Some “unofficial” parental control apps have excessive access to personal data and hide their presence, raising concerns about their potential for unethical surveillance as well as domestic abuse, according to new research from UCL and St. Pölten UAS, Austria.
According to some sources, up to 80% of parents use apps to protect their children’s safety, security and privacy. Once installed on a smartphone, they can offer various functions from restricting how long users can spend online and what content they can see, as well as activity monitoring and location tracking.
The study, published in the Proceedings on Privacy Enhancing Technologies, is the first to compare ‘official’ parental control apps available in the Google Play Store and “sideloaded” or “unofficial” parental control apps available from other sources.
It compared 20 sideloaded parental control apps to 20 apps available on the Google Play Store, looking at privacy policies, Android package kit files (used to distribute and install Android apps), application behavior, network traffic and application functionalities.
The team found that sideloaded apps were more likely to hide their presence from the phone user, a practice that is prohibited on official store apps. They also required excessive permissions (rules governing what apps can and cannot access on the phone), including “dangerous” permissions such as being able to access personal data, like precise user location, at all times.
Additionally, three sideloaded apps transmitted sensitive data unencrypted, half lacked a privacy policy and eight out of 20 were flagged for potential stalkerware indicators of compromise.
Dr. Leonie Tanczer, senior author of the study from UCL Computer Science, said, “Parental control apps are a popular way of helping to keep children safe online and in person, and can be useful tools for parents to help navigate the dangers that children are exposed to in today’s world.
“But the results of our study highlight that many sideloaded apps have serious issues around privacy, consent and even safety. For example, if an app tries to hide its presence on a user’s device, it is no different from stalkerware.
“Once you start removing the safeguards that official store apps are required to have, it is a slippery slope from legitimate use to unethical surveillance or, in extreme cases, domestic abuse.”
Obfuscation of sideloaded apps (upper left to lower right): AnyControl, MoniMaster, Spapp Monitoring, uMobix, FlexiSpy and Hoverwatch. © Proceedings on Privacy Enhancing Technologies (2025). DOI: 10.56553/popets-2025-0052
The researchers observed multiple concerning behaviors of sideloaded parental control apps that they say are inappropriate for apps being marketed as child safety tools. For example, the apps included functionality to intercept messages from dating apps, such as Tinder.
The ability to take screenshots remotely, see call logs, read messages and even to listen in to live calls was also included in many sideloaded apps.
The researchers noted that a backlash against apps being marketed to catch cheating spouses, for example, has seen developers switch to marketing apps as parental control tools instead.
Ms Eva-Maria Maier, first author of the study from St. Pölten UAS, said, “The key issue with the extensive functionality of these unofficial apps is consent. If a parent has an open, transparent relationship with their child, they shouldn’t need to hide them on their child’s phone or have access to so much private information.
“This raises serious questions about whether children are aware how they’re being tracked, and how this impacts their privacy and rights.
“Even if parents think that they have their child’s best interests at heart, there are risks to gathering so much personal information when mass data breaches occur so frequently.”
In 2015, the developer of the mSpy app was hacked and had tens of thousands of customer records leaked online, which included the personal data of children. In 2024, customer service records from mSpy were also leaked online, shedding light on how customers were using the apps, which included spying on partners suspected of cheating. mSpy is a sideloaded app and is currently marketed as parental tracking software.
Dr. Lukas Daniel Klausner, an author of the study from St. Pölten UAS, said, “Children’s rights vary from country to country, but in the European Union children under 16 don’t have to give their consent for a parent to install a parental control app on their device. Even though children over 16 do have to give consent, in reality the parents are often the ones purchasing and setting up devices and apps, so I suspect consent is not always being given. This situation also implies that children frequently lack access to and autonomy over their data collected by monitoring apps, as they are not the owners of the device or account.
“These apps and many aspects of online culture are relatively new, they’re not problems that parents had to navigate a generation ago. I think there’s an urgent need for public discussion about the availability of these apps, how they are being used and how they should be used from an ethical perspective.”
In the UK, children can give consent for their personal data to be processed at age 13 under GDPR rules.
More information:
Eva-Maria Maier et al, Surveillance Disguised as Protection: A Comparative Analysis of Sideloaded and In-Store Parental Control Apps, Proceedings on Privacy Enhancing Technologies (2025). DOI: 10.56553/popets-2025-0052
Provided by
University College London
Citation:
Unofficial parental control apps put children’s safety and privacy at risk (2025, March 13)
