Millions of parents use The Wonder Weeks to follow the development of their baby, ranking the app in the top five most popular paid services on iPhone in 2020.
However, when we investigated the app for its privacy and security protections, we found unrelated third parties were theoeretically able to access The Wonder Weeks’ baby monitor server.
Shockingly, the server was also being used by gamers playing Minecraft, who could in theory – alongside others – have snooped on the baby monitor feeds due to poor security protections in place.
After we contacted The Wonder Weeks, it addressed our findings and we have no firm evidence that real users’ data was exposed. However, we’re concerned that this happened in the first place on such a popular app used by parents.
Health and wellbeing apps can be useful, but they must also be set up to protect your privacy and security. We also assessed other baby and fertility apps, including Flo, Clue, Emma’s Diary and BabyCentre. Read on for our full report.
WARNING: The below image features symbols that could be offensive to some people.
Baby monitor reviews: browse smart baby monitors that have been rigorously tested, including how they protect you from hackers.
The Wonder Weeks app and ‘Nazi’ symbols in Minecraft
Working in collaboration with security research consultancy 6Point6, we assessed the privacy and security protections in a range of pregnancy and parenting apps.
During our testing of The Wonder Weeks, we found what appeared to be a critical vulnerability with the HD Wi-fi baby monitor service being offered to app users for an additional monthly fee.
We found that a third-party company based in Bosnia and Herzegovina had administrative access to a server being used to run The Wonder Weeks baby monitor service.
We believe that this server was also being used to run another server for the popular video game Minecraft. We were concerned to find what we believed were maps created by players seeming to bear Nazi swastika symbols (see above image).
More worryingly, we believe any of these gamers could have accessed real parents’ baby monitor feeds if they had been able to guess or access a basic numeric code on the shared server.
There is no specific evidence that any baby monitor feeds or personal information was breached by the gamers.
Plus, it should be noted that in fact anyone could have accessed the baby monitor server if they had located it and guessed the weak access credentials.
What is the response from The Wonder Weeks?
Although it took us a few attempts to get in contact with The Wonder Weeks, its team eventually agreed to review our findings and verified they were correct.
Working with its app developer, the company claims to have addressed all the issues we have raised, or is in the process of doing so with more fixes coming in June 2021. With the latter, we continue to monitor the situation for developments.
The Wonder Weeks has also appointed an independent security firm to regularly run tests and assessments of its operation going forwards.
‘At the Wonder Weeks we have always been very clear: the data belongs to the parents,’ Wonder Weeks told us.
‘During our years of development we have made sure that (personal) information which is saved by the parents, is only stored on the phone or the personal cloud storage of the user.
‘Thanks to this approach no data was ever sent to our servers: our company does not own any personal data of our app-users. We truly appreciate the security scan provided by Which?.’
We asked The Wonder Weeks if our findings represent a breach of The General Data Protection Regulation (GDPR) – which also covers any data processed by third-party suppliers engaged by companies, such as for app development or server support – and so would need to be referred to the relevant data protection authority.
However, the company claimed that it was ‘confident that no user data has been impacted’.
Our other findings
Almost seven in 10 parents used a tracking app during their pregnancy, according to a Which? survey in February 2021 of 1,176 parents who gave birth in the last five years.
Period and fertility tracking apps, such as Flo and Clue, were very popular. The majority of parents found these apps very or fairly useful.
However, our research has demonstrated that it is worth being cautious before you download such services as there could be risks to your privacy or security.
For example, all of these apps let you use easily guessable passwords, such as just ‘password’, meaning your account could be at risk of hacking attacks.
None of them offer two-factor authentication (2FA), either, which if in place would help to increase your security.
Flo
What is it?
Period tracker and pregnancy app
What we found
While we didn’t find any major privacy concerns with the Flo app, we did find a concerning security hole with one of Flo’s websites. While this might not lead to data on users being exposed, any security vulnerability should be dealt with promptly by companies to avoid the risk of a data breach.
What Flo told us
We contacted Flo about our findings but it did not come back to us.
Should I download it?
Our findings related to the Flo websites, not the app, so you can download it to your device. Do set a strong password for your account though, so that it can’t be hijacked (see more on that below).
Clue
What is it?
Period and ovulation tracking app.
What we found
The Clue app and associated websites didn’t have any privacy issues, such as using lots of cookies to track you. However, we did find a potential security hole in a Clue website. Again, vulnerabilities like this should not be left open so that they can be targeted by hackers.
What Clue told us
Unfortunately, Clue did not respond to our findings.
Should I download it?
The Clue app appeared to be fairly well built, so you can download it and not worry too much about your security or privacy. Again, always set strong passwords for your accounts.
BabyCentre
What is it?
Pregnancy tracker and baby development calendar app
What we found
Using our assessment tools, we detected four potentially vulnerable web services being operated by BabyCentre. We won’t list any technical details here as we don’t want to put any users at risk from cybercriminals.
What BabyCentre told us
BabyCentre didn’t reply when we contacted the company, so we were unable to get the issues we found verified or fixed.
Should I download it?
Just like Flo and Clue, there wasn’t much concern found with the app, so feel free to install it. You might want to be wary about how much data you are sharing with the company, however, due to the unaddressed security issues we found.
Emma’s Diary
What is it?
Baby and pregnancy advice app.
What we found
Cookies are digital tags used by websites to improve performance, but they also track you for other reasons, including marketing. When visiting the Emma’s Diary website we found a total of 119 cookies being used. Four were what we deem to be necessary cookies, but 14 cookies were used to track you.
In this process, when you visit a website your browser is uniquely identified and data can then be used to monitor what you do, sometimes even when you navigate to other websites with the same tracking cookies being used.
We found that 29 being operated on the Emma’s Diary website were from third parties. By contrast, Clue only operated 34 cookies in total, with just five believed to be used for tracking you.
What Emma’s Diary told us
While the Emma’s Diary app does accept weak passwords, the company told us that it has protections in place to stop accounts from being hacked. It disputed our cookies findings but did admit that 44 cookies were being used for marketing.
However, it claimed that the only third-party marketing cookie in use on its website was for nappies brand Pampers, and that this did not use any personal information on users.
Should I download it?
Although we disagree with some claims given directly to us, Emma’s Diary does appear to have considered security and privacy. As we didn’t find too many issues with the app, you can download it if you are keen to use the features.
How to stay safe when using baby apps
Health and wellbeing apps, such as those to help with fertility or pregnancy, can be useful additions to our lives, but only if they are built with security and privacy in mind.
In January 2021, we assessed the protections in more than 30 different health apps, including baby and pregnancy services. You can read more about our findings here.
If you’re considering downloading a health app, or if you already have one on your phone, follow the below advice to increase your security and privacy.
- Set strong passwords Far too many services accept weak passwords when setting up accounts, including ‘password’. Always use a strong password, potentially a string of three random words. Or better still, use a password manager.
- Two-factor authentication Although none of the apps featured here offered it, two-factor authentication (2FA) can be useful in adding more security to your online accounts. Amazon, Google and Microsoft all offer it, but many companies don’t.
- Permissions Whether it’s your calendar, photos, or location, app developers shouldn’t request access to any part of your device or data unless they really need it. Check what each app wants and ask yourself, am I really happy to grant this? If the answer is no, deny it.
- Privacy policies We used teams of lawyers to analyse the privacy policies of the health apps, and it was often unclear what the policies were and weren’t saying. We’d advise you to consult the sections on data collection. See what they say about sharing your data with third parties. If it sounds a bit iffy, it’s probably best to avoid the service.
- Care what you share Whether you’re downloading an app or setting up an account, consider carefully whether you really need to share the information being requested. It can help to have a dedicated email account purely to sign up to services, and if you are making a payment, only save your credit card details if you plan to regularly use the service.
source https://www.which.co.uk/news/2021/06/popular-baby-monitor-app-put-privacy-at-risk/