For many families, back to school looks a lot different this year. All-virtual or partially virtual classroom setups have led to an increased reliance on mobile apps for student- and parent-teacher collaboration. In the U.S., K-12 schools that are reopening must comply with CDC guidelines to limit the spread of coronavirus, including properly notifying families of potential exposure, checking temperatures, and tracing COVID-19 cases.
With the constantly evolving status of regional coronavirus cases, most schools have been scrambling to implement new back-to-school models. In many cases, schools are opting for a fully remote or hybrid learning model. According to a survey conducted by Education Week Research, 9 in 10 district leaders say that they plan to implement some form of remote learning this school year. This means that there will be an increased reliance on education technology, including mobile apps. Additionally, some schools are requiring parents or guardians to take and report students’ temperatures daily via mobile applications.
With the need to act quickly and be nimble, many academic institutions are leveraging third-party mobile apps and may not have the expertise or time to evaluate the security of those apps before rolling them out.
The issue of mobile app security is particularly important when dealing with children’s data, including personally identifiable information (PII) and educational records. For academic institutions that are relying more heavily on mobile apps this year, there are three key security tips to keep in mind.
District-mandated security awareness training for staff, students, and parents should be a key consideration during the first half of the school year. This training can inform people on how to properly use mobile apps and online services.
Some best practices that should be part of security awareness training include using two-factor authentication to protect accounts and avoiding password reuse. According to Google, 65% of people reuse passwords across sites, which can increase the likelihood of a security breach.
Parents, students and schools should also be educated about, and on the lookout for, phishing and social engineering attacks, in which attackers use legitimate-looking communications via email, SMS/text, or other channels to trick users into handing over credentials or access to accounts.
Certain mobile applications can trigger potential violations of children’s data privacy regulations, such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA) in the U.S. FERPA governs how schools may share a student’s educational records and PII, while COPPA gives parents control over what information third-party sites and apps can collect from children under 13. In addition, health-tracking apps (such as those used for daily temperature reporting) may fall under healthcare-specific privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), where the app or its provider is a HIPAA covered entity or business associate.
While schools already may be aware of regulations like these, they may not know how implementing certain technologies will impact their compliance. For example, video conferencing tools used to broadcast classes can introduce privacy risks. If these tools are not designed for K-12 classrooms (and in some cases, even when they are), the provider may not be in compliance with regulatory requirements. A generic enterprise-tier account is not configured by default with student-data protections; those typically come only with an education-specific plan or a signed student data privacy agreement.
Moreover, as we saw earlier in the year with Zoom’s security concerns, some solutions weren’t prepared for the surge in popularity during the pandemic. Fortunately, there are many new resources to help inform classrooms about how to avoid compliance risks.
Privacy concerns apply not only to video conferencing, but also to many other types of collaboration tools and contact tracing apps. A recent report from Guardsquare showed that most government-sponsored COVID-19 contact tracing apps were insecure and risked exposing sensitive, private user data. To avoid similar concerns, districts should verify the security of mobile apps to ensure student privacy and data security (more on this in a moment).
Malicious actors can spot an insecure app relatively easily: any app in the iOS or Android marketplaces can be downloaded, unpacked and decompiled, so weaknesses such as hard-coded credentials, unencrypted local storage, or unvalidated network connections are there for anyone who looks. Therefore, it’s important to make sure that applications are vetted by internal security teams or external security consultants to ensure that they comply with mobile security standards. (If internal resources are lean, one good resource for finding security experts is the International Association of Professional Security Consultants.)
Teams can use existing security frameworks such as those provided by the Open Web Application Security Project (OWASP) for this vetting process. OWASP’s Mobile Top 10 list is a great resource for evaluating apps for the most critical security issues and making sure they’re addressed. The list covers issues related to secure transmission and storage of data, as well as targeted attacks on mobile apps.
While the entire list (M1-M10) should be reviewed and addressed, M8 (Code Tampering) and M9 (Reverse Engineering) are mitigated differently from the rest: rather than fixing a specific bug, they call for layers of protection built into the application itself. This is a combination of code hardening (obfuscation, string and asset encryption) and runtime application self-protection (RASP) checks (for example, verifying the app’s own signature and detecting attached debuggers) that make an app harder to reverse engineer and tamper with. These measures raise the cost of an attack; they do not make it impossible, so they complement rather than replace fixing the other issues on the list.
These precautions should be taken by schools if they are developing their own mobile applications, or (more commonly) schools can ask their mobile app vendors to show evidence of security and privacy protections, such as a recent third-party penetration test report and a signed student data privacy agreement, then have a security consultant verify that evidence.