Millions of parents use The Wonder Weeks to follow the development of their baby, ranking the app in the top five most popular paid services on iPhone in 2020.
However, when we investigated the app for its privacy and security protections, we found unrelated third parties were theoretically able to access The Wonder Weeks' baby monitor server.
Shockingly, the server was also being used by gamers playing Minecraft, who could in theory - alongside others - have snooped on the baby monitor feeds due to poor security protections in place.
After we contacted The Wonder Weeks, it addressed our findings and we have no firm evidence that real users' data was exposed. However, we're concerned that this happened in the first place on such a popular app used by parents.
Health and wellbeing apps can be useful, but they must also be set up to protect your privacy and security. We also assessed other baby and fertility apps, including Flo, Clue, Emma's Diary and BabyCentre. Read on for our full report.
Working in collaboration with security research consultancy 6Point6, we assessed the privacy and security protections in a range of pregnancy and parenting apps.
During our testing of The Wonder Weeks, we found what appeared to be a critical vulnerability in the HD Wi-Fi baby monitor service being offered to app users for an additional monthly fee.
We found that a third-party company based in Bosnia and Herzegovina had administrative access to a server being used to run The Wonder Weeks baby monitor service.
We believe that this server was also being used to run another server for the popular video game Minecraft. We were concerned to find what we believed were maps created by players seeming to bear Nazi swastika symbols.
More worryingly, we believe any of these gamers could have accessed real parents' baby monitor feeds if they had been able to guess or access a basic numeric code on the shared server.
There is no specific evidence that any baby monitor feeds or personal information was breached by the gamers.
Plus, it should be noted that in fact anyone could have accessed the baby monitor server if they had located it and guessed the weak access credentials.
Although it took us a few attempts to get in contact with The Wonder Weeks, its team eventually agreed to review our findings and verified they were correct.
Working with its app developer, the company claims to have addressed all the issues we have raised, or is in the process of doing so with more fixes coming in June 2021. With the latter, we continue to monitor the situation for developments.
The Wonder Weeks has also appointed an independent security firm to regularly run tests and assessments of its operation going forwards.
'At the Wonder Weeks we have always been very clear: the data belongs to the parents,' Wonder Weeks told us.
'During our years of development we have made sure that (personal) information which is saved by the parents, is only stored on the phone or the personal cloud storage of the user.
'Thanks to this approach no data was ever sent to our servers: our company does not own any personal data of our app-users. We truly appreciate the security scan provided by Which?.'
We asked The Wonder Weeks if our findings represent a breach of The General Data Protection Regulation (GDPR) - which also covers any data processed by third-party suppliers engaged by companies, such as for app development or server support - and so would need to be referred to the relevant data protection authority.
However, the company claimed that it was 'confident that no user data has been impacted'.
Almost seven in 10 parents used a tracking app during their pregnancy, according to a Which? survey in February 2021 of 1,176 parents who gave birth in the last five years.
Period and fertility tracking apps, such as Flo and Clue, were very popular. The majority of parents found these apps very or fairly useful.
However, our research has demonstrated that it is worth being cautious before you download such services as there could be risks to your privacy or security.
For example, all of these apps let you use easily guessable passwords, such as just 'password', meaning your account could be at risk of hacking attacks.
None of them offer two-factor authentication (2FA), either, which if in place would help to increase your security.
Flo: period tracker and pregnancy app
While we didn't find any major privacy concerns with the Flo app, we did find a concerning security hole with one of Flo's websites. While this might not lead to data on users being exposed, any security vulnerability should be dealt with promptly by companies to avoid the risk of a data breach.
Flo said it has been working on a website update, which should be completed by now. It said all its systems are covered by security monitoring, vulnerability scanning and management, and are subject to regular internal and external penetration tests.
It is also working on updating password complexity rules.
Our findings related to the Flo websites, not the app, so you can download it to your device. Do set a strong password for your account though, so that it can't be hijacked (see more on that below).
Clue: period and ovulation tracking app
The Clue app and associated websites didn't have any privacy issues, such as using lots of cookies to track you. However, we did find a potential security hole in a Clue website. Again, vulnerabilities like this should not be left open so that they can be targeted by hackers.
Clue said this port was an old, unused and isolated server instance with no access to user data. When we flagged it, Clue removed it.
The Clue app appeared to be fairly well built, so you can download it and not worry too much about your security or privacy. Again, always set strong passwords for your accounts.
BabyCentre: pregnancy tracker and baby development calendar app
Using our assessment tools, we detected four potentially vulnerable web services being operated by BabyCentre. We won't list any technical details here as we don't want to put any users at risk from cybercriminals.
BabyCentre didn't reply when we contacted the company, so we were unable to get the issues we found verified or fixed.
Just like Flo and Clue, there wasn't much concern found with the app, so feel free to install it. You might want to be wary about how much data you are sharing with the company, however, due to the unaddressed security issues we found.
Emma's Diary: baby and pregnancy advice app
Cookies are digital tags used by websites to improve performance, but they also track you for other reasons, including marketing. When visiting the Emma's Diary website we found a total of 119 cookies being used. Four were what we deem to be necessary cookies, but 14 cookies were used to track you.
In this process, when you visit a website your browser is uniquely identified and data can then be used to monitor what you do, sometimes even when you navigate to other websites with the same tracking cookies being used.
We found that 29 of the cookies being operated on the Emma's Diary website were from third parties. By contrast, Clue only operated 34 cookies in total, with just five believed to be used for tracking you.
While the Emma's Diary app does accept weak passwords, the company told us that it has protections in place to stop accounts from being hacked. It disputed our cookies findings but did admit that 44 cookies were being used for marketing.
However, it claimed that the only third-party marketing cookie in use on its website was for nappies brand Pampers, and that this did not use any personal information on users.
Although we disagree with some claims given directly to us, Emma's Diary does appear to have considered security and privacy. As we didn't find too many issues with the app, you can download it if you are keen to use the features.
Health and wellbeing apps, such as those to help with fertility or pregnancy, can be useful additions to our lives, but only if they are built with security and privacy in mind.
In January 2021, we assessed the protections in more than 30 different health apps, including baby and pregnancy services.
If you're considering downloading a health app, or if you already have one on your phone, follow the below advice to increase your security and privacy.