces. If Google and Apple merely made a few changes to empower users over developers, these risks for schools, kids, parents, and administrators would nearly completely disappear.
These risks have been compounded by certain companies providing “free software for schools” that purposefully monetizes these free tools for apps and websites via data sharing and online advertising, with the new Me2B Alliance research focusing on the CBS/Viacom subsidiary called MaxPreps.com. Another way to think about this research is that we have attempted to point out a technical framework that numerous school utility apps are using, which utilizes a type of “Content Management System” (CMS) that allows school administrators to “add links” into an app without actually submitting a new version of that app to the app store – and the links being added into the apps are merely web URLs, with the web content rendering within the app’s in-app browser. These websites rendering in the apps contain advertising pixels/JavaScript code, which then collect data within the apps when opened by users, and share the access and user data with new companies – hundreds of them, sometimes more. Rarely do app privacy labels account for these data transfers, and neither the app makers, the schools, nor the vendors collecting data within those apps and WebView URLs are currently taking accountability for making these kids’ user data flows safer. We are surprised and alarmed by this “advertising for kids” architecture happening within school utility apps paid for by taxpayers, with some companies seemingly earning sizable revenues from these data pipelines. As a result, serious questions need to be asked of all the organizations participating in these schemes.
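The CMS “add links” architecture described above and the dangling-domain cases listed earlier both come down to the same audit question: which entries in an app’s link list open web content in a WebView, whose domain is each one, and does that domain still resolve? The following script is an added example, not the report’s own tooling or any vendor’s code. It assumes a hypothetical CMS export format (a list of `title`/`target` entries), uses `.example` placeholder domains and stub DNS answers so it runs offline, and treats `maxpreps.com` (the domain the report names) as a third-party host; a `live_resolver` is included for real audits.

```python
"""Audit a school app's CMS link inventory for WebView links and dangling domains.

Added example with constructed data; not Me2B Alliance / Internet Safety Labs tooling.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlparse
import socket

# Constructed sample of a CMS link export (hypothetical format: title + target URL).
SAMPLE_LINKS = [
    {"title": "Lunch Menu", "target": "app://menu"},                        # native screen
    {"title": "District Home", "target": "https://district.example/"},      # first-party
    {"title": "Athletics", "target": "http://old-athletics.example/schedule"},  # constructed stale domain
    {"title": "Sports Scores", "target": "https://maxpreps.com/"},          # third-party vendor named in the report
]

# Constructed DNS answers so the audit runs offline; old-athletics.example deliberately absent.
STUB_DNS = {
    "district.example": "203.0.113.10",
    "maxpreps.com": "203.0.113.20",
}


def stub_resolver(host: str) -> Optional[str]:
    """Offline resolver backed by the constructed table above."""
    return STUB_DNS.get(host.lower())


def live_resolver(host: str) -> Optional[str]:
    """Real DNS lookup for use on an actual link inventory; None on failure."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


@dataclass
class Finding:
    title: str
    target: str
    kind: str                      # "native" (in-app screen) or "webview" (web URL)
    host: str = ""
    issues: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Naive registrable domain (last two labels); a real audit should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_links(links, first_party: set,
                resolver: Callable[[str], Optional[str]] = stub_resolver):
    """Classify each link and flag cleartext, third-party and unresolvable hosts."""
    findings = []
    for link in links:
        url = urlparse(link["target"])
        if url.scheme not in ("http", "https"):
            findings.append(Finding(link["title"], link["target"], "native"))
            continue
        host = url.hostname or ""
        f = Finding(link["title"], link["target"], "webview", host)
        if url.scheme == "http":
            f.issues.append("cleartext")          # page content can be altered in transit
        if registrable_domain(host) not in first_party:
            f.issues.append("third-party")        # page's trackers run in the app's context
        if resolver(host) is None:
            f.issues.append("unresolved")         # candidate dangling domain: verify at the registrar
        findings.append(f)
    return findings


def summarize(findings):
    """Counts and the host lists an administrator would act on first."""
    return {
        "webview": sum(1 for f in findings if f.kind == "webview"),
        "third_party": [f.host for f in findings if "third-party" in f.issues],
        "dangling": [f.host for f in findings if "unresolved" in f.issues],
    }


if __name__ == "__main__":
    for f in audit_links(SAMPLE_LINKS, {"district.example"}):
        print(f"{f.title:14} {f.kind:8} {f.host:24} {', '.join(f.issues) or 'ok'}")
    print(summarize(audit_links(SAMPLE_LINKS, {"district.example"})))
```

An “unresolved” host is only a candidate: a domain can fail to resolve while still registered, so the next step is a registrar or WHOIS check before treating it as purchasable. Conversely, a host that resolves may already have been bought by someone else, which is the case the report describes; comparing the current registrant against the district’s records closes that gap.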
This report includes guidance on how to identify a school utility app with potentially unsafe WebView links in Appendix A, which we hope provides investigative journalists, data auditors, school administrators, parents, students, app developers, and everyone-in-between with a way to recognize when an app is opening web links.
If you’re interested in having the Internet Safety Labs take a closer look at your school’s apps, please contact us at services@internetsafetylabs.org.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/