Leelou App

Availability: Android and iOS

Price: FREE

Created by: Leelou Operations Pty Ltd

Age Rating: 12+ years

Website: meetleelou.com/

Last reviewed: September 2020

Summary

Leelou is marketed as an ‘immediate personal protection’ app that connects a user, or Dependent, with their trusted contacts. When the Dependent adds their trusted contacts to the app, those contacts receive a link to download the app.

Up to 5 contacts can be selected as Guardians. When the Dependent presses the emergency Leelou SOS button, the Guardians will receive a sound alert to their device within 15 seconds containing the GPS location of where the alert was activated, and streamed/recorded audio from the Dependent’s device. 

The app can also be used for day-to-day contact between the Dependent and their contacts. 

The app’s interactive dashboard includes icons to access the SOS button (to alert ‘Guardians’), Police alert, ‘AIA’ mode (a precautionary personal safety function, designed as a tribute to Aiia Masarwe, that users can activate pre-emptively when they feel vulnerable), and ‘World Map’ (GPS location).

**Please note that the Leelou Development Team have indicated that Leelou is looking to release a fixed version which is significantly different to the app currently available in the App Store now. A full retest would be required and an update will be posted here once that version has been reviewed.**

What We Like

  • While the app doesn’t use a smokescreen for discretion, it is relatively nondescript with just ‘Leelou’ as the icon.
  • Users can import contacts from their device into the app.
  • The app requests confirmation from the user that they know the person they’re adding as a Guardian and that they are willing for their information to be shared with the Guardian when the emergency Leelou SOS is activated.
  • Alert notifications are pushed to the user if settings are not enabled for the app to function optimally, e.g. if location sharing, notifications or the microphone is disabled in the device settings, users must tap on the ‘I Understand’ button if they choose to keep these features off.
  • Additional security measures such as facial recognition, passwords, and PIN and recovery codes are featured. Currently, users are prompted to save or send themselves recovery codes for safekeeping, and a ‘tap request’ is required for users to confirm that this action has been taken. The app Development Team has confirmed that the recovery code feature will be abolished in the next update. 
  • When a Guardian’s device is on silent mode, the app’s silent override feature will push a sound alert notification to their phone when the emergency Leelou SOS is activated.
  • Creating a Leelou account is prohibited for children under the age of 13 unless done by a parent or legal guardian.
  • The app is designed to work on older Android and iOS devices.
  • Users can opt to share their location with ‘All Contacts’ (Guardians, Friends and Dependents) or ‘Selected Only’ (i.e. Guardians) or not unless it is an emergency, i.e. ‘Off (except in SOS)’. 
  • The app provides a solid personal data safety recommendation, stating that there is no affiliation or association with any organisation to collect, collate and package any information or location details, or promote anything other than personal safety.
  • The app Development Team reviews and responds promptly to user reviews in the App Store and is open to engaging with the Testing Team to discuss our findings.

Safety and Privacy Considerations and Tips

Emergency Responses

  • When tested, the SOS alert occasionally failed to activate and the Dependent received a message “SOS alert failed to activate”. In some of these instances, the ‘Guardian’ received the alert, location and audio recording anyway.
  • For users dialling the ‘Help Numbers’, such as ‘000’ to reach the police in an emergency, it might be quicker to direct dial using the device keypad rather than go through the app.
  • Dialling ‘000’ or ‘112’ outside of the app doesn’t require data or credit on a phone, however to do it in the app requires connection to a mobile network.
  • If there is no mobile network available, the app encourages users to ‘Call 112’ by pressing the Police icon on the top right-hand corner of the screen, in the false belief that it will place a call successfully via satellite technology. This is incorrect, and potentially puts the user at risk. The Government has confirmed that mobile phones cannot access satellite technology (https://www.triplezero.gov.au/triple-zero/other-emergency-numbers). The Australian Mobile Telecommunications Association (AMTA) has some more information on calling ‘000’ and ‘112’ here.
  • When the emergency Leelou SOS button is activated the app displays a banner stating: “You are now sharing your live audio and location to your Guardian(s) below”. This message is displayed even when the microphone is not enabled on the device (and hence no audio can be shared). 
  • Testing confirmed that an SOS alert is received by the Guardian within 15 seconds as claimed, and the audio recording received is loud and clear.
  • When an SOS alert is successfully communicated with a Guardian, the progress bar next to the Guardian name turns from red to green, and the text underneath their name switches from a red ‘Notifying’ to a green ‘Notified’. The user is required to request cancellation from the Guardian to cease the alert activation. If the Guardian does not respond, the app continues to share location and audio details of the user. A Guardian can choose to respond to an alert by calling the Dependent. When tested, Leelou requested permission to handle the outbound call, and it took 3 tap requests before that call was made, so it might be quicker for the Guardian to call the Dependent using the device keypad. Confirmation that a Guardian is responding to an alert and the receipt of any messages to the Dependent from the Guardian can take a significant period of time (e.g. upwards of 30 minutes).

Location Accuracy

  • During testing, SOS alerts that were activated provided the Guardian’s device with a reasonably accurate location. The Dependent is not able to confirm the accuracy of the location details before sharing. 
  • If ‘Location Sharing’ on an iOS device is set to ‘While Using’ for Leelou, users are prompted to confirm this selection each time they open the app.
  • Location sharing is toggled, meaning users need to manually toggle it on to use it and also remember to turn it off if they don’t want it. In comparison, other location sharing apps (e.g. Google Maps) offer timers for location sharing.

User Security

  • The app requests more information from users than needed for the app to function optimally. Both Dependents and Guardians are requested to supply their full name, date of birth, mobile phone number, and give permissions for location sharing, microphone and camera. This increases the privacy and safety risk for both users and Guardians, and may not be suitable in a domestic and family violence setting.
  • The app includes a warning that it may use the user’s location even when it’s not running, which can decrease battery life and put the user’s safety at risk.
  • When a user chooses to invite a contact to be a Guardian, a text message with a download link is generated and sent to the contact as follows: “Hi, I’d like to add you to my Personal Safety on Demand network using Leelou. Please download it and accept my invitation here so we can keep each other safe!”. The message is sent outside of the app and the user would need to take steps to delete it manually if the message presented a safety risk to them.
  • If Guardians are not friends (e.g. parents in a domestic or family violence situation or a custody dispute) then no personal details or location are supposedly shared between them unless allowed by the user. However, when tested, Guardian details were shared with other Guardians without the user realising the permission had been given. Additionally, personal details were still shared despite having been deleted from the user’s app account.
  • When a Guardian receives notification of an SOS alert from a Dependent, it saves the details and all audio stream/recording in ‘SOS History Received’ and not in ‘Evidence History Received’ where a user might intuitively think it should be saved. There was no evidence of audio recordings being saved on the device outside of the app.

Data Security

  • The iOS version of this app has not been updated since April 2019. The Android version of this app was updated in February 2020.
  • Leelou’s API server registers the location of users who trigger the SOS button, as well as all their names, dates of birth, and mobile numbers. If the API server were hacked, the security of all those users’ data would be at risk.
  • The app pushes a notification to the user saying that information generated by Leelou needs to be saved somewhere, and then asks whether the user agrees to store that information on the device. If the user selects ‘skip’ to that question, it is unclear where that information is then stored.  
  • To address the privacy and security needs of domestic and family violence victim-survivors, the app design should minimise the amount of information that the server registers about its users. An example of a design for an SOS app that avoids the need to maintain a server entirely is Help Me. Some features that Leelou offers can’t be implemented that way; however, the use of end-to-end encryption for app-to-app messaging would mean the API server never registers actual locations.
  • Text messaging also goes through the server and the contents are visible to that server unencrypted. A better design to include messaging in the app would be end-to-end encryption.
  • Leelou uses Firebase Analytics and while the data analyses may not contain sensitive information, the use of Firebase Analytics is not disclosed in the privacy policy. 
  • At a minimum, the developer needs to provide clarity about what they are doing to keep the server secure. Ongoing external audits by an appropriately qualified firm are required.
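To make the end-to-end recommendation above concrete, the following is an added example written for this review; it is not Leelou’s code and nothing is known about the app’s actual message format. It assumes each account holds an X25519 key pair, derives a shared AES-256-GCM key between a Dependent and one Guardian (with a simplified SHA-256 key derivation, where a real app would use HKDF), and binds the hypothetical account identifiers into the ciphertext as associated data. The SOS payload is a constructed sample. The relay server only ever handles the `Envelope`, so it can log who messaged whom and when, but never the location itself, and an envelope it re-addresses to another account fails to decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SampleLocation is a constructed SOS payload; the real app's format is not known.
const SampleLocation = `{"lat":-37.8136,"lon":144.9631,"event":"SOS"}`

// Envelope is everything the relay server handles: routing metadata plus
// ciphertext. The location itself is never readable server-side.
type Envelope struct {
	From, To string // hypothetical account identifiers
	Nonce    []byte
	Cipher   []byte
}

// deriveKey turns the X25519 shared secret into an AES-256-GCM AEAD.
// Simplified KDF for the example; a production app would use HKDF with a
// context label and a per-session salt.
func deriveKey(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for the peer. The from/to identifiers are bound as
// associated data, so a relay that re-addresses the envelope breaks the tag.
func Seal(from, to string, priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	aead, err := deriveKey(priv, peerPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(from+"->"+to))
	return Envelope{From: from, To: to, Nonce: nonce, Cipher: ct}, nil
}

// Open decrypts an envelope on the recipient's device and rejects any
// envelope whose ciphertext or routing metadata was altered in transit.
func Open(env Envelope, priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) ([]byte, error) {
	aead, err := deriveKey(priv, peerPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Cipher, []byte(env.From+"->"+env.To))
}

// Exchange runs Dependent -> relay -> Guardian and reports the location the
// Guardian recovered, whether the relay could read it from the bytes it
// stored, and whether a re-addressed envelope was rejected.
func Exchange() (recovered string, relayCanRead bool, tamperDetected bool, err error) {
	curve := ecdh.X25519()
	depPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, false, err
	}
	guardPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, false, err
	}
	// The Dependent's device seals the SOS location for one Guardian.
	env, err := Seal("dependent-1", "guardian-1", depPriv, guardPriv.PublicKey(), []byte(SampleLocation))
	if err != nil {
		return "", false, false, err
	}
	// The relay stores and forwards env; this is all it could ever log.
	relayCanRead = bytes.Contains(env.Cipher, []byte(SampleLocation))
	// The Guardian's device opens the envelope.
	pt, err := Open(env, guardPriv, depPriv.PublicKey())
	if err != nil {
		return "", relayCanRead, false, err
	}
	// A relay that tries to forward the same envelope to another account fails.
	forged := env
	forged.To = "guardian-2"
	_, forgeErr := Open(forged, guardPriv, depPriv.PublicKey())
	return string(pt), relayCanRead, forgeErr != nil, nil
}

func main() {
	loc, relayCanRead, tamperDetected, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("guardian recovered: %s\nrelay could read location: %v\nre-addressed envelope rejected: %v\n",
		loc, relayCanRead, tamperDetected)
}
```

The same envelope structure serves the in-app text messages discussed above: the server still needs the `From`/`To` fields to route, which is why metadata minimisation remains a separate concern, but message bodies and locations stay opaque to it. Key distribution (how a Guardian obtains the Dependent’s public key during the invitation flow) is outside this example.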

Accessibility

  • The App Store states English, Japanese and Simplified Chinese languages are supported by the app, however only English was available at the time of testing.
  • The date of birth is captured in American date format, which may confuse Australian users.
  • The app’s ‘Contacts’ section includes ‘Guardians’, ‘Dependents’, ‘Friends’ and ‘Pending’. The app allows contacts to be added from the device’s native contact list and then ‘Guardians’ can be selected from these to respond in an emergency. These labels and processes are confusing, and users with a cognitive disability or low digital literacy may have trouble navigating this section.
  • The app supports colour inversion and filter device accessibility features, however Dynamic Type and voice to text functionality etc. are not supported.
  • The app doesn’t stay open when the screen locks. Users need to reload the app using FaceID or by entering their PIN code.
  • The ‘AIA’ mode alert, a design feature dedicated to the memory of Aiia Masarwe that assists users in preparing to potentially activate an SOS alert in a dangerous situation, functions as expected. However, it requires the user to possess enough dexterity to hold and slide their finger off the alert button if they don’t want to activate the alert.
  • In general, using the app features felt clunky. The software design is not intuitive and requires users to have a high level of comprehension and dexterity to navigate the app.

General Observations

  • The app has a number of serious bugs, including two separate bugs that prevented completion of signup. On that basis, it cannot be recommended as a safety app until the developer fixes those bugs.
  • The app makes the claim that ‘Opt-in’ makes the app stalker-proof, however the Testing Team consider this claim to be incorrect and unsafe. Any data is breachable by determined hackers. 
  • The ‘back’ and ‘next’ arrows used to navigate between pages are often not responsive.
  • The app store marketing claims the app’s ‘AIA’ mode is designed for “instant access to visual and auditory information to alert Guardians and assist in getting help fast”. The AIA mode worked when tested however no visual information was streamed/recorded. Further, on testing, the camera icon did not appear to have any functionality.
  • On the ‘Messages’ page of the app, the user can search for contacts, and message them individually or message selected contacts as a group. When tested the individual messaging feature worked but the group messaging function didn’t, as contacts that had been saved didn’t show and thus couldn’t be selected.
  • If a contact is not a registered user with Leelou then the app suggests it is not possible to save the contact’s details in the app’s ‘Contacts’ section, when in fact it saves these details regardless. If a user does not wish to send the contact a Leelou registration invite the only option available is to ‘Cancel’ out of the set up of that Contact/potential Guardian. 
  • During testing it was difficult to add and save ‘Contacts’ and ‘Guardians’ as the app frequently became unresponsive. It was also difficult to register contacts as ‘Guardians’ for the same reason. 
  • The process to remove contacts from the app account wasn’t intuitive. Removed ‘Guardians’ still appear as contact options when activating an SOS alert despite being deleted from the account. This could compromise a user’s safety if a trusted contact becomes untrustworthy or is unavailable to serve this purpose.
  • Accepting a request to become a ‘Guardian’ was also complex. After the Guardian receives the text request from the Dependent and downloads the app as requested, a code is received on their mobile mid sign-up requiring the Guardian to send a text outside of the app for authorisation. Finally, setting a PIN code is required and five recovery codes are generated. The app prompts the Guardian to save the recovery codes on the device, or alternatively send the codes via text to the Dependent’s mobile number and their own mobile number for safekeeping. The text message with the recovery codes that the Dependent receives does not indicate any association with Leelou or domestic violence. 
  • Of note, when a Guardian accepts the Dependent’s request, the Dependent doesn’t appear in the Guardian’s contacts as a Dependent for a significant period of time (e.g. occasionally > 24hrs). 
  • The app has separate ‘Send/Receive’ tabs for ‘SOS History’, ‘False Start SOS History’ and ‘Evidence History’. The purpose of these is to show a log of the date, time and duration of SOS alert activations and any accompanying data that has been sent to Guardians. Details of aborted alerts and messages that failed to send are captured here also. Users may find these labels confusing, and if the native messaging service on the mobile phone captures the same details and is more user friendly, then it is not apparent why these features are needed.
  • ‘Leelou Culture’ outlines steps on how to use the app and would benefit from being more visible, rather than nested under ‘Account’. The features in ‘Leelou Culture’ include: ‘Meet Leelou’, ‘How Does It Work’, ‘School Security’, ‘Public Event Security’, ‘FAQ’s’, ‘Download Now’ and ‘Contact Us’.