Categories: Security

Strava’s privacy zones have been revealing users’ hidden locations

In case you missed it in the news last week, online fitness tracker Strava was thrown into the spotlight after security concerns were raised over its global heat map revealing the exercise routes of military personnel.

Strava’s global heat map shows the paths its users record as they run or cycle. Because the app’s user base is denser in major cities, these areas are white hot against a mostly black backdrop. But upon closer examination, it was found that foreign military bases in remote areas also stand out as isolated “hotspots”.

The heatmap reportedly reveals the structure of foreign military bases by correlating the lit-up activity routes or “digital footprints” of individual users and the known bases of US military or intelligence operations.

But this wasn’t the first time Strava had been called out for revealing the sensitive locations of its users.

Striving to keep user data safe

If you don’t know how Strava works, it provides an app that uses a mobile phone’s GPS to record data on a user’s exercise activity including detailed activity maps and performance data so they can share and compare with others.

With 27 million users around the world, Strava aims to be the social network for athletes. The premise is that sharing your exercise data with the whole community feeds into people’s desire to compete with others, which makes it so appealing for those serious athletes out there. Riders strive to become King or Queen of a Mountain and runners can use heat maps to seek out popular routes.

That urge to share and boast about your workout probably conflicts with your instinct to keep your personal data private. But Strava thought of this. Strava’s privacy zone is designed to hide the portion of your activity that starts or ends in a specific zone – presumably your home or office – from all other athletes.

The problem with Strava’s privacy zone

The biggest flaw in Strava’s privacy zone feature is the precision in which it ends activity information around a selected address.

If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the mid-point and where the privacy zone is centered on. If there are not two exact opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through 3 points.

Here are two maps we created using Strava on two different activities to give us the three endpoints needed to calculate the exact location of the address we selected to be surrounded by a 1/8 mile privacy zone.

Strava only offers five fixed radius options (1/8 mile, 1/4 mile, 3/8 mile, 1/2 mile and 5/8 mile) for its privacy zones. Using the ending points of an activity, it is possible to determine which radius option was selected by the user and then to trilaterate the exact location of the selected address.

Because Strava’s privacy zone is of equal size in each activity, it’s possible to represent this graphically by increasing the radius of circles around each activity end marker until three or more circles intersect.

In some cases, Strava’s privacy zone actually makes the determination of home addresses more accurate as it is more precise than the GPS and location services of a mobile device. For example, the same activity mapped below without Strava’s privacy zone enabled shows significant location drift.

Strava’s response

Last year, one of our employees contacted Strava to bring this flaw to their attention. The employee even provided a detailed explanation of how he was able to pinpoint the exact location of this home by using just one recorded map that shows the entry points to his privacy zone. Strava commented that its privacy zones were working as intended and users could opt-out entirely if required.

The news of US military personnel not turning-off social aspects of Strava shows that many users are not following this precaution.

Strava has gone as far as to introduce a feature to tag friends on activities who may not even be Strava users themselves. As of February 2018, Strava’s privacy zones have not changed and are not even enabled by default.

Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal. Especially risky when bikes are kept in the basement of office buildings which can be easily accessed with some clever social engineering.Dan Cuddeford, Director of Systems Engineering, Wandera

Location permissions as a wider issue

Strava isn’t the only service that has been unwittingly providing this kind of location data about its users. In 2014, security firm IncludeSec announced Tinder had been revealing the exact location of its user with a similar method of trilateration. The dating app responded by taking steps to randomize the privacy circle around selected addresses.

In our responsible disclosure, we recommended the Strava’s privacy zone could benefit from a similar approach of randomizing the privacy zone rather than setting it at a specific radius.

The latest mobile threats that you should know about

Our Threat Advisories present useful information on new mobile threats, their implications and practical steps for remediation and prevention, enabling you to swiftly address each new threat before it impacts your business.

Learn MORE

Liarna La Porta

Liarna La Porta leads content marketing at Wandera. As Editor of Wandera’s blog, Liarna keeps the content ticking that makes Wandera a reliable news source for mobile security professionals. Her passion for helping tech start ups in all aspects of marketing and PR is reflected in the expert industry coverage she provides. An Australian adventurist at heart, Liarna has been in the Marketing and PR industry for over six years working from Melbourne, Sydney, London and San Francisco, soaking up the expertise required for her global role at Wandera.

Recent Posts

Product update: big new updates to the Wandera mobile app

Some product updates are hard to define. Is it a new feature? Does it need a name? When it comes…

1 week ago

4 ways hackers are infiltrating phones with malware on Android phones

It’s not hard to tell if your desktop computer is infected with malware - it might slow down, ads or…

2 weeks ago

Product update: Enhanced App Insights

We’ve come a long way since Apple coined, and relentlessly promoted, its famous ‘there’s an app for that’ tagline. In…

3 weeks ago

Your GDPR action plan for mobile

If recent events have taught us anything, it’s that when it comes to organizations handling data, consumer distrust is at…

3 weeks ago

Three things to consider before signing up to a data pool plan

Mobile data pools are a cost-efficient option especially for large organizations with many corporate mobile devices. Having a single bill…

3 weeks ago

Phishing attacks are moving to messaging and social apps at an alarming rate

Phishing is the number one threat affecting organizations today, in fact, 90% of cyber attacks start with a phish. While phishing has…

1 month ago