A privacy risk has been discovered in the popular fitness app Strava that could be exploited by an attacker or even by a stalker to identify the home addresses of its users.
Strava is not only one of the best running apps but it’s also one of the best workout apps overall. It allows runners and other fitness enthusiasts to track their heart rate, activity details, GPS location and more.
With over 100 million users worldwide, Strava’s heatmap feature could pose a significant privacy risk if not configured correctly. Designed to help users find new trails or exercise hotspots, the heatmap anonymously aggregates users’ activity so that they can work out in locations that are safer because they’re more crowded.
Now though, researchers at North Carolina State University in Raleigh have discovered that Strava’s heatmap feature could open up unsuspecting users to tracking by having their data on the platform de-anonymized.
Abusing Strava’s heatmap feature
In a new report (PDF), researchers at North Carolina State University have explained how they were able to locate the homes of athletes by using Strava’s heatmap feature. BleepingComputer highlighted the dangers in its report on these findings.
First off, the researchers collected publicly available data from Strava’s heatmap in Arkansas, Ohio and North Carolina over the course of a month. From there, they used image analysis to find start and stop areas next to streets, which suggest that a specific home is linked to tracked activity in Strava. However, if a user already had their address hidden, there would be no way to tell where an activity began or ended.
With heatmap screenshots that matched their criteria, the researchers then overlaid OpenStreetMap images at various zoom levels to help them identify the addresses of individual residences. They then performed user crawling by leveraging a search feature in the Strava app to locate users who have registered a specific city as their location.
By comparing the endpoints from Strava’s heatmap with personal data from the app’s search function, the researchers were then able to match high activity points on the heatmap with the home addresses of actual users.
This is because public Strava profiles without any privacy settings enabled can contain large amounts of activity data with timestamps and distances, which make it much easier to identify potential routes and match patterns in the heatmap data. Likewise, as many Strava users register using their real names and even upload their photos to the app, correlating identities with home locations is also possible.
The researchers went a step further though by correlating their findings with voter registration data to discover that their predictions were around 37.5% accurate.
How to stay safe when using Strava to track your workouts
If you’re a Strava user who is concerned about your own home address being located using the steps described above, there are a few steps you can take right now in order to stay safe.
First, hide your home address from Strava by using the app's Edit Map Visibility feature. There you'll find the service's Aggregated Data Usage control, which allows you to exclude all activities from the heatmap. Alternatively, you can set Activity Visibility to 'Only You' for your activities to hide them from everyone.
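To see for yourself why hiding the start and finish of an activity matters, here is an added, defender-side example that is not part of the article and is not Strava's or the researchers' code. It reads a GPX 1.1 track (the format a typical activity export uses), reports whether the first and last recorded points fall within a chosen radius of your own home, and shows what a "privacy zone" trim does by dropping every point inside that radius. The home coordinates, radius and sample track are constructed placeholders, not real data.

```python
"""Self-audit of one exported activity: are its endpoints near home, and what
does trimming a privacy zone around home leave behind?  Constructed example."""
import math
import xml.etree.ElementTree as ET

# Constructed placeholder for the reader's own home; not a real address.
HOME = (35.7796, -78.6382)
PRIVACY_RADIUS_M = 200  # assumed radius of the zone to hide around home

GPX_NS = {"gpx": "http://www.topografix.com/GPX/1/1"}


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def track_points(gpx_text):
    """Return the ordered list of (lat, lon) track points in a GPX 1.1 document."""
    root = ET.fromstring(gpx_text)
    pts = [(float(p.get("lat")), float(p.get("lon")))
           for p in root.iterfind(".//gpx:trkpt", GPX_NS)]
    if not pts:
        raise ValueError("GPX file contains no track points")
    return pts


def audit_endpoints(gpx_text, home=HOME, radius_m=PRIVACY_RADIUS_M):
    """Flag whether the activity's first or last point lies within radius_m of home.

    A start or stop that sits next to your street is exactly the kind of
    endpoint the heatmap analysis described above looks for.
    """
    pts = track_points(gpx_text)
    d_start = haversine_m(pts[0], home)
    d_end = haversine_m(pts[-1], home)
    return {
        "start_distance_m": round(d_start, 1),
        "end_distance_m": round(d_end, 1),
        "start_exposed": d_start <= radius_m,
        "end_exposed": d_end <= radius_m,
    }


def trim_privacy_zone(pts, home=HOME, radius_m=PRIVACY_RADIUS_M):
    """Drop every point inside the privacy zone, as a hide-start/finish setting
    does conceptually; the remaining track no longer begins or ends at home."""
    return [p for p in pts if haversine_m(p, home) > radius_m]


# Constructed sample: a run that starts a few metres from HOME and ends well away.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="example" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>morning run</name><trkseg>
    <trkpt lat="35.7797" lon="-78.6383"/>
    <trkpt lat="35.7805" lon="-78.6390"/>
    <trkpt lat="35.7830" lon="-78.6420"/>
    <trkpt lat="35.7900" lon="-78.6500"/>
  </trkseg></trk>
</gpx>"""

if __name__ == "__main__":
    report = audit_endpoints(SAMPLE_GPX)
    print("endpoint audit:", report)
    kept = trim_privacy_zone(track_points(SAMPLE_GPX))
    print(f"points left after trimming privacy zone: {len(kept)} of 4")
```

Run it against your own GPX export with HOME set to your coordinates; if either `start_exposed` or `end_exposed` comes back true, that activity ties your home to your account, and the settings above are the fix. The trim shows why the hidden-endpoint setting defeats the researchers' method: with no recorded point near the residence, there is no start or stop area for image analysis to pick up.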
Tom’s Guide’s own Fitness Editor Jane McGuire also provided some additional tips for runners looking to stay safe during their workouts while tracking their progress, saying:
“If you're a runner who likes to keep a record of your routes online, think about how visible these maps are to strangers. Most runners are creatures of habit, and will run the same routes time and time again, making it easy for someone to build up a picture of where you might be heading. If you're using Strava, you can either set your heatmaps to private, or hide the start and finish of your run, so it's not clear where you live.
“On the run, if you're worried you're being followed, run into a shop, knock on someone's front door, or flag down a car. When it comes to feeling safer on the run, your tech can help: apps like Strava Beacon allow you to share your live location with up to three people, who can continue to track you until you stop your activity, and LiveTrack and Incident Detection on the best Garmin running watches and fall detection on the best Apple Watches are all designed to help runners feel safer.
“Your phone can also be used in an emergency — if you press and hold the right side button and one of the volume buttons on an iPhone 8 or later you'll engage the phone’s Emergency SOS feature (on an iPhone 7 or earlier, rapidly press the top or side button five times). This will call the emergency services and text your emergency contacts. On a Samsung phone, hold and press the power button and tap Emergency Mode. We always hope we won't need features like this, but it's important to remind ourselves that they are there.”
Regardless of which fitness tracking app you’re using, just as with the best dating apps, you want to limit the amount of personal information you post online. Stalkers and even hackers often scrape publicly available data to use in their attacks, both online and offline, which is why you want to play things close to the chest to stay safe.