Yifan Yao, Shawn McCollum, Zhibo Sun, and Yue Zhang, Drexel University
The rapid growth of mobile apps has provided convenience and entertainment, including adult-oriented apps for users 18 and older. Despite various strategies to prevent minors from accessing such content, the effectiveness of these measures remains uncertain. This paper investigates these mechanisms and proposes a novel detection solution: GUARD (Guarding Underage Access Restriction Detection). GUARD determines relevant components (e.g., those that can accept the user's age or birthdate) based on the spatial relationships of the components in a layout and tracks the data flows through taint analysis. Recognizing static analysis limitations, GUARD also dynamically interacts with apps to identify age-related input components, which are then used for precise taint analysis. Our analysis of 31,750 adult-only apps (out of 693,334 apps on Google Play) reveals that only 1,165 (3.67%) implement age verification, with the majority relying on the weakest method, the age gate (which simply asks users if they are over 18). Even apps with stronger age verification (e.g., document uploads, online ID verification) can be bypassed using simple methods like false IDs or fake documents. They can also be circumvented through accounts from services without age checks (e.g., OAuth abuse) or by exploiting regional differences via VPNs. This paper also proposes countermeasures to enhance the effectiveness of age verification methods, which received positive feedback from Google through our email exchanges.