Sports and fitness apps, such as Strava, are gaining in popularity and have also often become true social networks. Users share some very personal data there, including their home address and when they will not be there. Apps usually allow you to hide home locations, but university researchers from the imec-DistriNet research group at KU Leuven in Belgium discovered that, in many cases, this option gives a false sense of security.
Strava said there had been no leaks or cyber attacks connected to this research and has invited the researchers to review their conclusions together.
The popular sports app Strava had more than 100 million users in 195 countries at the end of May 2022. Runtastic from Adidas has as many as 182 million registered users. These are just two examples of the popularity of social networking around sports. Every day, millions of sports activities around the world are shared with friends and other app users – a virtual supporter community. But the activities shared may give away sensitive information. Very often, patterns can be discovered, such as places and times when you exercise, fixed routes, and fixed points of departure and arrival.
To avoid exposing that data outright, social networks such as Strava often offer endpoint privacy zones: users can hide the area around a privacy-sensitive location, a circle around that spot whose size they choose. But that approach creates a false sense of security, as the researchers were able to demonstrate.
The researchers developed what is known as an inference attack and applied it to anonymized activities shared on sports apps. “For example, among the 1.4 million Strava activities we analyzed, we were able to uncover up to 85 percent of the hidden locations anyway, based purely on the additional data that was publicly available,” said researcher Victor Le Pochat of the imec-DistriNet research group.
Many users do realize the risk involved in sharing activities on these apps. In the past, for example, there were reports of soldiers unknowingly revealing the location of secret military sites by sharing their running laps, and of athletes whose expensive bikes were stolen after thieves had been lurking on Strava. But equally, the new options for protecting location data are not foolproof.
The researchers have delivered their findings to the respective platforms, and are working together with Strava to discuss their suggestions for improvements. They say the apps could better hide from outsiders the information about the distance users cover within the hidden zone, or even omit it altogether. The latter intervention, however, will have a severe impact on users, since the activity is then no longer fully recorded. The apps could also vary the shape and size of the hidden areas (now mostly circles) more.
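The mitigation of omitting the distance covered inside the hidden zone can be sketched as a publishing filter. This is an added example, not code from the researchers or from any app: `publish_activity`, its parameters and the coordinates are hypothetical, and the track is constructed sample data.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def path_length_m(points):
    return sum(haversine_m(p, q) for p, q in zip(points, points[1:]))

def visible_segments(track, zone_center, zone_radius_m):
    """Split the track into runs of points lying outside the privacy zone."""
    segments, current = [], []
    for point in track:
        if haversine_m(point, zone_center) > zone_radius_m:
            current.append(point)
        elif current:  # entered the zone: close the running segment
            segments.append(current)
            current = []
    if current:
        segments.append(current)
    return segments

def publish_activity(track, zone_center, zone_radius_m, omit_hidden_distance=True):
    """Build the public view of an activity (hypothetical helper).

    omit_hidden_distance=False publishes the full recorded distance, so an
    outsider can subtract the visible part and learn the distance covered
    inside the zone. True publishes only the distance of the visible segments.
    """
    segments = visible_segments(track, zone_center, zone_radius_m)
    visible_m = sum(path_length_m(s) for s in segments)
    published_m = visible_m if omit_hidden_distance else path_length_m(track)
    return {"segments": segments, "distance_m": published_m,
            "derivable_hidden_m": published_m - visible_m}

# Constructed sample: a run heading north from a made-up location, ~100 m per point.
HOME = (50.0, 4.0)
SAMPLE_TRACK = [(50.0 + i * 0.0009, 4.0) for i in range(11)]

if __name__ == "__main__":
    for omit in (False, True):
        view = publish_activity(SAMPLE_TRACK, HOME, 250.0, omit_hidden_distance=omit)
        print(omit, round(view["distance_m"]), round(view["derivable_hidden_m"]))
```

With the full distance published, about 300 m of hidden travel can be derived from public data alone; with the hidden part omitted that figure is zero, at the cost of a shorter recorded activity.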
“Users can better protect their privacy on sports apps too. Setting a privacy zone is still a good idea anyway, but make the zone around places you want to keep hidden large enough. It is often a minimum of 200 meters, but you can increase the zone to more than a kilometer. The bigger, the better,” stresses researcher Karel Dhondt. Varying your start and finish locations more is another effective strategy. The researchers have also built an online application, which they christened Priva, that uses their insights to better secure your sports activities. You choose a location there that you want to secure, and the application chooses the best size of area to make invisible for you.