Access to your location data is arguably one of the most sensitive permissions an Android app can request. It becomes even more important when said app tracks your location constantly, or in the background, as fitness apps do. One of the best fitness apps, Strava, is no stranger to such location-related security scares, but a recent research paper reveals there's an alarmingly high chance that Strava's publicly available, but anonymized, heatmap data can dox you.

Privacy concerns with Strava's location data collection date back to 2018, when the app's heatmaps accidentally revealed the location of several secret army bases, including some in the US. If you aren't aware, Strava is a social fitness app with over 100 million users, where one can share their fitness-related activities and stats with others for encouragement and competition. The publicly available heatmap feature shows the route every Strava user takes, with timestamps, as a line of light on a map.


Although data collection is anonymized, recent research by North Carolina State University's Department of Computer Science claims this data can be de-anonymized, revealing Strava users' locations, frequented routes, and identities with up to 37.5% accuracy (via Connect The Watts). Although Strava hides activity data for private profiles in its database, it is still included in the heatmap, meaning public and private profiles can be doxxed with equal ease.

Using that heatmap as a data source, the researchers were able to identify the start and end locations of activities, revealing the potential residences of Strava users. Combined with data from OpenStreetMap and public records like recent voter registrations, there's a high chance Strava could reveal your name and home address to a bad actor. Moreover, the researchers noted that the entire process of crawling through public databases and locating houses can be automated easily, potentially allowing such an attack to scale.

Understandably, it would be harder to identify people and their routes in crowded suburbs, but it becomes very easy in towns with few Strava users. If that makes it seem like nothing has changed since the 2018 incident, that is largely the case: governments banned the use of fitness apps at military installations, but Strava didn't take any action. The app only hides the data in the first and last segments of an activity from the workout summary.

Thankfully, the North Carolina researchers suggest changes the app devs can make. For one, Strava can expand the hidden zones feature from individual activities to the heatmap. Also, it can create exclusion areas so heatmaps don't show users on the streets connecting their homes to main roads. Sharing your health data probably isn't worth the risk of getting doxxed online, and given Strava's efforts — or lack thereof — to remedy this issue since 2018, it's possible nothing will change.
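To make the difference between the two approaches concrete, here is an added Python example (not code from the paper, and not Strava's own implementation) that contrasts trimming only the first and last points of a track, which is what the article says the workout summary does, with dropping every point inside a circular exclusion zone around the home before the track contributes to a heatmap. The home coordinates, the 500 m radius and the sample track are constructed for the demonstration; the researchers' street-based exclusion areas are simplified here to a circle.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def trim_ends(track, n):
    """Segment trimming: drop only the first and last n points of the track."""
    return track[n:len(track) - n] if len(track) > 2 * n else []


def apply_exclusion_zones(track, zones):
    """Exclusion zones: drop every point within radius of any zone centre,
    no matter where in the track it occurs. zones = [(lat, lon, radius_m), ...]."""
    return [pt for pt in track
            if all(haversine_m(pt[0], pt[1], z[0], z[1]) > z[2] for z in zones)]


def count_within(track, zone):
    """How many points of a published track still fall inside a zone (leak check)."""
    lat, lon, radius = zone
    return sum(1 for p in track if haversine_m(p[0], p[1], lat, lon) <= radius)


# Constructed example: a run that starts at home, passes by home again
# mid-route, and ends at home. 0.001 deg of latitude is roughly 111 m.
HOME_ZONE = (35.0000, -78.0000, 500.0)  # constructed home, 500 m radius
SAMPLE_TRACK = [
    (35.0000, -78.0000),  # start at home
    (35.0010, -78.0000),  # ~111 m from home
    (35.0030, -78.0000),  # ~334 m
    (35.0060, -78.0000),  # ~667 m, outside the zone
    (35.0100, -78.0000),
    (35.0150, -78.0000),
    (35.0100, -78.0050),
    (35.0040, -78.0010),  # ~454 m, back inside the zone mid-route
    (35.0080, -78.0020),  # ~908 m
    (35.0020, -78.0000),  # ~222 m, heading home
    (35.0000, -78.0000),  # end at home
]

if __name__ == "__main__":
    trimmed = trim_ends(SAMPLE_TRACK, 2)
    excluded = apply_exclusion_zones(SAMPLE_TRACK, [HOME_ZONE])
    print("points near home after trimming:", count_within(trimmed, HOME_ZONE))
    print("points near home with exclusion zone:", count_within(excluded, HOME_ZONE))
```

Trimming two points from each end still publishes two points within 500 m of the home, while the exclusion zone publishes none.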