Photo by Amelia Holowaty Krales / The Verge

According to a new research, popular daycare and childcare communications apps are dangerous and expose children and parents to the risk of a data breach.

On Tuesday, the results of a months-long research project were published by the EFF.

According to the research conducted by EFF, popular apps like Brightwheel, HiMama, and Tadpoles lack two-factor authentication, meaning that any malicious actor who was able to get a user's password could log in. Data sharing with Facebook and other third parties, as well as other privacy-compromising features, were not disclosed in privacy policies.

Brightwheel claimed to be the first in the early education industry to add 2FA after being contacted by the EFF. The additional security feature has not yet been implemented, despite the fact that HiMama promised to pass on the feature request to the design team. It's not known if Tadpoles wants to implement 2FA.

Network traffic analysis shows the Tadpoles app sending user event data to Facebook.
Image: EFF

When she decided to enroll her two-year-old daughter in daycare for the first time, she began researching the privacy and security settings of various daycare apps. She told The Verge that she initially enjoyed using the app to get updates about her daughter, but became concerned about a lack of security given the potentially sensitive nature of the information.

It was comforting to see my daughter during the day with the images they were sending me. I didn't see security controls that I would normally see in most services like this.

She was surprised to find a number of easily fixable errors after using a range of tools to analyze the application code and investigate network calls being made by each of the childcare apps.

There are a few apps that have tracker in them. The vulnerabilities that I found were very easy to fix. Low hanging fruit.

“I found vulnerabilities that were very easy to fix as I went through some of the applications. Really just low hanging fruit.”

There are serious flaws in applications that are used to keep children safe. For years, researchers have raised concerns over security weaknesses in baby monitor apps and associated hardware, with some of these weaknesses being used by hackers to send messages to children. More than two-thirds of the apps that will be used by children send personal information to the advertising industry, according to a survey.

She hopes that reporting on these privacy and security flaws will lead to better regulation of child-focused apps.

She said it made her more afraid for her child. I don't want her to have a data breech before she's five. I am doing everything I can to prevent that from happening.