Kids360: Getting adopted globally

SRLabs Research. Android, iOS, privacy, Application Security. 2026-06-17, 12 minute read

Lara Kaiser (@lara-kaiser), Security Expert

Key takeaways

The app collects and shares more data than disclosed, contradicting its privacy policy and Google Play Store description. Event data is sent to Facebook and AppsFlyer.

The signup and authentication flows had security issues that let us exploit the full functionality of the application, including the extraction of child information ranging from name and age to location.

Long-term access to the data was possible due to the persistent nature of the keys.

Most parents install a parental control app and hand their child a phone, confident that they are in control. What they don't know is that in doing so, they may have handed that same control to a stranger.

We investigated the parental control app Kids360 by ANKO Solutions LLC as part of a research project, interested in the handling of sensitive data regarding children. The app enables parents to restrict, direct and block their child's mobile usage, as well as track their location. Due to insecure management of signup and authentication processes, it was possible to gain access to sensitive information and locate children around the world. This security issue affected both iOS and Android.

Our work has received coverage by Die Zeit (German).

Motivation

Parental control apps like Kids360 inherently require broad permission sets to access the data requested by the parent. This ranges from location to browsing history data, requiring a variety of runtime permissions. Parents are not only able to request information about the current status of the phone but can also restrict usage and block the installation of applications. The real concern is not just the capabilities themselves, but that all this sensitive data has to leave the device at some point, passing through external servers that now know a child is on the other end.

Introduction

Kids360 is a popular parental control app, with over 10M downloads of the parent app and over 1M for the kids counterpart. This broad reach makes it a viable target for extracting extremely personal information from a large audience. The app requires a variety of permission sets, including runtime permissions tied to functionalities that are responsible for collecting data. This information is shared with the parent's mobile. Having such powerful and shareable functionality creates two important points of interest from an attacker's perspective:

Interaction with the endpoints that serve child data

Interaction with the service distributing the information

To understand the following exploit, we first need to look at how the app works in general.

The app comes in two parts. The parent installs the parent app on their mobile, accepts the necessary agreements, and is then encouraged to install the child version on the child's device. During setup on the child's phone, several permissions need to be accepted, including creating a pin code that requires the BIND_DEVICE_ADMIN permission. This pin prevents the child from uninstalling the app. Afterwards, the child is prompted to start the signup process. This flow links the parent and child devices as a family unit and can be done in two ways: either by sending a link to the child via a messenger app or, more conveniently, by entering a 6-digit pin displayed on the parent's phone.

This signup method points to a potential entry point for an attacker. As it turns out, the initial signup process relies heavily on this 6-digit pin, which is reserved for a family for one hour. Even with rate limiting in place, the pin is enumerable: the limit allows one attempt per 1.2 seconds, or 0.833 attempts per IP address per second. Over the 60-minute validity window that is 50 attempts per minute, 3000 attempts in total, or 0.3% of the 1,000,000 possible pins from a single IP address. Combined with IP rotation, we could enumerate a large portion of the pin space, only needing to hit one active pin once to gain access to a family.
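The figures above generalize into a small enumeration-budget model. The following is an added example, not SRLabs code and not the vendor's implementation; it assumes a 10^6 pin space, a one-hour reservation, a rate limit of one attempt per 1.2 s enforced per source IP only (no per-pin or per-family lockout), rotated IPs that try disjoint pins, and active pins spread uniformly over the space. Under those assumptions it computes what one IP covers, how many IPs exhaust the space inside the window, the exact probability of hitting at least one live family, and, from the defender's side, how long a decimal code would have to be to keep a given attacker budget below a chosen coverage.

```python
"""Enumeration budget for a 6-digit family-pairing pin under a per-IP rate limit.

Added example (not from the SRLabs post). Assumptions: pin space 10**6, pin
valid for one hour, one attempt per 1.2 s per source IP with no per-pin
lockout, rotated IPs try disjoint pins, active pins uniformly distributed.
"""
from fractions import Fraction
from math import ceil, comb

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS
WINDOW_S = 3600          # pin reserved for one hour (from the text)
INTERVAL_S = 1.2         # observed per-IP limit: seconds per attempt (from the text)


def attempts_per_ip(window_s: float = WINDOW_S, interval_s: float = INTERVAL_S) -> int:
    """Attempts a single IP can make before the pin reservation expires."""
    return int(window_s / interval_s)


def coverage(ips: int, window_s: float = WINDOW_S, interval_s: float = INTERVAL_S,
             space: int = PIN_SPACE) -> float:
    """Fraction of the pin space a pool of rotating IPs can try in one window (capped at 1)."""
    return min(1.0, ips * attempts_per_ip(window_s, interval_s) / space)


def ips_to_cover_space(space: int = PIN_SPACE, window_s: float = WINDOW_S,
                       interval_s: float = INTERVAL_S) -> int:
    """Rotating IPs needed to try every pin before a one-hour reservation expires."""
    return ceil(space / attempts_per_ip(window_s, interval_s))


def p_at_least_one_hit(attempts: int, active: int, space: int = PIN_SPACE) -> float:
    """Probability that `attempts` distinct guesses hit at least one of `active` live pins.

    Exact hypergeometric miss probability: C(space - active, attempts) / C(space, attempts).
    comb() returns 0 when attempts exceed the number of inactive pins, giving P = 1.
    """
    attempts = min(attempts, space)
    miss = Fraction(comb(space - active, attempts), comb(space, attempts))
    return float(1 - miss)


def min_digits_for_budget(max_coverage: float, ips: int, window_s: float = WINDOW_S,
                          interval_s: float = INTERVAL_S) -> int:
    """Defender-side sizing: smallest decimal code length such that an attacker with
    `ips` rotating addresses covers at most `max_coverage` of the space per window."""
    budget = ips * attempts_per_ip(window_s, interval_s)
    digits = 1
    while budget / 10 ** digits > max_coverage:
        digits += 1
    return digits


if __name__ == "__main__":
    print(f"attempts per IP per window: {attempts_per_ip()}")
    print(f"coverage with 1 IP: {coverage(1):.4%}")
    print(f"IPs to exhaust the space in one window: {ips_to_cover_space()}")
    for ips, active in ((1, 1), (10, 50), (100, 50)):
        n = ips * attempts_per_ip()
        print(f"{ips:>4} IPs, {active:>3} active families: "
              f"P(>=1 hit) = {p_at_least_one_hit(n, active):.3f}")
    print(f"digits needed vs 1000 IPs at 1e-6 coverage: {min_digits_for_budget(1e-6, 1000)}")
```

The model is only as good as its lockout assumption: a counter on failed attempts per pin or per family, rather than per IP, removes the benefit of IP rotation entirely, so that is the first check to make when assessing a pairing flow like this one.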

Findings

As an attack vector, we focused on extracting and altering information regarding the child. The findings are separated into two parts: the first relates to information privacy, the second to the application exploit.

The tested applications included two Android apps, Kids360: Parental Control App (v2.41.0) and Alli360 by Kids360 (v2.38.1), as well as the iOS version of Kids360 (v1.82.7). Testing was conducted on two devices, a Google Pixel 7a and a Google Pixel 6a, both running Android 16 and rooted.

Information privacy

The application vendor claims on the Google Play Store that the parent application does not send data to third parties, although during our investigation it became evident that third parties are involved. Further, we were interested in whether there are unrelated third parties that profit from the...
