Android Kids' Tablets Full of Dangerous Security Flaws

Credit: Goran Bogicevic/ShutterstockCredit: Goran Bogicevic/Shutterstock

Several top-selling Android tablets made for children have serious security flaws that could expose kids to malware and identity theft, a new report from a mobile security provider finds. Unpatched software vulnerabilities and hidden "backdoors" appear to be common, and some tablets even transmit childrens' names, birthdates and photos across the Internet in plain text, exposing youngsters to greater risk of identity theft.

The report, released today (Feb. 24) by San Francisco-based Bluebox, ranks the Fuhu Nabi 2 best in class out of nine tablets evaluated, yet notes that the Nabi barely scored above a 5 on Bluebox's 10-point trustworthiness scale. Two other devices, iDeaUSA's iDeaPLAY and Chromo Inc.'s Orbo Jr., each scored below 3. (Amazon's Fire HD Kids Edition was not evaluated.)

"You get what you pay for in terms of data privacy and security," the Bluebox report said, noting that some of the cheaper devices came with development builds of Android that were insecure by design. But even the more expensive models had well-known Android security vulnerabilities, and all but two used third-party app stores unauthorized by Google.

MORE: Best Android Antivirus and Security Apps

In addition to the Nabi 2, iDeaPLAY and Orbo Jr., the devices tested were the Contixo Kids 7, the iRulu Kid Pad, the Kurio 7s, the ProntoTec 7-inch WiMo, the Southern Telecom Smartab and the Sprout Channel Cubby. All were the latest models available in early 2015; all complied with the 1998 Children's Online Privacy Protection Act (COPPA), which requires parental authorization for online activities.

On each device, Bluebox researchers ran the company's own Trustable app, which scans devices for known system vulnerabilities, insecure configurations and "excessive device population" — too many apps with dangerous permissions, such as root access or the ability to send text messages.

Bluebox gave the Fuhu Nabi 2, which retails for about $140, a Trustable score of 5.3 out of 10 — and that was only after installing two system updates once  the device came of the box. (By comparison, in a November study of regular Android tablets, Bluebox gave the HTC Nexus 9 a perfect 10 and the Samsung Galaxy Tab 3 Lite an 8.6.)

Like many kids' tablets, the Nabi 2 lets parents set up multiple accounts. It becomes COPPA compliant when parents provide an email address or pay a token 50 cents, but the Bluebox researchers "noticed some odd behavior regarding the child account setup and retrieval."

For each child's account, the child's name, date of birth, gender and photo are transmitted to Fuhu's servers, which are hosted by Amazon's enterprise services, yet "the photos are stored on Amazon S3 and are not protected by any authentication or encryption," Bluebox's report says. "Basically, if you had the URL (acquired directly via network traffic analysis), you can easily grab the images."

In contrast, the iDeaPLAY tablet, which sells for about $90, got only 2.7 out of 10, less than half the Nabi 2's Trustable score, due to engineering backdoors and USB debugging being enabled, either of which could give root or administrative access to unauthorized persons. (The Contixo Kids 7 had the same issue.) On the bright side, the iDeaPLAY didn't transmit any personally identifiable information.

"The iDeaPLAY is a good example of what we typically find with cheaper tablets that ship with test builds of the Android operating system that include the Android Open Source Project (AOSP) signing key," the report said.

All nine devices were vulnerable to three well-documented Android flaws: the Futex bug, the ObjectInputStream flaw and the BroadAnywhere vulnerability. Except for the Nabi 2, each device was also vulnerable to the FakeID flaw, and the Kurio 7s and the iDeaPLAY were also vulnerable to the MasterKey flaw. All these vulnerabilities were patched by Google months ago.

The overall Trustable score for each device was: Contixo Kids 7, 4.0; iDeaPLAY, 2.7; iRulu Kid Pad, 3.9; Kurio 7s, 4.5; Orbo Jr., 2.9; Nabi 2, 5.3; ProntoTec 7 -inch WiMo, 3.9; Smartab, 4.5; Sprout Channel Cubby, 4.5.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Create a new thread in the Android Tablets forum about this subject
This thread is closed for comments
2 comments
    Your comment
  • lester424
    take a look at NABIs china made apks. It has more holes than swiss cheese. They even expose their own server keys from the log output. cmon.
    0
  • Newberrygurl
    As a Parent if you are allowing your child to sign into anything using their real name and DOB you are a Complete IDIOT! As far as the photos go.... I wouldn't allow them to take photos on a device like this. I would get them a simple Digi Camera. I don't believe tech is bad. But safety needs to be taught, tons of adults get hacked all the time Phishing emails and crap! I thought I was smart one year. Got my son walkie talkies. The Good ones 5 mi radius. Dumbest thing I could have ever done. Strangers were chatting it up with him! Never realized this would happen. Figured he and the neighbor kid would have some fun. Be careful what you let into your home.
    0