Table of Contents

Spider-Man Security

mike moran Updated by mike moran


No under-13 user’s personally-identifiable information, including voice, is stored on the toy or Spider-Man servers. API access uses (and requires) an HTTPS connection (TLS encrypted). The USB port on the toy blocks data transmission and only provides power to the device. File access via the API is limited to specified directories, API parameters are escaped to protect against SQL injection,and API level changes are internally peer reviewed prior to publication. Finally, total system architecture has been audited by four independent specialist firms.

Hardware Description

  • A33 quad core processor (Allwinner)
  • 512 MB RAM
  • 4GB Flash storage
  • BLE 4.1
  • WiFi b/g/n 2.4GHz
  • 3-Axis Accelerometer (wake toy on acceleration)
  • Power button
  • Microphone
  • Speaker
  • Reset button
  • Micro USB port (charging)
  • Charging base (w/ USB cord and wall adapter)
  • IR Motion Sensor

Physical Access

Spider-Man uses an external USB port for charging - this USB port does not support any data transfer. There is also a second USB port inside the toy which can be accessed by cutting away the silicone skin and disassembling the plastic module which houses the main PCB. This internal USB port is used at the factory for loading the software; the data connection on this internal USB is also disabled. Care has been taken to obfuscate keys and to encrypt user data stored on the toy, to minimize the privacy and security risk should a user’s toy be stolen or otherwise compromised.

Accounts & Authentication

The toy software runs as a user (not root) in the OS with a minimal set of permissions. User profile data is encrypted when stored and the keys are obfuscated and stored in compiled code. personally-identifiable information is not stored on the device. The only personally-identifiable information stored on the server is the email address of age-appropriate users who have opted to provide their email. Admin cookies expire when the browser session ends, or after 5 hours have elapsed. All communication with the server, including authentication and session handshakes, is sent over https using TLS. Authentication credentials, as well as all other API parameters, are escaped to prevent SQL injection. Passwords on the server are encrypted using Salt. API access for customer data requires both API credentials as well as the customer credentials.

Data Storage & Privacy

Spider-Man stores profile names, session tokens, age, WiFi credentials, content scores, and saved state for content, all of which is encrypted when stored. Crash logs are stored until a WiFi connection is available, at which time they are uploaded to Crashlytics. No under 13 user’s personally-identifiable information, geographic data, or captured audio data is stored. See the application Privacy Policy for more information on how information is collected and used.

COPPA Compliance

No under 13 user’s personally-identifiable information is stored on the toy or Spider-Man’s servers. Email is used for product and Sphero-related communications, but only age-appropriate users may provide their email. Should there ever be the need to collect, store, or disclose any child’s personally-identifiable information, Sphero will first obtain appropriate parental consent, if applicable.  Sphero and outside counsel reviewed Spider-Man for compliance with child privacy laws, including the Children’s Online Privacy Protection Act (COPPA).

How did we do?