NC State researcher says fitness app loophole may reveal users' address
A loophole in the popular fitness app Strava may be revealing your home address to strangers.
Researchers at North Carolina State University used data that’s supposed to be anonymous to find specific Strava users’ homes and running routes.
“31.7% of Strava users are active enough to have the heat map show their home address,” says Kevin Childs, who studied cybersecurity at NC State.
Childs was motivated to start digging into the app’s privacy after a friend had a stalking incident.
“Immediately, my mind went to ‘she uses Strava,’” Childs explained about the incident.
Strava’s default settings plot a user’s historical GPS data anonymously on a heat map. That data is intended to help Strava’s 100 million users find popular running, cycling and swimming areas. Childs says his research found a loophole.
“We found that with specific people that are active, you can see that their home is producing a lot of activities, and in remote areas that’s ripe for an attack,” Childs warned.
“It’s really shocking to hear that,” said Riley Williams about Childs’ research.
Williams says she used Strava briefly. She’s always concerned about safety while running but didn’t realize how much she may have been sharing.
“You just have it on in your head all the time; I’m alone, what do I have on me, what is my phone doing apparently,” Williams said.
5 On Your Side asked Strava about this report and they sent the following statement:
“Strava does not track users or share data without their permission. When users share their aggregated, de-identified data with the Heatmap and Strava Metro, they contribute to a one-of-a-kind data set that helps urban planners as they develop better infrastructure for people on foot and bikes, and makes it easy to plan routes with the knowledge of the community.”
There have been concerns about Strava and privacy in the past. In 2018, Strava users in active war zones were painting detailed pictures of US bases in Afghanistan and Syria. That led to an investigation by the Pentagon.
“You’re not only sharing where you’re going, how fast you’re going, but exactly what time. You’re starting to give your habits and even certain medical data such as your heart rate,” Childs warned.
You can choose not to contribute any data to the heat map by deselecting the “Aggregated Data Usage” option in the app’s privacy controls.
Strava says data on the heat map is not live.