In our comparison test, six smart children’s watches were tested for their security. Below, we report on the HellOO Watch from the Dutch manufacturer of the same name, which offers features like geofencing, telephony and text messages in addition to the child’s real-time location and location history.

App Check

The HellOO app is not obfuscated, making it easier for potential attackers to reverse-engineer the app’s functionality.
Access data is stored completely unencrypted in the app’s data folder, an area that others can read only on rooted smartphones. Nevertheless, the encryption options provided by Android should be used.

Unencrypted access data

In addition, the credentials are also displayed in plain text in the Android Logcat while the app is being used.

Android Logcat contains access data
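A check a tester or the vendor's release process could run against a captured Logcat dump to catch this kind of leak is sketched below. It is an added example, not code from the HellOO app or from our test setup; the key names it looks for and the sample log lines (hosts, tags, values) are constructed assumptions.

```python
import re

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LOGCAT_LINE = re.compile(
    r"^\d\d-\d\d\s+[\d:.]+\s+\d+\s+\d+\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]*?)\s*:\s(?P<msg>.*)$"
)
# Assumed key names; matches key=value, key: value and "key":"value".
SECRET_PAIR = re.compile(
    r"[\"']?(?P<key>\w*(?:passw(?:or)?d|pwd|token|secret)\w*)[\"']?"
    r"\s*[=:]\s*[\"']?(?P<value>[^\s\"'&,;}]+)",
    re.IGNORECASE,
)
PLACEHOLDERS = {"null", "none", "true", "false"}


def find_logged_secrets(logcat_text):
    """Return one finding per credential-like value; the value is never echoed."""
    findings = []
    for lineno, line in enumerate(logcat_text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # buffer markers such as "--------- beginning of main"
        for pair in SECRET_PAIR.finditer(m["msg"]):
            value = pair["value"]
            if value.lower() in PLACEHOLDERS or set(value) <= {"*"}:
                continue  # placeholder or already masked
            findings.append({"line": lineno, "tag": m["tag"], "level": m["level"],
                             "key": pair["key"], "value_len": len(value)})
    return findings


# Constructed sample capture; every host, tag and value here is made up.
SAMPLE = """\
--------- beginning of main
01-15 10:21:03.112  4321  4321 D HttpClient: GET http://api.example.invalid/login?user=parent%40example.invalid&pwd=Summer2024
01-15 10:21:03.540  4321  4350 D HttpClient: response {"code":0,"token":"c2FtcGxlLXRva2Vu","name":"kid"}
01-15 10:21:04.001  4321  4321 I LoginActivity: login ok, password=******
01-15 10:21:05.250  4321  4321 W Tracker: token: null, retrying
"""

if __name__ == "__main__":
    for f in find_logged_secrets(SAMPLE):
        print(f"line {f['line']}: tag {f['tag']} logs '{f['key']}' ({f['value_len']} chars)")
```

A release build that produces any finding here is writing secrets to a log that other tools on the device, and anyone with USB debugging access, can read.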

As shown in Figure 2, a library of Chinese origin is used. Later research showed that the HellOO Watch is not a Dutch product but a Chinese one.

Online communication

All Internet communication goes to servers in China and is completely unencrypted.

Unencrypted communication

After login, the API provides a token, which is then used for all further API accesses. This token can also be used to read out all information about the children’s watch via the API. Since communication is completely unencrypted during registration and subsequent use, the token can easily be intercepted, so that, for example, the current location or the child’s location history can be read unnoticed.
A brute-force attack on the API would also be possible, since no rate limiting is used. In this way, many attempts can be made in a short time without being blocked. The probability of a successful attack is 1:2715, but it should be improved as well.

Hardware

When connected to a PC, the watch is displayed as “MediaTek Inc. MT6227 phone”. This means that it could also be loaded with new firmware via the tools of the SoC manufacturer MediaTek, or that data could be read out of the watch. If the watch is connected via USB while switched off, it is recognized as a removable storage medium. Firmware files can then easily be downloaded and uploaded via copy and paste.

Privacy

The privacy statement of HellOO covers only the manufacturer’s website, but not the use of the children’s watch or the app. Since the supposedly Dutch watch communicates in plain text with Chinese servers, no points can be awarded in this category.
The HellOO app has a lot of permissions, so we assume that more data will be collected than necessary.

Android app permissions

Conclusion

The HellOO children’s watch of the Dutch manufacturer of the same name cannot score in any of the test categories and is therefore rated 0 out of 3 stars in our comparison test.