Canopy was advertised to me through my child’s school. The company offers a multi-platform parental control app claiming various abilities to limit and monitor use of protected devices. Access to Canopy is billed monthly and includes a compelling list of features for concerned parents: 

From: https://app.canopy.us/?a=account/package (8/18/21) 

Several of these features imply that the app has privileged access to the protected device and may be intercepting TLS connections to filter content. This privileged access can introduce considerable risk to the security of protected devices and the privacy of the children using those devices. 

DevOps Experience

Where to Begin? 

The published Android app provides a starting point for analysis before registering for an account. The app’s apk file can be easily obtained by a Play Store indexing site such as APKPure

Reviewing the APK 

The contents of the APK are easily extracted and converted into smali (a 2GL language for Android). There are several clues in the output about what Canopy is doing. 

1. The package name is com.canopy.vpn.filter.parent 

a. From this we can infer that it is implementing a VPN connection. 

2. The smali recovered from the APK includes TensorFlow/lite 

a. This indicates that the product performs some AI (likely image classification) on-device. (This is a good thing for privacy.) 

3. The smali recovered includes com.netspark.android 

a. A quick Google for NetSpark reveals that they offer VPN filtering technology.  

Installing the App 

After establishing an account, I proceeded to add monitoring protection to an Android handset. The app provided links for downloading the app as well as help documentation to support installation. The installation process involved authorizing a wide set of permissions including accessibility support, the ability to draw on top (Read more...)