Within the scope of our large children’s smartwatch test, we analyzed the Carl Kids Watch from CAT Berlin – one of the few models on the market sold under a German label, which therefore raises a certain expectation of quality among customers. The following test report shows whether the product meets these expectations.

Application Security

The static analysis of the Android application (com.cat.carltracking, version 2.1.5.1) already yields a long list of potentially critical problems that can be identified directly in the source code. Most of the findings concern the missing or incorrect implementation of certificate pinning for HTTPS-secured connections. Particularly critical are the repeated empty implementations of the so-called TrustManager, the component responsible for certificate validation. In the Carl app, the essential methods “checkServerTrusted” and “getAcceptedIssuers” are implemented as empty methods, which in practice means that every server is accepted, whatever certificate it presents. This opens the door to a man-in-the-middle attack on connections that are nominally encrypted.
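To make the finding concrete, the following is an added illustration (not code from the Carl app or from CAT Berlin): an accept-all TrustManager of the kind the analysis describes, next to a hardened replacement that delegates to the platform trust store and additionally pins the SHA-256 hash of the server's public key. The expected pin is passed in as a parameter because the report gives no such value.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // Vulnerable pattern described in the report: both validation methods are empty,
    // so any certificate (self-signed, wrong host, interception proxy) is accepted.
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened replacement: run the platform's normal chain validation first, then
    // require the leaf certificate's SubjectPublicKeyInfo to match a known pin.
    // expectedLeafSpkiSha256 is a placeholder parameter; a real app embeds its own pin set.
    static X509TrustManager pinnedTrustManager(final byte[] expectedLeafSpkiSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default CA store
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager delegate = platform;
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { delegate.checkClientTrusted(chain, authType); }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType); // chain, signature and expiry checks
                byte[] spki;
                try {
                    spki = MessageDigest.getInstance("SHA-256").digest(chain[0].getPublicKey().getEncoded());
                } catch (NoSuchAlgorithmException e) {
                    throw new CertificateException("SHA-256 unavailable", e);
                }
                if (!MessageDigest.isEqual(spki, expectedLeafSpkiSha256)) // constant-time compare
                    throw new CertificateException("server public key does not match pinned value");
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }
}
```

Host-name matching is not part of a TrustManager; the connection's HostnameVerifier must still be left at its default, and the pin must be rotated before the server key changes or the app will lock itself out.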

Apart from this, the static analysis also identified the use of unencrypted connections and the unsecured storage of a detailed log file on the SD card. This log file contains, among other things, the plaintext account password.

Excerpt from log file, stored unsecured on SD-Card

Numerous smaller and larger vulnerabilities are also carried into the app by a large number of third-party modules and, in combination with the other vulnerabilities mentioned above, lead to an overall low security level of the application.

Online Communication

As the static analysis of the application already suggested, communication over the Internet is in many cases – in fact, in all observed cases – either not secured at all or only inadequately secured. Registration, for example, including the confirmation/activation link sent by e-mail, is carried out entirely over an unsecured, unencrypted HTTP connection; user information and the account password are naturally not adequately protected in this way.

In summary, the practical analysis found no online function of the app that was adequately protected against eavesdropping and/or manipulation. In this product area in particular, that could have the most serious consequences, and it must therefore inevitably weigh negatively on the rating of this product.

Privacy

CAT Berlin’s privacy policy is written in a complicated way, is available in English only, and can only be accessed after registering in the app or via a link in the Google Play Store. It could not be found on the manufacturer’s website at all.

With children’s watches like this one in particular, the point “storage time” is relatively critical, since movement profiles of children are created. The policy lacks information on data storage and storage time, and it also makes no mention of where the data is processed. From the recorded network traffic it is clear that communication with Chinese servers takes place. As this is not mentioned either, no points can be awarded in this area.

Android App permissions

Conclusion

As one of the few products under a German label, we analyzed the Carl Kids from CAT Berlin with an admittedly high level of expectation. Unfortunately, the product was unable to meet these expectations and showed glaring errors in several critical technical areas. The product was also not convincing in the important area of data privacy and therefore cannot be rated with a star for any criterion.