How Free Kids' Apps are Becoming a Cyber Crime Risk

Joan Goodchild/CyberSavvy Mom

Have you ever offered your child an iPad to play games in order to get some uninterrupted time to cook dinner, or to do some work around the house? Many of us have. It’s common for parents to allow young kids to play games on parent-owned phones or tablets.

But a new report from security firm Rubica finds many gaming apps for kids contain significant security risks and may not be safe for use.

“As parents, we often let our kids play games on our phones and tablets, and cybercriminals know that we share devices with our kids and they exploit this,” said Rubica CEO Frances Dewing. “Kids’ games, once downloaded onto a device, can act as a gateway for malware or for sensitive personal data to be leaked out.”

That’s because free apps almost always contain advertisements and in-app purchase or upgrade options, and that is where the trouble often starts. While an adult consumer expects to be advertised to when using a free service, children are often unaware that what they are watching or interacting with is an advertisement.

“It is not uncommon for kids’ apps to contain aggressive prompts to download other apps that may be age inappropriate or unlock gates for cybercriminals to access everything from emails to banking apps,” noted the report summary.

You can read all about Rubica’s methodology for testing and ranking the apps in their free white paper on app dangers. Dewing said it is not the app itself that poses the danger, it is the secondary apps kids download as part of the game experience.

“The advertisements that pop-up during gameplay - as often as every 2-3 minutes in some cases - prompt the child to download other applications, such as puzzle games, word games, race car games, etc. Many of these secondary apps have excessive, overreaching, and even dangerous access to personal data on your device,” she said.

Deceptive tactics in free apps include offering a “prize” or enticement like “click here for a free life” to prompt the child to click and unknowingly allow the app to take an action. Often this action gives the app additional permissions on the device, or authorizes the download of another program, which can secretly gain access to information on the device. That means any sensitive information on the device could be breached.

What kind of information are these secondary apps accessing? During the research, Dewing said Rubica found puzzle games that had access to precise GPS location, the ability to see other running applications, and sensitive device history. A race car game had access to phone call information and contacts and had the ability to read and modify files on the device. A billiard game had access to “send email without owner knowledge” and was able to read and modify calendar events. These are just a few examples.

In all, researchers tested 20 primary games and were prompted to download 62 additional applications, and more than 30 percent of them had dangerous permission levels, said Dewing.

The Rubica report ranks the top 20 free mobile games aimed at children with scores that range from “safe” to “unsafe.” Among some of the rankings:

  • Sonic Dash (Sega) ranked as the most insecure with a score of 130.
  • Rolling Sky (Cheetah) ranked second most unsafe with a score of 95.
  • Fruit Ninja (Halfbrick Studios) is "not recommended" with a score of 43
  • Hot Wheels: Race Off (Hutch Games) is recommended "only with parents' supervision" and scored a 16.
  • Nintendo's Super Mario Run was given a safe score with a 0.
  • All of the game rankings are available in the Rubica report.

If you are concerned about app safety, Dewing has this advice:

1. Use parental controls…the right way: Enabling parental controls will prevent your child from downloading apps without your authorization. However, make sure the password for your parental authorization is one your child doesn’t know.

2. Check permissions: Don’t assume an app is safe. Check the permissions listed in the app store for that game before downloading, and be sure to read each permission prompt/pop-up before accepting. Use common sense, and if the app asks for permission that doesn’t seem necessary or seems invasive, then click “don’t allow” or don’t download the app at all.

3. Use a solution that detects hidden threats based on behavior. These app-based threats often hide in plain sight and aren’t detectable by antivirus or other traditional security solutions

Joan Goodchild, the CyberSavvy Mom, is a writer and editor living in Central Massachusetts. Got a question or a topic you would like to see covered here? Reach out at or follow Cybersavvy Mom on Facebook. Read more news and information on staying safe, secure and civil online at