U of I researchers find, fix fitness app security flaws


URBANA, Ill. (WAND) - A team of researchers at the University of Illinois uncovered security flaws in several fitness tracking apps and developed solutions.

The apps, such as Strava, Garmin Connect and Map My Tracks, record details of workouts like runs, walks and bicycle rides.

“There’s tens of millions of people throughout the world using fitness tracking services online through wearable devices and their mobile phones,” said assistant professor Adam Bates.

While those apps map the route of a run or walk, they allow for a privacy zone around the starting point so others cannot find a user’s home address. Still, Bates and his students found that many of those circular privacy zones were centered on the home address, making the address easy to uncover. The team analyzed millions of accounts.

“We found that, for 84 percent of those athletes that were using this privacy zone mechanism, we were able to deduce what their home address was, and when we delved further into the results, we found it was much worse,” Bates said.

Since then, the team has notified the companies and shared solutions.

“We’ve been working over the past year with Strava, Garmin Connect and Map My Tracks, which are the major companies we found that use this privacy zone,” Bates said. “They’ve acknowledged the vulnerability, and they’ve been working to incorporate our counter-measures. So if you go into Strava today to set up a privacy zone, you’ll find that they place the circle at a random offset from your home address.”
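The random-offset countermeasure described above, next to the centered zone it replaces, as an added sketch (not code from the researchers or from any of the named companies). The function names, the `margin_m` parameter, the uniform draw over a disc and the sample coordinates are assumptions made for illustration.

```python
import math
import random

EARTH_RADIUS_M = 6371000.0  # mean Earth radius, spherical approximation

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def offset_point(lat, lon, distance_m, bearing_rad):
    """Point reached by travelling distance_m from (lat, lon) on a bearing."""
    d = distance_m / EARTH_RADIUS_M
    p1, l1 = math.radians(lat), math.radians(lon)
    p2 = math.asin(math.sin(p1) * math.cos(d)
                   + math.cos(p1) * math.sin(d) * math.cos(bearing_rad))
    l2 = l1 + math.atan2(math.sin(bearing_rad) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), math.degrees(l2)

def centered_zone(home_lat, home_lon, radius_m):
    """Weak form: the zone's centre is the protected address itself."""
    return (home_lat, home_lon, radius_m)

def offset_zone(home_lat, home_lon, radius_m, margin_m=50.0, rng=None):
    """Hardened form: centre moved a random distance and bearing from home.

    The shift is capped at radius_m - margin_m (margin_m is an assumed
    parameter) so the home always stays inside the zone. Generate the zone
    once and store it; independent re-draws would average back toward home.
    """
    rng = rng or random.SystemRandom()
    max_shift = radius_m - margin_m
    if max_shift <= 0:
        raise ValueError("radius_m must be larger than margin_m")
    shift = max_shift * math.sqrt(rng.random())  # sqrt: uniform over the disc
    bearing = rng.uniform(0.0, 2.0 * math.pi)
    lat, lon = offset_point(home_lat, home_lon, shift, bearing)
    return (lat, lon, radius_m)

def zone_covers(zone, lat, lon):
    """True when (lat, lon) falls inside the zone and would be hidden."""
    clat, clon, radius_m = zone
    return haversine_m(clat, clon, lat, lon) <= radius_m

if __name__ == "__main__":
    home = (40.1106, -88.2073)  # constructed sample point, not a real address
    for zone in (centered_zone(*home, 400.0), offset_zone(*home, 400.0)):
        print(round(haversine_m(zone[0], zone[1], *home), 1), zone_covers(zone, *home))
```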
