Apple is fixing a years-old parental control bug that lets kids avoid web filters

For parents, it can feel like a no-brainer to let their kids have an iPad thanks to its built-in parental control feature, Screen Time. But the system is also undeniably buggy, as most parents will attest. Now, Apple is fixing one of the software’s worst bugs — an apparently obscure one that would let kids see the worst parts of the internet despite settings to stop that, reports Joanna Stern for The Wall Street Journal.

The bug goes like this: kids can circumvent content restrictions by entering a specific string of characters into Safari’s browser bar. Security researchers Andreas Jägersberger and Ro Achterberg reported this bug twice in 2021 and, both times, were told that it wasn’t a security flaw, Stern writes. She also notes that it doesn’t appear as though this particular bug has seen widespread use.

The researchers were apparently told repeatedly over three years that it wasn’t a security problem and were referred to Apple’s feedback tool for software bugs. But after they contacted Stern to report their findings and their struggle with Apple, the company told her there was a fix coming in the next iOS software update. Stern writes that the company “maintains the flaw was a software issue, not a security vulnerability.” Well. At least it’s being fixed.

The story underscores that Apple’s parental control software remains woefully underserviced. Though it has that glossy Apple sheen, the feature is functionally hampered by bugs like those that Stern mentions: not receiving requests for more time, for instance, or an occasionally blank screen usage chart. These are the key features that make Screen Time useful. (Stern notes that Apple fixed several issues in recent software updates.)

What makes this worse is that Apple doesn’t have much competition, seemingly by design. It limited or removed third-party parental control app alternatives for its ecosystem in 2019 after it first introduced Screen Time in iOS 12. At the time, the company said that the apps were inappropriately taking advantage of its enterprise-focused mobile device management (MDM) profiles that enable control over company-issued iPhones. Apple forbid removed apps that were using the powerful management feature — a not unreasonable move considering the very real dangers that sort of access poses.

But the API is limited in ways that still make it difficult for third-party apps to compete. Developers of the Grace app complained in 2022 that they couldn’t show certain info, like how much of a time limit is left, and that there was no way to include an app search field when choosing apps to include. They also said, though, that apps using the API are better, because of the danger of MDM apps’ servers being hacked and child data being exposed as a result.

Users might be frustrated at those limitations and turn to MDM apps for deeper controls, but those have their own issues. For instance, to use an app like Qustodio, you still need to install an app on both parent and child devices; you’ll also have to create an MDM profile on your kids’ device — a scary prospect that gives the app much deeper access. That, combined with needing to repeat those steps with each successive kids’ device, makes parental control apps frustrating. It also leaves Apple without much competition in the space and parents with a broken experience.

Apple did not immediately respond to a request for comment.

Correction June 5th: An earlier version of this article stated that Apple did not release a Screen Time API. The company did do so in 2021.