Australian School Apps Audit Exposes Major Data Risks for Children

Only one in four apps did what their privacy policies said they would. A UNSW-led cyber security audit of nearly 200 educational apps reveals significant privacy flaws, with data harvesting beginning before students even interact with screens.

• Systematic Data Harvesting Before Student Interaction

• Widespread "Policy Distortion" and Unreadable Privacy Terms

• The "Illusion of Safety" in Child-Centric Branding

Sydney - A comprehensive audit of nearly 200 school-endorsed applications has revealed that the majority begin harvesting sensitive student data within seconds of being opened, often in direct contradiction to their own privacy policies.

The research, led by the University of New South Wales (UNSW) Institute for Cyber Security, suggests that the digital transition in Australian classrooms, from kindergarten upwards, is being built on a foundation of institutional trust that researchers describe as largely unwarranted.

The study analysed approximately 200 Android apps sourced from state Department of Education recommendation lists and the Google Play Store.

The findings highlight a significant gap in oversight between education departments, developers and regulators.

The data shows that 89.3% of the apps began transmitting device identifiers and location metadata to third parties before a child had even touched the screen.

"Even if you are not interacting with the app, you just open it and that’s it, it is still transferring lots of data," said Dr. Rahat Masood, a lead cyber security expert at UNSW.

"Despite just opening the app and not using any educational feature, it is still transferring a lot of information that is sensitive and can actually identify your device," she said.

The audit also exposed a readability crisis regarding privacy documentation. The research found that 97% of the apps’ privacy policies required university-level literacy or higher to comprehend, leaving the average parent unable to provide informed consent.

Furthermore, the study found that only one in four apps behaved in a manner consistent with their stated privacy promises.

In several instances, apps marketed as "Data Not Collected" were observed initialising tracking tools such as Firebase and Facebook SDK immediately upon launch.

"Nobody will understand these terminologies and jargon," Dr. Masood stated. "Comprehension, readability, understandability, all these metrics that we analysed were all very bad."

Perhaps most concerning is the finding that apps specifically branded for children, using terms like "Kids," "Preschool" or "ABC", were frequently less secure than general-audience titles.

The researchers termed this the "illusion of safety," where child-centric marketing cultivates parental trust without providing technical protection.

The study revealed that 76% of child-targeted apps showed some form of policy distortion, often embedding the same advertising trackers used to follow adults across the internet.

"Teachers don’t know anything," Dr. Masood noted, highlighting the lack of resources available to educators.

"They are out of resources, first of all, and they don’t know about any security issues. They were just given an app to use and that’s it," she said.

Beyond privacy, the audit identified technical vulnerabilities, with nearly 80% of apps containing hard-coded secrets, such as API keys and passwords embedded directly into the code.

The practice allows anyone who decompiles the application to potentially access sensitive systems.

The UNSW team is currently developing a "traffic light" system to help parents quickly assess an app’s security profile.

However, they argue that individual tools are not enough to solve a systemic failure.

The researchers are calling for federal regulators to prohibit idle telemetry (data transmission that occurs before user interaction) and to mandate that privacy policies be written in plain, accessible language.

"The federal government and education departments [must be] well aware of the security and privacy risks," Dr. Masood concluded.