Creating secure applications for children

Designing award-winning applications for children doesn’t just mean engaging graphics and interactive audiovisuals; built-in cyber security controls and data protection are critical.

When the COVID-19 global pandemic broke out, the whole world had to turn to digital modes to continue working, networking and socializing, especially when the lockdowns were imposed. Schools also began conducting online classes, and children’s screen time witnessed a dramatic increase. This was over and above the time that children already spend online on various platforms and websites for gaming, entertainment and social media.

It has been estimated that children aged between 8 years and 18 years spend upwards of seven hours online. This makes them prone to cyberbullying, and they can also become easy targets for cyber predators. They are also unaware of phishing and cyber security best practices, so they are susceptible to sharing private information that could fall into the hands of nefarious actors.

Given the risks involved, there are several inherent challenges in designing apps for children that app developers must overcome to ensure that the data is secure and private, without compromising on the user experience.

Challenges in creating secure applications for children

Organizations and app development teams must understand the various risks involved before releasing any public-facing app for children. Designing an award-winning app for children does not only mean using engaging and interactive audio and visuals; protecting all data related to its users is also vital. Some of the challenges of creating secure apps, especially for children, are:

· Secure and intuitive user interface and experience

The process of developing apps is usually complex; it gets more complicated when the target market is children below the age of 16 years. From the application standpoint, ensuring the user interface and user experience are simple, secure and intuitive is the predominant challenge. The app development team and the organization have to recognize children as spontaneous and intelligent, with an exceptional ability to learn new things.


· Simple privacy policy

Privacy policy statements are filled with legal terminology, which is difficult enough for most adults to understand. When these policies are being drafted for children’s applications, the app developers and organizations must ensure that they are simple and easily comprehensible. These policies must also clearly state when an adult is needed.  

The information and data about children should be considered sensitive, and the privacy policy should state explicitly how securely they will be stored and handled.

· Uncompromising adherence to compliances

The other major challenge is adhering to the necessary compliance requirements and policies with regard to children’s data. Though there seem to be no specific guidelines pertaining to the protection of children’s data in India, many app developers and organizations fall back on the European Union’s General Data Protection Regulation (GDPR).

The EU’s GDPR clearly states that organizations and app developers must obtain the consent of parents or guardians before processing children’s data. This is to ensure that no one can manipulate the data and that no one with malicious intent can access the sensitive data.

Best practices for app developers when creating applications for children:

· Plan for cybersecurity right from the start

Most app developers and organizations rush to release the app and, as a result, focus on creating the best user experience and functionality. Little thought is given to data privacy and security – currently, with no laws in place, corrective action is considered and taken only after data has been exploited. This is mainly due to the lack of mandatory regulations and laws like the EU’s GDPR.

Once stringent laws and regulations are in place, data privacy and security will become mandatory. Organizations and app developers will have to take into account data privacy and security from the beginning. It is best if this is part of the planning for development, and included in the product roadmap and budget. It is also important to ensure an audit or review by a third party.

· In-built security controls

Unless there is a paid subscription, a majority of gaming and entertainment applications include in-app purchases or payment transactions. However, there is very little monitoring of who is performing these transactions, or of whether the purchaser is actually a child or an adult. Such situations could pose serious cyber security threats, especially in the case of public-facing children’s applications.

To overcome such risky situations, app developers can build in security controls such as multi-factor authentication, mandatory manual intervention before each transaction, and filtering mechanisms based on the age of the user.
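The three controls listed above can be combined into a single purchase gate. The following is an added example written for this article, not Entersoft’s code or any app’s real implementation: a guardian consent record must be on file before any purchase is considered, an age rating on each catalogue item filters what a child can buy, and every transaction needs a one-time confirmation code that is delivered to the guardian out of band and can be used only once. Class and field names, the five-minute code lifetime and the sample guardian and item data are all constructed for illustration.

```python
"""Added example: an in-app purchase gate for a children's app.
Not Entersoft's code; names, data and the code lifetime are assumptions."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a guardian confirmation code is valid for five minutes


@dataclass
class Guardian:
    guardian_id: str
    contact: str            # where the one-time code is delivered (e-mail, SMS, ...)
    consent_verified: bool  # verified parental/guardian consent on file before any processing


@dataclass
class ChildProfile:
    child_id: str
    age: int
    guardian: Guardian


@dataclass
class CatalogItem:
    sku: str
    price_cents: int
    min_age: int  # age rating used by the filtering mechanism


def _code_digest(txn_id: str, code: str) -> str:
    # Only a digest of the code, bound to its transaction id, is kept server-side
    return hashlib.sha256(f"{txn_id}:{code}".encode()).hexdigest()


class PurchaseGate:
    """Every purchase passes three checks: consent on file, age filter, then
    manual confirmation by the guardian with a single-use, expiring code."""

    def __init__(self, send_to_guardian):
        self._send = send_to_guardian  # callable(contact, message): out-of-band delivery
        self._pending = {}             # txn_id -> (digest, expires_at, child_id, sku)

    def start_purchase(self, child: ChildProfile, item: CatalogItem, now=None):
        now = time.time() if now is None else now
        if not child.guardian.consent_verified:
            return None, "denied: no verified guardian consent on file"
        if child.age < item.min_age:
            return None, f"denied: {item.sku} is rated {item.min_age}+"
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = (_code_digest(txn_id, code), now + CODE_TTL_SECONDS,
                                 child.child_id, item.sku)
        price = f"{item.price_cents / 100:.2f}"
        self._send(child.guardian.contact,
                   f"Approve purchase of {item.sku} ({price}) with code {code}")
        return txn_id, "pending guardian confirmation"

    def confirm(self, txn_id: str, code: str, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(txn_id)
        if entry is None:
            return False, "denied: unknown or already used transaction"
        digest, expires_at, child_id, sku = entry
        if now > expires_at:
            del self._pending[txn_id]
            return False, "denied: confirmation code expired"
        if not hmac.compare_digest(digest, _code_digest(txn_id, code)):
            return False, "denied: wrong confirmation code"
        del self._pending[txn_id]  # single use: the same code cannot be replayed
        return True, f"approved: {sku} for {child_id}"


if __name__ == "__main__":
    # Constructed walk-through: a 9-year-old, a consenting guardian, two items
    outbox = []
    gate = PurchaseGate(lambda contact, msg: outbox.append((contact, msg)))
    child = ChildProfile("child-1", 9, Guardian("g-1", "guardian@example.com", True))
    print(gate.start_purchase(child, CatalogItem("teen-pack", 499, 13), now=1000.0))
    txn, status = gate.start_purchase(child, CatalogItem("coins-100", 199, 3), now=1000.0)
    print(status, "->", outbox[-1])
    print(gate.confirm(txn, outbox[-1][1].split("code ")[1], now=1010.0))
```

The gate returns a reason string for every refusal so the app can log the decision without exposing the code, and the confirmation code itself never leaves the guardian’s channel: the server keeps only its digest and deletes the transaction after one successful use or on expiry.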

· Using AI, ML, and NLP effectively

Given the potential cyber security threats and risks, app developers and organizations must go beyond current practices: exploit Artificial Intelligence and Machine Learning, use Natural Language Processing (NLP) for word predictions, develop algorithms for pattern detection, and alert the guardians or parents in case of any deviation. For organizations and app developers, AI and ML can be used to detect anomalies, provide insights, give feedback to the backend teams and report incidents to law enforcement, if required. If these security controls are built in, organizations and app developers can build far safer apps for children.
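Pattern detection and deviation alerts do not have to start with a trained model. As an added example, not Entersoft’s code, the block below shows the two simplest building blocks of what the paragraph describes: a per-child screen-time baseline from which unusual days are flagged by z-score, and regular-expression pattern detection on outgoing messages that raises a guardian alert when a phone number, e-mail address or street address is about to be shared. The sample daily minutes and chat messages are constructed, and the seven-day baseline and 2.5 threshold are assumptions; the alert records only the kind of data detected, never the data itself.

```python
"""Added example: baseline deviation and PII pattern detection that feed
guardian alerts. Not Entersoft's code; thresholds and sample data are assumptions."""
from dataclasses import dataclass
import re
import statistics

# Patterns for data a child should not be sharing in chat (constructed, not exhaustive)
PII_PATTERNS = {
    "phone_number": re.compile(r"\b(?:\+?\d[\s-]?){9,14}\d\b"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+\s+(?:street|st|road|rd|avenue|ave|lane|ln)\b", re.IGNORECASE),
}


@dataclass
class Alert:
    child_id: str
    kind: str    # "usage_anomaly" or "pii_shared"
    detail: str  # human-readable, without the detected data itself


def pii_findings(text: str):
    """Return the sorted names of PII patterns found in an outgoing message."""
    return sorted(name for name, pattern in PII_PATTERNS.items() if pattern.search(text))


def usage_anomalies(daily_minutes, baseline_days=7, z_threshold=2.5):
    """Flag days whose screen time deviates from the child's own baseline.
    The first `baseline_days` entries form the baseline; returns (index, minutes, z)."""
    base = daily_minutes[:baseline_days]
    mean = statistics.mean(base)
    sd = statistics.pstdev(base) or 1.0  # a perfectly flat baseline must not divide by zero
    flagged = []
    for i in range(baseline_days, len(daily_minutes)):
        z = (daily_minutes[i] - mean) / sd
        if abs(z) >= z_threshold:
            flagged.append((i, daily_minutes[i], round(z, 2)))
    return flagged


def build_alerts(child_id, daily_minutes, outgoing_messages):
    """Combine both detectors into the alerts a guardian would receive."""
    alerts = []
    for day, minutes, z in usage_anomalies(daily_minutes):
        alerts.append(Alert(child_id, "usage_anomaly", f"day {day}: {minutes} min online (z={z})"))
    for message in outgoing_messages:
        kinds = pii_findings(message)
        if kinds:
            # Report what kind of data was detected, not the message content
            alerts.append(Alert(child_id, "pii_shared", ", ".join(kinds)))
    return alerts


if __name__ == "__main__":
    # Constructed sample: seven ordinary days, then one four-hour day
    minutes = [60, 70, 65, 75, 60, 70, 65, 70, 240, 65]
    messages = ["gg that was fun", "call me on 555-123-4567 ok",
                "my email is kid@example.com", "I live at 12 Oak Street"]
    for alert in build_alerts("child-1", minutes, messages):
        print(alert)
```

In a real app the message check would run before the message is sent, so the child can be prompted and the guardian notified, and the baseline would be recomputed as the child’s history grows; the z-score here is a stand-in for whatever model the team eventually trains.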

· Use compliances to stay on the safe side

Given that data protection laws in India are yet to be enforced, organizations could well model their protections on the industry standards used in other countries. In the absence of laws and guidelines, organizations could follow those enshrined under the EU’s GDPR, Data Protection Act, etc. to either have in-built security controls or define their own best practices.

· Refer to OWASP Top 10

Some security best practices come from standards such as the Open Web Application Security Project’s OWASP Top 10 and the National Institute of Standards and Technology (NIST). The OWASP Top 10 was updated in 2021, and design-level security best practices have now been defined. If the security controls specified under these guidelines and standards are put in place, the public-facing app will be truly secure, irrespective of its target audience.

· Create awareness among parents and guardians

It’s recommended that parents and guardians actively inform and educate themselves on the online habits and explorations of their children. Caregivers also have the responsibility of raising awareness among children about the risks involved in sharing sensitive data along with how best to protect themselves when using public-facing apps.

Rely on an expert like Entersoft

Entersoft, a leading application security provider, is helping businesses across the fintech and blockchain technology sectors secure their apps through future-ready solutions. Entersoft can help app developers and organizations better understand their risks and threat factors while defining means of safeguarding their applications.

The best way to build secure apps is to start from the design stage itself, as a simple penetration test on an app is not enough to understand all inherent risks. This is where Entersoft’s services come into play. 

The first step is to understand the business purpose, usage of the app, why the specific age group is being on-boarded, and the region-specific laws and compliances that need to be adhered to.

The second step is to understand the revenue models, and the primary location of operation for the app, undertake a review of the privacy policy statement, and identify the vulnerabilities. It is not a simple security audit, but a thorough and comprehensive gap assessment and analysis. Entersoft, as a security vendor, also recommends periodic audits to rule out any infiltration, or misuse of secure data.