SEOUL, South Korea – The most widely used child surveillance app in South Korea has been pulled from the market after security specialists raised serious concerns about the program’s safety.
Moon Hyun-seok, a senior official at the Korea Communications Commission, told The Associated Press that “Smart Sheriff” has been removed from the Play store, Google’s software marketplace, and that existing users are being asked to switch to other programs.
The government plans to shut down the service to existing users “as soon as possible,” he said.
Smart Sheriff’s maker, an association of South Korean mobile operators called MOIBA, declined comment.
Smart Sheriff’s disappearance is a blow to South Korea’s contentious effort to keep closer tabs on the online lives of its youngest citizens. Less than a year ago, the government and schools sent letters to students and parents to encourage them to download Smart Sheriff.
While security was one of the reasons that led to the removal of Smart Sheriff, the KCC official said the regulator had decided earlier this year to suspend the app at the end of December. The faster-than-expected availability of free monitoring apps from private companies prompted the regulator to remove the app two months sooner than scheduled, he said.
A law passed in April requires all new smartphones sold to those 18 and under to be equipped with software which parents can use to snoop on their kids’ social media activity. Smart Sheriff, the most popular of more than a dozen state-approved apps, was meant to keep children safe from pornography, bullying and other threats, but experts say its abysmal security left the door wide open to hackers and put the personal information of some 380,000 users at risk.
Pulling the plug on Smart Sheriff was “long overdue,” said independent researcher Collin Anderson, who worked with Internet watchdog group Citizen Lab and German software auditing firm Cure53 to comb through the app’s code.
In a pair of reports published in September, Cure53 described the app’s security as “catastrophic.” Citizen Lab, which is based at the University of Toronto’s Munk School of Global Affairs, said the problems could lead to a “mass compromise” of all users.
MOIBA said in response then that the vulnerabilities had been dealt with in the six weeks preceding publication of the reports. But the researchers said in new reports published Sunday that the fixes were mainly cosmetic. Anderson said they were “akin to putting a lock on a few of the doors but then leaving the keys to the locks outside.”
Mario Heiderich of Cure53 said it wasn’t his place to say whether it was right to mandate the installation of monitoring apps on children’s phones. But he said Smart Sheriff’s implementation of the surveillance was disastrous.
“If you are going to do it at all, you have to do it right,” he said. “And this was not done right at all.”
Anderson said there was no guarantee that the other monitoring apps didn’t also have security issues.
If the government requires its citizens to use specific programs, citizens should demand more transparency and more information from the government as well as from the companies that create the apps so that anyone can audit the programs, said Ronald Deibert, director at The Citizen Lab.
Satter reported from London.
Citizen Lab report on Smart Sheriff: https://citizenlab.org/2015/11/smart-sheriff-update
Cure53 report on Smart Sheriff: https://cure53.de/pentest-report_smartsheriff-2.pdf