A privacy risk has been discovered in the popular fitness app Strava that could be exploited by an attacker or even by a stalker to identify the home addresses of its users.
Strava is not only one of the best running apps but it’s also one of the best workout apps overall. It allows runners and other fitness enthusiasts to track their heart rate, activity details, GPS location and more.
With over 100 million users worldwide, Strava’s heatmap feature could pose a significant privacy risk if not configured correctly. Designed to help users find new trails or exercise hotspots, the heatmap anonymously aggregates users’ activity so that they can work out in locations that are safer because they’re more crowded.
Now though, researchers at North Carolina State University in Raleigh have discovered that Strava’s heatmap feature could open up unsuspecting users to tracking by having their data on the platform de-anonymized.
Abusing Strava’s heatmap feature
In a new report (PDF), researchers at North Carolina State University have explained how they were able to locate the homes of athletes by using Strava’s heatmap feature. BleepingComputer highlighted the dangers in its report on these findings.
First off, the researchers collected publicly available data from Strava’s heatmap in Arkansas, Ohio and North Carolina over the course of a month. From here, they used image analysis to determine the start and stop areas next to streets in order to indicate that a specific home is linked to tracked activity in Strava.
With heatmap screenshots that matched their criteria, the researchers then overlaid OpenStreetMap images at different zoom levels to help them identify the addresses of individual residences. They then performed user crawling by leveraging a search feature in the Strava app to locate users who had registered a specific city as their location.
By comparing the endpoints from Strava’s heatmap with personal data from the app’s search function, the researchers were then able to match high activity points on the heatmap with the home addresses of actual users.
This is because many public Strava profiles contain loads of activity data with timestamps and distances, which makes it much easier to identify potential routes and match patterns in the heatmap data. Likewise, as many Strava users register using their real names and even upload their photos to the app, correlating identities with home locations is also possible.
The researchers went a step further, though, by correlating their findings with voter registration data, and found that their predictions were around 37.5% accurate.
How to stay safe when using Strava to track your workouts
If you’re a Strava user who is concerned about your own home address being located using the steps described above, there are a few steps you can take right now in order to stay safe.
First, you’re going to want to hide your home address from Strava. This can be done by enabling the option to hide the start and finish of your activities within the app. Head to the Settings section, tap the cog in the upper right-hand corner and then select Privacy Controls. Here, you want to Edit map visibility, where you can customize how much of the start or end of an activity is hidden, up to a 1-mile radius.
At the same time, you can also choose whether you hide the start and end of activities from a specific address like your home or whether you prefer to hide the start and end of all activities regardless of where they begin. You can even hide the entire map if you so please.
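As an added example (not from the article, the researchers or Strava), here is a simple model of the two hiding modes described above: a recorded track is trimmed of every point within a chosen radius of its start and end, or of a designated home address, before it is published. The track coordinates are constructed, and the behaviour is an assumption about how such a control works, not Strava's own implementation.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MILE_M = 1609.344  # the 1-mile maximum hide radius mentioned in the article

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def trim_endpoints(track, hide_radius_m, home=None):
    """Return the (lat, lon) points of `track` that are safe to publish.

    home=None models the "all activities" mode: every point within
    hide_radius_m of the activity's first or last fix is dropped.
    A home coordinate models the "specific address" mode: only points
    within hide_radius_m of that address are dropped.
    Edge case: a short out-and-back from home can be hidden entirely,
    which is the intended outcome, not an error.
    """
    if not track:
        return []
    anchors = [home] if home is not None else [track[0], track[-1]]
    return [
        p for p in track
        if all(haversine_m(*p, *a) >= hide_radius_m for a in anchors)
    ]

# Constructed sample track: eleven GPS fixes heading due north, ~222 m apart.
SAMPLE_TRACK = [(round(35.0 + 0.002 * i, 4), -78.0) for i in range(11)]

if __name__ == "__main__":
    kept = trim_endpoints(SAMPLE_TRACK, 500)
    print(f"{len(SAMPLE_TRACK)} fixes recorded, {len(kept)} published")
    # the whole 2.2 km track vanishes under a 1-mile radius
    print(f"1-mile radius keeps {len(trim_endpoints(SAMPLE_TRACK, MILE_M))} fixes")
```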
Tom’s Guide’s own Fitness Editor Jane McGuire also provided some additional tips for runners looking to stay safe during their workouts while tracking their progress, saying:
“If you're a runner who likes to keep a record of your routes online, think about how visible these maps are to strangers. Most runners are creatures of habits, and will run the same routes time and time again, making it easy for someone to build up a picture of where you might be heading. If you're using Strava, you can either set your heatmaps to private, or hide the start and finish of your run, so it's not clear where you live.
“On the run, if you're worried you're being followed, run into a shop, knock on someone's front door, or flag down a car. When it comes to feeling safer on the run, your tech can help: apps like Strava Beacon allow you to share your live location with up to three people, who can continue to track you until you stop your activity, while LiveTrack and Incident Detection on the best Garmin running watches, and fall detection on the best Apple Watches, are all designed to help runners feel safer.
“Your phone can also be used in an emergency — if you press and hold the right side button and one of the volume buttons on an iPhone 8 or later you'll engage the phone’s Emergency SOS feature (on an iPhone 7 or earlier, rapidly press the top or side button five times). This will call the emergency services and text your emergency contacts. On a Samsung phone, hold and press the power button and tap Emergency Mode. We always hope we won't need features like this, but it's important to remind ourselves that they are there."
Regardless of which fitness tracking app you’re using, just like with the best dating apps, you want to limit the amount of personal information you post online. Stalkers and even hackers often scrape publicly available data to use in their attacks both online and offline, which is why you want to play things close to the chest to stay safe.
Now that researchers have managed to abuse Strava’s heatmap feature, the company will likely implement additional safeguards going forward to keep users of its app safer.