Vetting & Managing School Apps to Protect Student Data

Students utilize mobile applications to communicate with teachers, study, and complete assignments, so it is imperative the schools have a clear system for vetting apps.

Schools use education apps and online consoles as hubs for their students’ classes, and elementary and middle schoolers use quiz applications and educational games to engage in and out of the classroom. Students should be able to trust that their school is looking out for their mobile data privacy. Whether an app or software download is mandatory or just encouraged, schools must ensure that these digital education tools respect students’ data privacy and safety.

Information Needed for Vetting Apps

When vetting apps for an educational setting, start with gathering information.

  • What do you need the app to do?
  • Is it for a whole district, a specific school, or a class?
  • Is it mandatory, or just a suggestion?
  • What information are you allowed to collect, based on district policies?
  • What encryption and security standards must be met?

Questions like these help you discover the general guidelines your district will be working from when finding an app solution. Check with administrators, school IT Departments, and potentially the school district’s lawyer to verify you have the specifics correct as you search.

Who is Vetting Educational Apps?

It may not be necessary to do all the vetting purely on your own. There are third party organizations that will vet apps for school districts, but those will need to be researched and sourced if they are to be trusted (we here at DriveStrike are not lawyers or educators, and do not recommend any specific vetting service). There also may be a regional group of school IT and security professionals that pool information about policies, standards, and scopes of different app options that could help inform your choices. Get to know professionals in different school districts and share information, but remember that ultimately, your students are your responsibility, and you must make the final decision as to what is and is not safe for their data when vetting apps.

 

Keys to Consider

As you begin to embark on this process, here are some things to remember:

Determine what data needs to be collected and why.

Unfortunately, student apps often collect mass amounts of data and provide that information to third parties, according to 2022 research by Atlas VPN. Consider your students’ data more valuable than gold; the less Personally Identifiable Information (PII) you gather, the less the school is responsible for. Only collect and store the data that is necessary; additional collection increases the attack surface.

Decide an appropriate amount of risk.

Schools are often considered vulnerable by cybercriminals, as they have potential links to other government agencies and have smaller cybersecurity budgets. With this in mind, do not ignore red flags simply because an app seems useful. Ask yourself things like:

  • What sort of information is exposed or accessible through the application?
  • Are sensitive pieces of information, such as social security numbers or passwords to school systems, connected in any way?
  • Can the application access the students’ phone cameras or microphones?
  • What permissions are requested, and are these necessary for the app to function?

Any online application will have security concerns, so be precise and conservative when determining how much you are willing to place in third-party hands.

Stick to apps that are available in either Google Play or the App Store.

Apps available through those sources have passed a screening to be listed. While this by no means proves the apps are fully trustworthy, it does prove a base level of functionality and security. These sites will also allow you to read reviews from other users, whose experience or concerns with the app may help you find spots to investigate further.

Discover as much as you can about who published the application.

Read what you can about their security posture, development, and business practices. Speak to the publisher directly, and ask questions about who has access to their data, what data they collect, and how they store it. Ask about third parties that have access to any aspect of the app. Ask about the physical locations of servers and their security safeguards. Choosing an app for your students to use is much like choosing a software, so consider the concerns you would have for implementing a traditional software and adjust them to fit an app context.

Understand the app’s data security practices.

Student data needs to be encrypted, both as it is stored and as it is transported. Verify how long data is stored, and who has access to the information. See what the process is to delete information if requested by students or parents.

Verify that the app is regularly updated to match cybersecurity and industry best practices.

For something as important as student data, you want to be assured that you have a good working relationship with a responsive support team that is invested in data security and maintaining an application that is regularly patched and up to date.

Check for vulnerabilities in threat databases.

There are several organizations that maintain collections of known vulnerabilities, and it is worth taking the time to read through them and see if there are any known flaws in the apps you are considering. For example, you can utilize the Common Vulnerabilities and Exposures (CVE) Dictionary and Common Weakness Enumeration (CWE) to reference the U.S. National Vulnerability Database (NVD) for this information.

The CVE provides a standardized way to categorize and discuss software vulnerabilities.
The CWE is a software weakness classification system that segments weaknesses into categories.
Both are maintained by Mitre Corporation.

Schedule periodic checks going forward.

As apps are updated, security protocols and permissions can change. It is also possible for a bad actor to introduce malicious code into an update after you have completed the initial vetting process. For these reasons, it is important to have ongoing security testing.

Apps provide incredible access to information and instruction, improving the learning experience of students around the planet. This modern wonder can dazzle people into ignoring threats, however. It is ultimately up to you to protect your students’ data. Vetting apps is essential to an effective security posture.

 

About DriveStrike

DriveStrike is an all-in-one endpoint security solution that integrates Remote Locate, Lock, and Wipe services with Encryption management in one secure online console. Begin defending your data today with mass deployment options for phones, tablets, and computers on any operating system. Start your 30 Day Free Trial and begin protecting data today with DriveStrike!