Study finds “serious security risks” in K-12 school apps

Many apps used by schools contain features that can lead to the “unregulated and out of control” sharing of student data to advertising companies and other security issues, according to a report published Monday by the nonprofit Me2B Alliance.

The report follows up on research published by the group in May, which audited 73 apps used by 38 schools to find that 60% of them were sending student data to a variety of third parties. Roughly half of them were sending student data to Google, while 14% were sending data to Facebook.

In the update, Me2B specifically looked at the use of a common feature called “WebView,” which allows developers to integrate web pages into apps. Although the feature allows schools to include dynamic details—like calendars and results of sporting events—in apps without having to update the app itself, it can lead to the siphoning of student data and, in particularly bad cases, students and parents being targeted by scams.

For example, on several occasions the researchers observed the hijacking of web pages linked to by school apps, leading users to malicious sites. An app used by Maryland’s largest school district accidentally directed users to a compromised site that once was used for the district’s sports teams. The Quinlan, Texas school district had a sports domain integrated into its app that was purchased by an unknown actor for $30 before anyone took action—a security threat that’s sometimes called a “dangling domain.”

Cybercriminals and scammers regularly scan for expired URLs and use them for business email compromise schemes, phishing attacks, and malicious advertising campaigns. Schools might fall victim to these attacks if they forget to renew their domains, or if they stop using a domain without realizing it’s integrated into their apps for students.

“In this instance, schools seem to have just selected private domain registrars for their non-.gov domain registrations, and then merely forgot to renew the domains,” said Zach Edwards, who is in charge of data integrity testing for the Me2B Alliance. “Apparently the schools didn’t even notice they lost control of the domains until we reported the compromises.”

The report offers several recommendations to mitigate security risks highlighted in the report, including training for app administrators, creating processes at schools for keeping track of expiring URLs, requiring schools to report lost or dangling domains within a specific time, and launching a “privacy bounty program” at the US Department of Education to audit school apps.

But perhaps the fastest way to reduce these risks is to alter the way the apps work. “Apple and Google can change rules for in-app WebView links to ensure app developers can’t overrule a local device browser preference,” Edwards said.