A worrying trend on Applab Public Project

A student showed me this app today: Code.org - App Lab

Its creator said he is 12 years old. AFAIK, code.org should not provide Applab service to minors.
Code.org - App Lab

This is, however, not a report ticket. The age problem is just the beginning.

The first app requires the creation of “Usernames and Passwords”. Leaving alone the question of whether such information constitutes “personal information”, and thus violates the ToS,

IMHO, Applab is not designed to hold sensitive information like this. There’s no cryptography support, no real hashing. People like to reuse their passwords. Allowing third-party apps like these can breach user security.

So if anyone from the team reads this, please consider tightening controls on public projects and maybe provide cryptography tools to Applab. It’s a great topic and I would love to teach it to my Higher CS class students.

I disagree with the fact that Applab should be prohibited to minors. The sole purpose of Code.org is to bring a service capable of providing schools, students, young women, and underrepresented groups of individuals free and easy access to computer science. Confining these services will defeat the goal of what Code.org sought out to accomplish.

As for Usernames and Passwords supposedly violating the ToS, upon actually reading the almost 400 lines and over 6,000 word document (viewable @ Terms of Service | Code.org), it says that you should not include any personal information in any User Content.
On top of that, though it’s subtle, most if not every project that contains a function that stores data will pop up a warning stating to avoid giving any personal info about you or others.

Not sure if this made a difference. Keep in mind I do not represent code.org nor do I speak on their behalf.

Hope this helps!

I totally agree regarding the educational values of applab towards minors, but there are legal concerns within the U.S. and EU regarding data collection from minors.

About your second point, sure there is a popup, but I stand behind my point. Plain text password and username is sensitive personal information, and the collection of such information is not only breaching the ToS, but also creating security vulnerabilities for end-users.

It isn’t unreasonable to put an age limitation. Just as you need to be this tall for this ride.

App Lab is fairly well sandboxed. It keeps children out of trouble as far as I can tell. I wanted to have my class run a DDoS attack on one of my websites with App Lab. There wasn’t any way I could find to do that. Probably just as well since it is a Federal crime.

If asked for personal identifying information 16 year olds will know not to enter it. A 5 year old will not know that. There has to be an age set between those two and code.org has set it. They have that right.

As for this specific program. It wants people to create an account to use it, whatever. As long as you don’t enter your gmail account and password you should be fine. As apps go, I don’t see it being used very much.

image 1

In general I wouldn’t worry too much about any app getting used a lot as App Lab limits exactly how good an app you can make. The only exception is if someone invents the next Tetris. At which point it gets copyrighted and deleted from App Lab very fast.


1. Brodie, L. (1980). Starting FORTH. Hermosa Beach, CA: Forth.

But again, nothing is preventing anyone from entering their real account and password. I once came upon a public project called “GMAIL”. While I’m sure most over the age of 16 are not that gullible, Applab isn’t preventing anyone younger than that from accessing such naive phishing attempts.

Also, there is a Tetris here - it’s even featured! The Tetris Company sure is slow on this one.

Hi @i15904503668i,

Thank you for raising this question. We take student privacy very seriously and build our tools with privacy by design. The creation of App Lab and Game Lab projects, which are much more powerful in functionality compared to the tools designed for our elementary students, is limited to students above the age of 13 or to students who are a member of a teacher’s section. If a project contains any collection of data, we display a prominent warning to warn and educate users not to provide personal information.

That being said, you’ve brought up some great points that I’ve brought to our team and started conversations about how to make our tools more secure and teach concepts such as hashing to students! Thank you again for bringing this up, we really appreciate hearing this kind of feedback that will help us serve students in the best way possible!

Sincerely,
Ken


Just for archival purposes (and for the sceptics who claim that phishing doesn’t exist here), these are two public applab projects with the names “write your gmail and password then see the magic” and “write your gmail and password correctly and magic infront of you”.

See for yourselves.

Edit: There’s more!

“write gmail password correctly please”,

First, we have username and password. See what comes then.