With Screen Time for Kids, parents can monitor their child’s smartphone and restrict its use. Unfortunately, the app does not perform well when it comes to data protection: all data from the monitored device ends up with the provider, the user account is poorly secured and Facebook is busy tracking in the app.
What is Screen Time for Kids?
With the app “Screen Time for K >What else are there on apps? Click here for our large overview of parental control apps.
Parents can then monitor their children’s smartphone use from their own device. Not only can you monitor which app your child is using at what time and for how long, but you can also limit whether and how long the different apps or the device can run every day.
This full functionality is part of the premium version. After two weeks of testing, 4.50 Euro per month is due. The basic version with limited functionality is available free of charge.
The app is offered by Screen Time Labs Ltd, based in Bristol, Great Britain. There is Screen Time for Kids for Android and iOS.
Our test at a glance
All information provided by the app about the child’s use of the device ends up on the provider’s servers. For example, which app is used for how long and possibly also the location of the child.
To allow the supervisor to remotely control the child’s app, all settings are also routed through the main service servers. For example, what times of use you have set.
This communication is transport encrypted, but not end-to-end encrypted. Therefore, the provider has full access to this information – including the messages that parents and children send each other via the app.
Even with the best intentions of the provider, this always carries the risk that the information may fall into the wrong hands due to errors or attacks. The past shows that this possibility is quite realistic: In the last two years alone, data leaks have become known to seven providers of monitoring apps.
The access data for the user account in which the app can be managed are stored unencrypted on the monitored device. With some technical know-how, you can read out these access data for app management if you get your hands on the device unlocked. A gross blunder of craftsmanship that should not happen when dealing with children’s sensitive data.
The app integrates a tracker from Facebook that reads the advertising ID from the device. Facebook learns that you are using Screen Time and links this information to your own Facebook profile. Even those who do not have a Facebook profile may be identified by Facebook under certain circumstances, as many apps integrate Facebook as an analysis service.
The sophisticated time management of the app works well and can help to enforce previously made agreements. The monitoring function of the app, however, represents a violent invasion of the child’s privacy. In addition, there is a risk that sensitive data from children will fall into the wrong hands. In our opinion, Facebook has lost absolutely nothing in an app for children.
We therefore cannot recommend Screen Time for Kids.
Our test in detail
The technical analysis was carried out by IT expert Mike Kuketz.
What permissions does the app require?
The app requires permissions that are plausible for a “monitoring app” but still far-reaching. On the child’s device the app needs among other things:
- Administrator rights (device management): Protects the app from being uninstalled, allows you to set a lock screen, for example to lock the device.
- Device and app history (access to usage data): to determine if and how long other apps are running.
- Location: This permission is optional and can be denied.
On the monitor’s device, the appropriate parent app requires access to the address book, among other things, during installation. But you can deny it.
Where does Screen Time for Kids connect?
All communication is TLS encrypted. The provider waives additional security through cert pinning.
screentimelabs.appspot.com (main service): After the start the app does not contact the server. Only during the personalization of the app the following information will be transmitted:
- Country, state and city
- set language (en)
- E-mail address and password
- the name and date of birth of the child
- Names of all apps installed on the device
After the adaptation of the restrictions will be transmitted:
- Selected bed time, e.g. 8 p.m. to 7 a.m.
- The names of the locked apps
- Fixed total useful life per day
- Fixed total usage time of each app
At regular intervals:
Facebook: Immediately after the start of the app and at recurring intervals, the following information, among others, will be transmitted:
Note: This data is transmitted to Facebook at regular intervals – regardless of whether you have an account there or not.
AppMeasurement: App-Measurement belongs to Google and is a free tool for user analysis in iOS and Android apps.
During the use is transmitted among other things:
Note: Further information or data transmissions are additionally encrypted and cannot be viewed.
Google FCM: FCM is a Google push message service. Transferred:
- Various own identification numbers
- App name and version
Kissmetrics.com: Kissmetrics is a Californian analysis service that tracks user behavior within apps. Transferred:
- Various own identification numbers
- All menu items that the user opens in the app are transferred.
How secure does the app store my data?
The account data is stored in plain text on the device – both the user name (e-mail address) and the password. The parent security PIN is also stored in plain text in the file.
This is a gross handicraft blunder, which should not happen especially when dealing with sensitive data of children. Because with some technical know-how, you can read out the access data for app management from the child’s device if you can get your hands on it unlocked. Unless the supervisor has completely blocked the file app.
Unfortunately, the explanation is only partially available in German and also refers to the Screen Time website. That Facebook gets data from the app is not mentioned.